xworm | ad121ddbed20a93a429f98df9aa1a589f5efd7fe2a579e00a5ea4409ef9d814d

Analysis

max time kernel
131s
max time network
149s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-05-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SilverBulletPro‌‌.exe
Size

3.3MB
MD5

3a05915ef59826910a7935060c9cb8f2
SHA1

b89b7bbf347b380d98c56d7261f3780dbdd94290
SHA256

ad121ddbed20a93a429f98df9aa1a589f5efd7fe2a579e00a5ea4409ef9d814d
SHA512

8c80f88a9738c9fec207f06c86537d2ff32580dd1d6a51deaee1bde318e211669c0eb82a45c350fcd6d54f3ed7c5f628bc472cddc71f0fb29e43931df1c2da1b
SSDEEP

49152:lffAbklzCfGDY2G+qnb7IzJunAyDZTk1VQq3/YtjCq3x5ZtztwZFG/i/kvfp:lD8vQQnAZbetlh5Zt5wZF0i/kH

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

dsasinject-58214.portmap.io:3389

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/200-19-0x0000000000500000-0x000000000051A000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4136	powershell.exe
4472	powershell.exe
4576	powershell.exe
4864	powershell.exe
3720	powershell.exe
3592	powershell.exe
4568	powershell.exe
304	powershell.exe
4940	powershell.exe
312	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SilverBulletPro.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation	SilverBulletPro.exe

Drops startup file 4 IoCs

Processes:

svchost.execsrss.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe

Executes dropped EXE 5 IoCs

Processes:

SilverBulletPro.exesvchost.execsrss.exeSilverBulletPro44B.tmpSilverBulletPro-v1.5.8.exe

pid process

3584 SilverBulletPro.exe
200 svchost.exe
5100 csrss.exe
4640 SilverBulletPro44B.tmp
1380 SilverBulletPro-v1.5.8.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

SilverBulletPro.exe

description pid process target process

PID 3584 set thread context of 4640 3584 SilverBulletPro.exe SilverBulletPro44B.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

SilverBulletPro.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance SilverBulletPro.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

csrss.exe

pid process

5100 csrss.exe

pid	process
3584	SilverBulletPro.exe
200	svchost.exe
5100	csrss.exe
4640	SilverBulletPro44B.tmp
1380	SilverBulletPro-v1.5.8.exe

description	pid	process	target process
PID 3584 set thread context of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	SilverBulletPro.exe

pid	process
5100	csrss.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

powershell.exepowershell.exeSilverBulletPro44B.tmppowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exe

