Analysis Overview
SHA256
954f637d4c8d2c47dc648d703f073fa8586222a8cef8aa8226bce48490ce8b10
Threat Level: Shows suspicious behavior
The file Silver Rat.zip was found to show suspicious behavior.
Malicious Activity Summary
Obfuscated with Agile.Net obfuscator
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Program crash
NTFS ADS
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-13 02:05
Signatures
Obfuscated with Agile.Net obfuscator
Unsigned PE
Analysis: behavioral16
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
454s
Max time network
1175s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\RDP.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Analysis: behavioral23
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:36
Platform
win11-20240412-en
Max time kernel
1563s
Max time network
1533s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\System.Collections.Immutable.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
Analysis: behavioral31
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 03:00
Platform
win11-20240412-en
Max time kernel
446s
Max time network
1174s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\protobuf-net.core.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Analysis: behavioral10
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
455s
Max time network
1177s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\Keylogger.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Analysis: behavioral15
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
449s
Max time network
1173s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\RAPP.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Analysis: behavioral20
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:36
Platform
win11-20240412-en
Max time kernel
451s
Max time network
1174s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\RestSharp.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Analysis: behavioral29
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:56
Platform
win11-20240412-en
Max time kernel
444s
Max time network
1170s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\cgeoip.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
441s
Max time network
1172s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Newtonsoft.Json.dll",#1
Analysis: behavioral9
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
458s
Max time network
1180s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\HVNC.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Analysis: behavioral26
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:56
Platform
win11-20240412-en
Max time kernel
458s
Max time network
1177s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\bouncycastle.crypto.dll",#1
Analysis: behavioral7
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
453s
Max time network
1174s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\HBrowser.dll",#1
Analysis: behavioral12
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
438s
Max time network
1166s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\Options.dll",#1
Analysis: behavioral13
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
457s
Max time network
1180s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\OptionsForm.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Analysis: behavioral24
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:37
Platform
win11-20240412-en
Max time kernel
456s
Max time network
1175s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\System.Memory.dll",#1
Analysis: behavioral27
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:56
Platform
win11-20240412-en
Max time kernel
453s
Max time network
1177s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\bunifu.ui.winforms.1.5.3.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Analysis: behavioral32
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 03:36
Platform
win11-20240412-en
Max time kernel
454s
Max time network
1177s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\protobuf-net.dll",#1
Analysis: behavioral8
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
460s
Max time network
1182s
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\HRDP.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
1345s
Max time network
1176s
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverRat.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SilverRat.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2516240262-2296879883-3965305654-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Silver Rat.zip:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Silver Rat\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Silver Rat\Loader.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.0.2145052087\640182259" -parentBuildID 20230214051806 -prefsHandle 1788 -prefMapHandle 1776 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a84fb52a-fc5a-4009-8116-2fdda5c5ea99} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 1880 21beae24c58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.1.1041433781\1660664923" -parentBuildID 20230214051806 -prefsHandle 2376 -prefMapHandle 2364 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ab100ec-6c09-4fe5-a221-426c61baf6ba} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 2404 21bde187258 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.2.1759952717\7683329" -childID 1 -isForBrowser -prefsHandle 2628 -prefMapHandle 2816 -prefsLen 22148 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {33f3e4d6-9503-4bbe-9edd-39a6f285d237} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 2804 21bedbe0258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.3.1778858532\1343224983" -childID 2 -isForBrowser -prefsHandle 2596 -prefMapHandle 1632 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af517917-d793-4114-b374-9d2d408df363} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 3436 21bf0470258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.4.1817351246\1551165744" -childID 3 -isForBrowser -prefsHandle 5052 -prefMapHandle 4960 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bea029a4-c3f3-4103-b224-04a20b2cb3f4} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 5064 21bf1df8558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.5.192558974\936675166" -childID 4 -isForBrowser -prefsHandle 5300 -prefMapHandle 5296 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b440ba4-efe2-4126-a7cb-a52def6509c4} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 5224 21bf266cf58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.6.12328228\1991631313" -childID 5 -isForBrowser -prefsHandle 5480 -prefMapHandle 5476 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba456dd0-93af-468e-924f-11e304ccccf6} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 5396 21bf266a558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2096.7.124211355\802831872" -childID 6 -isForBrowser -prefsHandle 2920 -prefMapHandle 2916 -prefsLen 27774 -prefMapSize 235121 -jsInitHandle 1372 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0fe7f4e0-85cf-4ffe-857b-1cfd564b84ff} 2096 "\\.\pipe\gecko-crash-server-pipe.2096" 3404 21bf31a2958 tab
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\Silver Rat\Silver Rat\Loader.exe
"C:\Users\Admin\Downloads\Silver Rat\Silver Rat\Loader.exe"
C:\Users\Admin\Downloads\Silver Rat\Silver Rat\SilverRat.exe
"C:\Users\Admin\Downloads\Silver Rat\Silver Rat\SilverRat.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\SilverRat.exe
"C:\Users\Admin\AppData\Local\Temp\SilverRat.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 896
C:\Users\Admin\Downloads\Silver Rat\Silver Rat\SilverRat.exe
"C:\Users\Admin\Downloads\Silver Rat\Silver Rat\SilverRat.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\SilverRat.exe
"C:\Users\Admin\AppData\Local\Temp\SilverRat.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3940 -ip 3940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 864
C:\Users\Admin\Downloads\Silver Rat\Silver Rat\Loader.exe
"C:\Users\Admin\Downloads\Silver Rat\Silver Rat\Loader.exe"
Network
Files
memory/3144-1544-0x0000000002C50000-0x0000000002C90000-memory.dmp
memory/3144-1569-0x0000000002C50000-0x0000000002C90000-memory.dmp
memory/3144-1518-0x0000000002C50000-0x0000000002C90000-memory.dmp
memory/3940-1746-0x0000000073B80000-0x0000000074331000-memory.dmp
memory/3144-1931-0x00000000010D0000-0x000000000111B000-memory.dmp
memory/1944-2240-0x0000000000C30000-0x0000000000C7B000-memory.dmp
memory/1944-2245-0x0000000000C30000-0x0000000000C7B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jn4l3e2t.default-release\sessionstore.jsonlz4
| MD5 | 80669d4def45bb38fbc43debf548a75d |
| SHA1 | 22a1c41e0180a3caf6e0757dddff9708043efaa3 |
| SHA256 | 39b00faedaba54c005496d3f03147c5aa222e23f3ab9026b4741f6665b9d5206 |
| SHA512 | 9055e28d7d150ec0c1a5054e9dbf44c7fd9379e6676e1e8a45a5c5a5013c93fb793b1a6717c3d22ac41ce370215e02d645198e48c9673aac109cdc217f1072b8 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jn4l3e2t.default-release\prefs-1.js
| MD5 | c8f3602113dc2ae77caea7eb6d474674 |
| SHA1 | c657884c10d56f8b49606adb74f321124bb5ed5a |
| SHA256 | 3f9601e5a938c8ed683b339c4de7e14ca574fd4441e15cd7fafd865031635af1 |
| SHA512 | 7f275aaf59324ad6b80775d6f69429867c9ae6d46feaeda2a55fc718d7293530ae61905f79a9683e644247684285967218397c23dc1c02bbcceaad28637138a0 |
Analysis: behavioral22
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:36
Platform
win11-20240412-en
Max time kernel
457s
Max time network
1176s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\System.Buffers.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
440s
Max time network
1166s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\Manager.dll",#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
452s
Max time network
1175s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\Passwords.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:56
Platform
win11-20240412-en
Max time kernel
455s
Max time network
1180s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\bunifu.ui.winforms.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
443s
Max time network
1172s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\Camera.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
456s
Max time network
1176s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\ReverseProxy.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
448s
Max time network
1172s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\Chat.dll",#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
450s
Max time network
1174s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\HApps.dll",#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
444s
Max time network
1172s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\Ransom.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
449s
Max time network
1172s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Plugins\ScanNET.dll",#1
Network
| Country | Destination | Domain | Proto |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:36
Platform
win11-20240412-en
Max time kernel
447s
Max time network
1172s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SilverRat.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SilverRat.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1544 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\Silver Rat\SilverRat.exe | C:\Users\Admin\AppData\Local\Temp\Loader.exe |
| PID 1544 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\Silver Rat\SilverRat.exe | C:\Users\Admin\AppData\Local\Temp\Loader.exe |
| PID 1544 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\Silver Rat\SilverRat.exe | C:\Users\Admin\AppData\Local\Temp\Loader.exe |
| PID 1544 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\Silver Rat\SilverRat.exe | C:\Users\Admin\AppData\Local\Temp\SilverRat.exe |
| PID 1544 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\Silver Rat\SilverRat.exe | C:\Users\Admin\AppData\Local\Temp\SilverRat.exe |
| PID 1544 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\Silver Rat\SilverRat.exe | C:\Users\Admin\AppData\Local\Temp\SilverRat.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Silver Rat\SilverRat.exe
"C:\Users\Admin\AppData\Local\Temp\Silver Rat\SilverRat.exe"
C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
C:\Users\Admin\AppData\Local\Temp\SilverRat.exe
"C:\Users\Admin\AppData\Local\Temp\SilverRat.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 404 -ip 404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 904
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 172.67.185.32:443 | cleartotalfisherwo.shop | tcp |
| US | 104.21.44.125:443 | worryfillvolcawoi.shop | tcp |
| US | 172.67.183.226:443 | enthusiasimtitleow.shop | tcp |
| US | 172.67.205.132:443 | dismissalcylinderhostw.shop | tcp |
| US | 172.67.181.34:443 | affordcharmcropwo.shop | tcp |
| US | 8.8.8.8:53 | 226.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.205.67.172.in-addr.arpa | udp |
| US | 172.67.211.165:443 | diskretainvigorousiw.shop | tcp |
| US | 172.67.166.251:443 | communicationgenerwo.shop | tcp |
| US | 104.21.47.56:443 | pillowbrocccolipe.shop | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Loader.exe
| MD5 | 9c9245810bad661af3d6efec543d34fd |
| SHA1 | 93e4f301156d120a87fe2c4be3aaa28b9dfd1a8d |
| SHA256 | f5f14b9073f86da926a8ed319b3289b893442414d1511e45177f6915fb4e5478 |
| SHA512 | 90d9593595511e722b733a13c53d2e69a1adc9c79b3349350deead2c1cdfed615921fb503597950070e9055f6df74bb64ccd94a60d7716822aa632699c70b767 |
memory/3828-8-0x0000000000D90000-0x0000000000DDB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SilverRat.exe
| MD5 | d6527f7d5f5152c3f5fff6786e5c1606 |
| SHA1 | e8da82b4a3d2b6bee04236162e5e46e636310ec6 |
| SHA256 | 79a4605d24d32f992d8e144202e980bb6b52bf8c9925b1498a1da59e50ac51f9 |
| SHA512 | 2b4eb9e66028d263c52b3da42fa3df256cf49cd7a7ebdf7c75da6a2dedfd2c22cb5f2071345b7016cd742539c74a801cad70c612330be79802fa19f860ea2d5f |
memory/3828-22-0x0000000002950000-0x0000000002990000-memory.dmp
memory/3828-21-0x0000000002B00000-0x0000000002B01000-memory.dmp
memory/3828-23-0x0000000002950000-0x0000000002990000-memory.dmp
memory/3828-26-0x0000000002950000-0x0000000002990000-memory.dmp
memory/3828-28-0x0000000002950000-0x0000000002990000-memory.dmp
memory/3828-24-0x0000000002950000-0x0000000002990000-memory.dmp
memory/1544-30-0x0000000000400000-0x0000000001DB0000-memory.dmp
memory/404-31-0x0000000073600000-0x0000000073DB1000-memory.dmp
memory/404-32-0x0000000000480000-0x0000000001DAE000-memory.dmp
memory/3828-33-0x0000000000D90000-0x0000000000DDB000-memory.dmp
memory/404-34-0x0000000006D00000-0x00000000072A6000-memory.dmp
memory/404-35-0x00000000067F0000-0x0000000006882000-memory.dmp
memory/404-36-0x0000000073600000-0x0000000073DB1000-memory.dmp
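The behavioral21 detonation above is the only run on this page with signatures: the archived SilverRat.exe launches the dropped Loader.exe and a second SilverRat.exe, writes into both children's memory, the child crashes under WerFault, and a set of .shop domains on Cloudflare address space is contacted. The following triage helper is an added example written for this page, not part of the sandbox report or the sample; it turns the report's WriteProcessMemory and Network tables into a deduplicated injection graph and candidate IOC list. The sample input is constructed from the rows above (with one duplicate network row and one malformed row added to exercise the parser). Treating 8.8.8.8 reverse-DNS lookups and the Bing/Windows telemetry hosts as background traffic is the editor's assumption, made because the same rows appear in the rundll32-only detonations on this page that fired no signatures.

```python
"""Triage helper: injection edges and candidate network IOCs from a sandbox
report's WriteProcessMemory and Network tables (added example, not report code)."""
import re
from collections import OrderedDict

# Constructed input: rows copied from the behavioral21 tables, plus one
# duplicate network row and one malformed row to exercise the parser.
WPM_TABLE = r"""
| Description | Indicator | Process | Target |
| PID 1544 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\Silver Rat\SilverRat.exe | C:\Users\Admin\AppData\Local\Temp\Loader.exe |
| PID 1544 wrote to memory of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\Silver Rat\SilverRat.exe | C:\Users\Admin\AppData\Local\Temp\Loader.exe |
| PID 1544 wrote to memory of 404 | N/A | C:\Users\Admin\AppData\Local\Temp\Silver Rat\SilverRat.exe | C:\Users\Admin\AppData\Local\Temp\SilverRat.exe |
"""

NET_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 172.67.185.32:443 | cleartotalfisherwo.shop | tcp |
| US | 104.21.44.125:443 | worryfillvolcawoi.shop | tcp |
| US | 172.67.183.226:443 | enthusiasimtitleow.shop | tcp |
| US | 8.8.8.8:53 | 226.183.67.172.in-addr.arpa | udp |
| US | 172.67.211.165:443 | diskretainvigorousiw.shop | tcp |
| US | 104.21.47.56:443 | pillowbrocccolipe.shop | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 172.67.185.32:443 | cleartotalfisherwo.shop | tcp |
| malformed row |
"""

# Assumed background traffic of the analysis VM (editor's heuristic, see lead-in).
NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", ".bing.net", ".bing.com")
NOISE_DESTINATIONS = ("8.8.8.8:53",)
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def split_row(line, ncols):
    """Return the stripped cells of a pipe-delimited row, or None if malformed."""
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    return cells if len(cells) == ncols else None


def injection_edges(table):
    """Unique (src_pid, dst_pid, src_image, dst_image) tuples in first-seen order.

    The signature table repeats one write per reported event; collapsing the
    repeats leaves the process pairs an analyst wants to follow."""
    edges = OrderedDict()
    for line in table.splitlines():
        cells = split_row(line, 4)
        if not cells:
            continue
        m = WPM_RE.search(cells[0])
        if not m:
            continue  # header row or a signature row of another kind
        edges.setdefault((int(m.group(1)), int(m.group(2)), cells[2], cells[3]), None)
    return list(edges)


def is_background(dest, domain):
    """Heuristic: reverse-DNS lookups and Bing telemetry are VM noise, not C2."""
    return dest in NOISE_DESTINATIONS or domain.lower().endswith(NOISE_DOMAIN_SUFFIXES)


def extract_iocs(table):
    """Split network rows into (candidates, background) keyed by
    (domain, ip:port, proto), deduplicated, first-seen order preserved."""
    cands, noise = OrderedDict(), OrderedDict()
    for line in table.splitlines():
        cells = split_row(line, 4)
        if not cells or cells[0] == "Country":
            continue  # malformed row or header
        country, dest, domain, proto = cells
        (noise if is_background(dest, domain) else cands).setdefault((domain, dest, proto), country)
    return list(cands), list(noise)


def triage_summary(wpm_table, net_table):
    """Plain-text lines for a case note: one per injection edge, one per candidate IOC."""
    lines = ["PID %d -> PID %d: %s wrote into %s" % e for e in injection_edges(wpm_table)]
    cands, _ = extract_iocs(net_table)
    lines += ["IOC %s %s/%s" % k for k in cands]
    return lines


if __name__ == "__main__":
    print("\n".join(triage_summary(WPM_TABLE, NET_TABLE)))
```

Pasting a different report's tables into WPM_TABLE and NET_TABLE is the only change needed to reuse it; the noise lists should be reviewed per sandbox image, since a different platform will have different telemetry hosts.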
Analysis: behavioral25
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:54
Platform
win11-20240412-en
Max time kernel
450s
Max time network
1177s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\System.Numerics.Vectors.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:56
Platform
win11-20240412-en
Max time kernel
452s
Max time network
1173s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\guna.ui2.dll",#1
Network
| Country | Destination | Domain | Proto |
| IE | 52.111.236.22:443 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-13 02:05
Reported
2024-04-13 02:35
Platform
win11-20240412-en
Max time kernel
1354s
Max time network
1178s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Silver Rat\Bunifu.Licensing.dll",#1
Network
| Country | Destination | Domain | Proto |
| NL | 52.111.243.29:443 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |