Analysis
max time kernel: 231s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/01/2025, 01:49
Static task: static1
URLScan task: urlscan1
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  3124  SilverRat.exe

Loads dropped DLL (10 IoCs)
  pid   Process
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe

Obfuscated with Agile.Net obfuscator (4 IoCs)
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  resource                                                                      yara_rule
  behavioral1/files/0x001500000001e07d-391.dat                                  agile_net
  behavioral1/memory/3124-394-0x00000000074E0000-0x000000000752E000-memory.dmp  agile_net
  behavioral1/files/0x000c00000001db37-402.dat                                  agile_net
  behavioral1/memory/3124-405-0x0000000008FF0000-0x000000000913E000-memory.dmp  agile_net

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SilverRat.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                    Process
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0        SilverRat.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz   SilverRat.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                              Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS               msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe

Modifies registry class (1 IoC)
  description  ioc                                                                              Process
  Key created  \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings  msedge.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  3844  msedge.exe
  3844  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  4560  identity_helper.exe
  4560  identity_helper.exe
  5300  msedge.exe
  5300  msedge.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe
  3124  SilverRat.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  5384  7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
  pid   Process
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   5384  7zFM.exe
  Token: 35                   5384  7zFM.exe
  Token: SeSecurityPrivilege  5384  7zFM.exe
  Token: SeSecurityPrivilege  5384  7zFM.exe
  Token: SeSecurityPrivilege  5384  7zFM.exe
  Token: SeDebugPrivilege     3124  SilverRat.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid   Process
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  5384  7zFM.exe
  5384  7zFM.exe
  5384  7zFM.exe
  5384  7zFM.exe
  5384  7zFM.exe
  5384  7zFM.exe
  5384  7zFM.exe

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe
  3916  msedge.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  5384  7zFM.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process     procid_target
  PID 3916 wrote to memory of 1472  3916  msedge.exe  82
  PID 3916 wrote to memory of 1472  3916  msedge.exe  82
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 2796  3916  msedge.exe  83
  PID 3916 wrote to memory of 3844  3916  msedge.exe  84
  PID 3916 wrote to memory of 3844  3916  msedge.exe  84
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
  PID 3916 wrote to memory of 2032  3916  msedge.exe  85
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/243j45m97m0pb3w/Silver+Rat+[Re+Lab].7z/file
  PID: 3916
  Signatures:
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe662046f8,0x7ffe66204708,0x7ffe66204718
    PID: 1472
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
    PID: 2796
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    PID: 3844
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
    PID: 2032
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    PID: 4520
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    PID: 1376
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
    PID: 552
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
    PID: 4560
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
    PID: 4604
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
    PID: 1152
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
    PID: 4344
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    PID: 4556
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
    PID: 2124
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
    PID: 3760
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
    PID: 808
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6032 /prefetch:8
    PID: 1312
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
    PID: 4808
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
    PID: 3608
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,4191782814280175142,1316780477187414666,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 /prefetch:8
    PID: 5300
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4368
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3632
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe"
  PID: 5384
  Signatures:
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5616
- C:\Users\Admin\Desktop\Silver Rat [Re Lab]\SilverRat.exe
  Command line: "C:\Users\Admin\Desktop\Silver Rat [Re Lab]\SilverRat.exe"
  PID: 3124
  Signatures:
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 1552
Network
MITRE ATT&CK Enterprise v15
Downloads