pid	process
4136	powershell.exe
4136	powershell.exe
4472	powershell.exe
4136	powershell.exe
4472	powershell.exe
4472	powershell.exe
4640	SilverBulletPro44B.tmp
4640	SilverBulletPro44B.tmp
4640	SilverBulletPro44B.tmp
4640	SilverBulletPro44B.tmp
4640	SilverBulletPro44B.tmp
4640	SilverBulletPro44B.tmp
4576	powershell.exe
4576	powershell.exe
4864	powershell.exe
4576	powershell.exe
4864	powershell.exe
4864	powershell.exe
3592	powershell.exe
3720	powershell.exe
3720	powershell.exe
3592	powershell.exe
3720	powershell.exe
3592	powershell.exe
4568	powershell.exe
4568	powershell.exe
304	powershell.exe
304	powershell.exe
4568	powershell.exe
304	powershell.exe
4940	powershell.exe
4940	powershell.exe
4940	powershell.exe
312	powershell.exe
312	powershell.exe
312	powershell.exe
200	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exepowershell.exepowershell.execsrss.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	200	svchost.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeIncreaseQuotaPrivilege	4136	powershell.exe
Token: SeSecurityPrivilege	4136	powershell.exe
Token: SeTakeOwnershipPrivilege	4136	powershell.exe
Token: SeLoadDriverPrivilege	4136	powershell.exe
Token: SeSystemProfilePrivilege	4136	powershell.exe
Token: SeSystemtimePrivilege	4136	powershell.exe
Token: SeProfSingleProcessPrivilege	4136	powershell.exe
Token: SeIncBasePriorityPrivilege	4136	powershell.exe
Token: SeCreatePagefilePrivilege	4136	powershell.exe
Token: SeBackupPrivilege	4136	powershell.exe
Token: SeRestorePrivilege	4136	powershell.exe
Token: SeShutdownPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeSystemEnvironmentPrivilege	4136	powershell.exe
Token: SeRemoteShutdownPrivilege	4136	powershell.exe
Token: SeUndockPrivilege	4136	powershell.exe
Token: SeManageVolumePrivilege	4136	powershell.exe
Token: 33	4136	powershell.exe
Token: 34	4136	powershell.exe
Token: 35	4136	powershell.exe
Token: 36	4136	powershell.exe
Token: SeIncreaseQuotaPrivilege	4472	powershell.exe
Token: SeSecurityPrivilege	4472	powershell.exe
Token: SeTakeOwnershipPrivilege	4472	powershell.exe
Token: SeLoadDriverPrivilege	4472	powershell.exe
Token: SeSystemProfilePrivilege	4472	powershell.exe
Token: SeSystemtimePrivilege	4472	powershell.exe
Token: SeProfSingleProcessPrivilege	4472	powershell.exe
Token: SeIncBasePriorityPrivilege	4472	powershell.exe
Token: SeCreatePagefilePrivilege	4472	powershell.exe
Token: SeBackupPrivilege	4472	powershell.exe
Token: SeRestorePrivilege	4472	powershell.exe
Token: SeShutdownPrivilege	4472	powershell.exe
Token: SeDebugPrivilege	4472	powershell.exe
Token: SeSystemEnvironmentPrivilege	4472	powershell.exe
Token: SeRemoteShutdownPrivilege	4472	powershell.exe
Token: SeUndockPrivilege	4472	powershell.exe
Token: SeManageVolumePrivilege	4472	powershell.exe
Token: 33	4472	powershell.exe
Token: 34	4472	powershell.exe
Token: 35	4472	powershell.exe
Token: 36	4472	powershell.exe
Token: SeDebugPrivilege	5100	csrss.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeIncreaseQuotaPrivilege	4576	powershell.exe
Token: SeSecurityPrivilege	4576	powershell.exe
Token: SeTakeOwnershipPrivilege	4576	powershell.exe
Token: SeLoadDriverPrivilege	4576	powershell.exe
Token: SeSystemProfilePrivilege	4576	powershell.exe
Token: SeSystemtimePrivilege	4576	powershell.exe
Token: SeProfSingleProcessPrivilege	4576	powershell.exe
Token: SeIncBasePriorityPrivilege	4576	powershell.exe
Token: SeCreatePagefilePrivilege	4576	powershell.exe
Token: SeBackupPrivilege	4576	powershell.exe
Token: SeRestorePrivilege	4576	powershell.exe
Token: SeShutdownPrivilege	4576	powershell.exe
Token: SeDebugPrivilege	4576	powershell.exe
Token: SeSystemEnvironmentPrivilege	4576	powershell.exe
Token: SeRemoteShutdownPrivilege	4576	powershell.exe
Token: SeUndockPrivilege	4576	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

