Analysis Overview
SHA256
bef64e21cbc611550b7ac61d9323858cdb845f1307d6466b93b6bc7a1088c4eb
Threat Level: Known bad
The file SilverRat.V1.5.rar was found to be: Known bad.
Malicious Activity Summary
Silverrat family
SilverRat
Sets file to hidden
Downloads MZ/PE file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Browser Information Discovery
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Enumerates physical storage devices
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Volume Shadow Copy service COM API
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Modifies registry class
Delays execution with timeout.exe
Enumerates system info in registry
Opens file in notepad (likely ransom note)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Scheduled Task/Job: Scheduled Task
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-13 01:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-13 01:17
Reported
2025-02-13 01:19
Platform
win11-20250211-en
Max time kernel
98s
Max time network
105s
Command Line
Signatures
SilverRat
Silverrat family
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 776 wrote to memory of 872 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe |
| PID 776 wrote to memory of 872 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe |
| PID 872 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe | C:\Windows\System32\attrib.exe |
| PID 872 wrote to memory of 3392 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe | C:\Windows\System32\attrib.exe |
| PID 872 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe | C:\Windows\System32\attrib.exe |
| PID 872 wrote to memory of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe | C:\Windows\System32\attrib.exe |
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.rar"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qzc4OUVGRUMtNzM2OC00MkRDLUE5NTQtMjJERDg0RDZGREVCfSIgdXNlcmlkPSJ7MjUzREE4RUMtNEI0Ny00QzdDLTkwMTYtNDNDMDczMjA0ODFFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Q0QzOURBNTEtRkEwQS00NkZFLUEyOEUtMkM2MDFDQTY0RkM2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ3NzUxNjE3MTYiLz48L2FwcD48L3JlcXVlc3Q-
C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe
"C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| IE | 4.245.161.190:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 199.232.214.172:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7zO8032ABF8\SilverRat.exe
| MD5 | 545d64cc91e4da6339a70d54a2443c5d |
| SHA1 | f03344ab824c7cf0f73dcc86aa34cab36e2e54e7 |
| SHA256 | 04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f |
| SHA512 | 733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681 |
memory/872-13-0x0000000000BB0000-0x0000000000BC0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-13 01:17
Reported
2025-02-13 01:19
Platform
win11-20250210-en
Max time kernel
89s
Max time network
110s
Command Line
Signatures
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1505343591-821288467-4101320450-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3356 wrote to memory of 1876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 3356 wrote to memory of 1876 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\PASSWORD.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\PASSWORD.txt
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RERCNERDMjUtOUY2Qi00NENGLUI1MkUtQzZGMDIzQjA2QkIzfSIgdXNlcmlkPSJ7Q0YwRDI0MUUtODcyMS00NEMxLTgyNDEtQzUzQzdFQjQ0NkZDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjI5RTEyREQtRkFCMy00REZGLTlFNzMtN0ZFQ0VERTdENUEzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjIiIGluc3RhbGxkYXRldGltZT0iMTczOTE4Mzk2NiIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNjU1NjQwMTY2MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4NjIxNzU3MDgiLz48L2FwcD48L3JlcXVlc3Q-
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | msedge.api.cdp.microsoft.com | udp |
| US | 172.169.87.222:443 | msedge.api.cdp.microsoft.com | tcp |
| US | 8.8.8.8:53 | msedge.b.tlu.dl.delivery.mp.microsoft.com | udp |