200 svchost.exe

pid	process
200	svchost.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

SilverBulletPro‌‌.exeSilverBulletPro.exesvchost.execsrss.exe

description	pid	process	target process
PID 2332 wrote to memory of 3584	2332	SilverBulletPro‌‌.exe	SilverBulletPro.exe
PID 2332 wrote to memory of 3584	2332	SilverBulletPro‌‌.exe	SilverBulletPro.exe
PID 2332 wrote to memory of 200	2332	SilverBulletPro‌‌.exe	svchost.exe
PID 2332 wrote to memory of 200	2332	SilverBulletPro‌‌.exe	svchost.exe
PID 2332 wrote to memory of 5100	2332	SilverBulletPro‌‌.exe	csrss.exe
PID 2332 wrote to memory of 5100	2332	SilverBulletPro‌‌.exe	csrss.exe
PID 3584 wrote to memory of 4136	3584	SilverBulletPro.exe	powershell.exe
PID 3584 wrote to memory of 4136	3584	SilverBulletPro.exe	powershell.exe
PID 3584 wrote to memory of 4472	3584	SilverBulletPro.exe	powershell.exe
PID 3584 wrote to memory of 4472	3584	SilverBulletPro.exe	powershell.exe
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 4640	3584	SilverBulletPro.exe	SilverBulletPro44B.tmp
PID 3584 wrote to memory of 1380	3584	SilverBulletPro.exe	SilverBulletPro-v1.5.8.exe
PID 3584 wrote to memory of 1380	3584	SilverBulletPro.exe	SilverBulletPro-v1.5.8.exe
PID 200 wrote to memory of 4576	200	svchost.exe	powershell.exe
PID 200 wrote to memory of 4576	200	svchost.exe	powershell.exe
PID 5100 wrote to memory of 4864	5100	csrss.exe	powershell.exe
PID 5100 wrote to memory of 4864	5100	csrss.exe	powershell.exe
PID 5100 wrote to memory of 3720	5100	csrss.exe	powershell.exe
PID 5100 wrote to memory of 3720	5100	csrss.exe	powershell.exe
PID 200 wrote to memory of 3592	200	svchost.exe	powershell.exe
PID 200 wrote to memory of 3592	200	svchost.exe	powershell.exe
PID 5100 wrote to memory of 4568	5100	csrss.exe	powershell.exe
PID 5100 wrote to memory of 4568	5100	csrss.exe	powershell.exe
PID 200 wrote to memory of 304	200	svchost.exe	powershell.exe
PID 200 wrote to memory of 304	200	svchost.exe	powershell.exe
PID 5100 wrote to memory of 4940	5100	csrss.exe	powershell.exe
PID 5100 wrote to memory of 4940	5100	csrss.exe	powershell.exe
PID 200 wrote to memory of 312	200	svchost.exe	powershell.exe
PID 200 wrote to memory of 312	200	svchost.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SilverBulletPro‌‌.exe
"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro‌‌.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2332

C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe" -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4472

\??\c:\Users\Admin\AppData\Local\Temp\SilverBulletPro44B.tmp
"C:\Users\Admin\AppData\Local\Temp\silverbulletapi.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4640

C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe
"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe"
3⤵
- Executes dropped EXE
PID:1380

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:312

C:\ProgramData\csrss.exe
"C:\ProgramData\csrss.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3284

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\csrss.exe
Filesize
28KB

MD5
4d250bcbc14b9b2076b4c651ee3b7deb

SHA1
f5cd7173e1797f085b2da82cfa3729e0144bc16b

SHA256
41a2f2ca1bdf22fcef635dba5bfd267d32c432aa2f9f00c1574465712d7a5260

SHA512
3c3ef5bf7ce6490864256c779493275710645b8cd6087e982b9f49cf1b76f35d1f38799e2641ba5bad00d616aac1eead7b922630795eb88d4a398964365007a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cc74e27a6beeb697a3c88a0041c6b23f

SHA1
73316ab2b236a1e5f3ba19979239d58b50d3e753

SHA256
7d20761dbfc669395d8c9f381a289dbba2869a019e0cad24d48bc8fe284ad589

SHA512
9d95a2f619b5bee7c4db51f6d3f5240fa34f6709952995e12b0881187a24a71ce3413e77d73fc9ae17e6a14a4a6c534519ac9ace905093cb91b61c72aa4d796d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0244f51f1ead38b84d793c94fade1ae7

SHA1
0a388717d2cd790e31066225b2bb022f11f4b18b

SHA256
d0463a1e512fcd32f5fde672ce2ec7045148c08267d025a9554ac11d3581a9be

SHA512
09902570984f205573b011806ea00e3ff657c5db4a8f6716f95b18e89a79dc3e06b1be32dba8c7c9e3a23418cc7f2343da037866aeadddbebba6aee1fa000e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
7dbf200ee472ad09927bf6c1dda11714

SHA1
c5aee4cdbb55a923c94b175e613c318e2e60e75b

SHA256
9e6782e433b16d098a28726bb00c8d600e26163df31f39e532208ed05d6f5416

SHA512
d749adde8af01047c948674e1cc4084d210a9b175526c369a7553d00362cd3cd8d7d52ba033c2062048d0f98dba2581df3afba488025c58b7f30d10f910d6417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
66a2c88503fe55a7d7d435768795330d

SHA1
3d67c8b220ce74fcfcebf77bb82cb64df334a776

SHA256
fc86d5781ed8aa5c177f3ee63a49df768ffe9f9b021dc78f9c2ddc6d3a10d0cb

SHA512
dc1fcd0b214f44aa9d6abd0880226fd0c94ca6428765bc9997283747c6097f57bea3796bf795f7b411e576206918cf4a0b27f9ed9d8e6003e08ff7988a214b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ef2198ef73ec430ba1596194fe85dd39

SHA1
92a8b17865f115c0edf377526b532d7e5bc16caf

SHA256
7a74ac50d25c023d2f70b6a9bdd70985b159f1d4962dbacaa1d887399442223a

SHA512
ee1e7921b171b66689d9939074cd0c4e37a2bd1b91ef54d6ec9337f04ea1804c141433bbbc34476de7f83f8bd077e0caf153d6dff665aadc1d9db0d96fb8951a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dcc28f3c755e2b65f3e979d20f79f0ee

SHA1
0885d4b0aa2863a7e046f6047592c7ce540e07ff

SHA256
2850e538981b09b98bf0b4d75f95b73a8687e7df63d4c4c2d8ff34923d0ca8b2

SHA512
2c95540b143e0dbeea3a782f171091f22334db04fbd027f5571b1e649c9dea0e5ac2632bdfe12c7fb3cfaf77ec2cdcafd9af5f826e40d03a829903c0497e8358

Download Submit
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe
Filesize
602KB

MD5
347d21e54202cc42486f1be0f38ebea1

SHA1
f3a17fd7d1581928d8bf773c0f99433da64253db

SHA256
80e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad

SHA512
620f6318b95253cee873b21b90bdc8f75fb32c30bc42032b9eed5773890a700e66ca3f27f2418bb6b39c8a33f2dea718c2215852e64063e0187131be841950b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
Filesize
3.4MB

MD5
6d535debd23786b26bf8569d912a00fe

SHA1
bcddcbd663f1fa166df4d4517c7fd609d96a4f6d

SHA256
e9e776072b437af8866e6771217cebae30a50128fc930f5917b722149efd5b57

SHA512
38591fc556bfe7132aacbf9954dbb7c8a39ef364a015ccdc9618f3446555627d4ee57b33d07b77924afc0447c0135c3a93bbc7dc9b7dbad6ef5f286e50cbbd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qldye3ph.10i.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
76KB

MD5
7c1243aac3248ae75cc2bab7bf4dfaba

SHA1
3dd055ef06380e5886f59b76761132c36e8b3e8f

SHA256
dbf81c18b8fa71de185da60a70e41f5799405e5a8331e759b399cab5353a1eda

SHA512
3f643f2ec6ca210247eab13abfb2e7e73e0f8621e137c9c1fedc3390fbd5129d78dba438988fa6cf70800def4f60cc2a320e8f269b2bfeaa63bade64c5a2bcbf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\SilverBulletPro44B.tmp
Filesize
1KB

MD5
86d23632843c402a3a34828bb99317c9

SHA1
ee7082dcee56cb61d0cae037078efb2a4b32eaae

SHA256
eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280

SHA512
9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223

Download Submit
memory/200-19-0x0000000000500000-0x000000000051A000-memory.dmp

Filesize
104KB

Download
memory/2332-0-0x00007FF80A4D0000-0x00007FF80A6AB000-memory.dmp

Filesize
1.9MB

Download
memory/2332-25-0x00007FF80A4D0000-0x00007FF80A6AB000-memory.dmp

Filesize
1.9MB

Download
memory/2332-2-0x00007FF80A4D0000-0x00007FF80A6AB000-memory.dmp

Filesize
1.9MB

Download
memory/2332-1-0x0000000000680000-0x00000000009C8000-memory.dmp

Filesize
3.3MB

Download
memory/3584-180-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/3584-18-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/4136-37-0x000002B6AD0F0000-0x000002B6AD166000-memory.dmp

Filesize
472KB

Download
memory/4136-31-0x000002B6ACDC0000-0x000002B6ACDE2000-memory.dmp

Filesize
136KB

Download
memory/4640-118-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/4640-137-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/4640-177-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/5100-26-0x0000000000D70000-0x0000000000D7E000-memory.dmp

Filesize
56KB

Download