| GB | 96.17.179.145:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2025-02-13 01:17
Reported
2025-02-13 01:19
Platform
win11-20250211-en
Max time kernel
106s
Max time network
111s
Command Line
Signatures
SilverRat
Silverrat family
Downloads MZ/PE file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Program Files\7-Zip\7zG.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Program Files\7-Zip\7zG.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\System32\attrib.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab.rar"
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjM5MjAwNjQtQ0Y3QS00NUE5LUFGNkEtQTNGOURCRUYxRDhFfSIgdXNlcmlkPSJ7QTQyQTFCODItQzdDRi00QTY1LUExMEYtODFFQ0ZBMzNDODM0fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MkY1Q0M5QkMtOUJCQi00NTAzLUIwRUQtNjgyQTAzMjZGRTc4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4MDc5MjM5NjEiLz48L2FwcD48L3JlcXVlc3Q-
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab\" -ad -an -ai#7zMap13694:122:7zEvent31153
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\SilverRat.V1.5.Re.Lab\" -ad -an -ai#7zMap4399:122:7zEvent23754
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe
"C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe"
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe
"C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe"
C:\Windows\System32\attrib.exe
"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN SilverRat.exe
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /Create /SC ONCE /TN "SilverRat.exe" /TR "C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe \"\SilverRat.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
C:\Windows\SYSTEM32\schtasks.exe
"schtasks.exe" /query /TN SilverRat.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc hourly /mo 1 /tn "Runtime Broker_Task-HOURLY-01" /tr "%MyFile%" /st 00:00
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.hackingvip.com/rat-and-botnet-settings-configurations-and-tutorials/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffd21463cb8,0x7ffd21463cc8,0x7ffd21463cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,4725533525422537922,5256882114278596377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 /prefetch:8
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\hgfdfd\$77Runtime Broker.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.252.28.242:443 | msedge.api.cdp.microsoft.com | tcp |
| GB | 96.17.179.150:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 147.185.221.19:51655 | auto-london.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | www.hackingvip.com | udp |
| BG | 93.123.73.160:443 | www.hackingvip.com | tcp |
| GB | 51.11.108.188:443 | nav.smartscreen.microsoft.com | tcp |
| GB | 51.11.108.188:443 | nav.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| GB | 172.165.61.93:443 | data-edge.smartscreen.microsoft.com | tcp |
| BG | 93.123.73.160:443 | www.hackingvip.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| GB | 216.58.213.14:443 | www.youtube.com | tcp |
| GB | 216.58.213.14:443 | www.youtube.com | udp |
| GB | 216.58.204.86:443 | i.ytimg.com | tcp |
| US | 104.18.40.68:443 | pro.fontawesome.com | tcp |
| US | 104.18.40.68:443 | pro.fontawesome.com | tcp |
| US | 104.18.40.68:443 | pro.fontawesome.com | tcp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | tcp |
| GB | 142.250.179.226:443 | googleads.g.doubleclick.net | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| GB | 142.250.180.6:443 | static.doubleclick.net | tcp |
| GB | 216.58.201.106:443 | jnn-pa.googleapis.com | tcp |
| GB | 142.250.187.193:443 | yt3.ggpht.com | tcp |
| GB | 216.58.201.106:443 | jnn-pa.googleapis.com | udp |
| GB | 142.250.200.14:443 | www.youtube.com | tcp |
| GB | 142.250.200.14:443 | www.youtube.com | tcp |
| GB | 142.250.200.14:443 | www.youtube.com | tcp |
| GB | 142.250.200.14:443 | www.youtube.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | udp |
| US | 147.185.221.19:51655 | auto-london.gl.at.ply.gg | tcp |
| US | 147.185.221.19:51655 | auto-london.gl.at.ply.gg | tcp |
Files
C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe
| MD5 | 545d64cc91e4da6339a70d54a2443c5d |
| SHA1 | f03344ab824c7cf0f73dcc86aa34cab36e2e54e7 |
| SHA256 | 04109cb3426408945bea79e8e355285fb5bf93224b5b2775a5f6ff6c1e992b5f |
| SHA512 | 733154a7f76840fad3ead2af149cf708807878ef3f08c62232ee3cdc0b7e6a4b4dc338103569daf9f755a6549475df15b34b7f223929348001d4086e83371681 |
C:\Users\Admin\Desktop\SilverRat.V1.5.Re.Lab\SilverRat V1.5 [Re Lab]\SilverRat.exe.config
| MD5 | d6f1152d647b57f64494c3e1d32ede94 |
| SHA1 | a35bd77be82c79a034660df07270467ee109f5ac |
| SHA256 | a47f3f83cdb9816f03632833dc361ac5e7a4c5c923af1fdebfa16303f9d68a72 |
| SHA512 | 699b5ad93d3497348f8aad8e15d54ddd789bbac43f11a7fb629f19cda3749bee0ae06dc83f4e6246df631488169fda5d15c48585581d3a96d2523b8b45e639bd |
memory/2380-92-0x0000000000730000-0x0000000000740000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ud4yuqo.lmd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/996-102-0x0000027368E50000-0x0000027368E72000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ca9db6aa94730283d8a369e08f8f710c |
| SHA1 | c1ef5c3b08fa3ee3edec4155a31cd20312cb7b09 |
| SHA256 | 60ac735f5b28b26af18d6f5b4cbaa8b81a01ada539c946bfd8ec32379b0c3b33 |
| SHA512 | 27d982e3f854ee4e6eaba491679ecda3f60aa086bd5a75ee7aac61d01db177a68d9f1185e7039c623793974ae478cd1b3d35b5df4cade0204d5c0eaec4ab9d06 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3a14c2ec70a0175c20aceee2cf4d425f |
| SHA1 | 47d680bf85143e5a941b9a2e459bca4c9f8e51f8 |
| SHA256 | 8e424c207cf0e2e4780c5fd51143b92e9e7a8ad36a9477a8a6819e4b3d4c8d79 |
| SHA512 | b9c2dd9927a4fbf1628537235178fdc98f849a30ade35607cff43f479011ab82cff20ce21df9ac3e9d6aceda4d8481e30de973a12451d9ee05a091d9098c11df |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6aa7f98432bfc067a5dfb4fa65e6d535 |
| SHA1 | 141dd5723c4039f8334abdb832fce09c234dc297 |
| SHA256 | 35670e8d683c61adb54de7db2a1464c545747980df8f034a7fc39a5d29fe87d4 |
| SHA512 | b65e043049a2f9af5c3b87888066c40d81f312488176dade17e832008a332431f079de1fea7dae6b417c711c7765197344f0cf89017faef84c9efea3629e1b73 |
\??\pipe\LOCAL\crashpad_4328_RJXPEPRGRFQIYMGV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\tmpB36D.tmp.bat
| MD5 | 11937c577d47348990e4816062d0c209 |
| SHA1 | a7bc33b4aadd599ba389094f4e11dcfa08383dff |
| SHA256 | d3df40754b99a8d6b1a0bbd1eb126e0a4ac86f50487a75e9325935b6fcfd784f |
| SHA512 | b0ae8c57f9fe907fb55a5bc748310fff1d75ec8039fd6b23c46ff0b41539607b3b1db5f0977caa7d5fb719055038c7ed8e418f3499cb3f1f042cd8e382e9ad95 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 26541f76efcea9a599fa8f9235294723 |
| SHA1 | bf21799721b76d75aeacaf4e66c72372960022b2 |
| SHA256 | 115d27578016de7aafc6887e59f32ea4f035013344c6d92bb2b9ac904ef8de7d |
| SHA512 | 0a019438071fa252842067f2fd3d99a8594db9927c70aad0a27752f0db485325b4bb0c273c51942c67696502e7fdd97c7af7f6fba26856a53a28d425f1e0f838 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 09c6c5b50a780b24fd3e100b028b81ad |
| SHA1 | f6697a0aac8e57f611d8a165ac299fbb9041b9d9 |
| SHA256 | 1474792d33f948a556c34134010f93b1f6ae9c1ec0fb85c4a8ad979334b8e7cb |
| SHA512 | a275e4a31d2d5ff4b5d62edc7f9402c3a02728fc0541bc850f742eac3c34009683066f20501ddc3dc9158391edd2c187a82a9aedd0f3d7cec64333086131e05b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fed72e82cf860a51b4062e3bb146b1be |
| SHA1 | 69c0f8a0575ee7ef163071ba6cd473ae57851ed3 |
| SHA256 | cdaa4e281eb4230210dc28bfdf7317ac962062e6790284707f5bfde843646410 |
| SHA512 | bafa05b68171b142a6154c8405465b5c966197ab3f491e4220bad2927921928909c20ee46f5724c3b5a7b9de15e02ce92712a0bc30e6f27b7a21747d3bf2c770 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 6cff9695dbec31477f95ce955ab4293d |
| SHA1 | 396b2a343e5664a93cf0a61f126f6129dc49e0f8 |
| SHA256 | 3919773e5b37dbf24bb7472641eb4822dfc3dc80652fcb0fc928818fe846b53c |
| SHA512 | c098d028bb055df35bcdaff456648ba729abc11612f33d969185cfa6571e8b20be70b547933baf8df04df16ab699d59c01804a21760a898462f7e3875e1c388e |