Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 21:42
Static task
static1
Behavioral task
behavioral1
Sample
SilverBulletPro.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
SilverBulletPro.exe
Resource
win10v2004-20240508-en
General
-
Target
SilverBulletPro.exe
-
Size
3.3MB
-
MD5
3a05915ef59826910a7935060c9cb8f2
-
SHA1
b89b7bbf347b380d98c56d7261f3780dbdd94290
-
SHA256
ad121ddbed20a93a429f98df9aa1a589f5efd7fe2a579e00a5ea4409ef9d814d
-
SHA512
8c80f88a9738c9fec207f06c86537d2ff32580dd1d6a51deaee1bde318e211669c0eb82a45c350fcd6d54f3ed7c5f628bc472cddc71f0fb29e43931df1c2da1b
-
SSDEEP
49152:lffAbklzCfGDY2G+qnb7IzJunAyDZTk1VQq3/YtjCq3x5ZtztwZFG/i/kvfp:lD8vQQnAZbetlh5Zt5wZF0i/kH
Malware Config
Extracted
xworm
dsasinject-58214.portmap.io:3389
-
Install_directory
%AppData%
-
install_file
svchost.exe
-
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\svchost.exe family_xworm behavioral2/memory/3548-37-0x0000000000130000-0x000000000014A000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2652 powershell.exe 4384 powershell.exe 2164 powershell.exe 4944 powershell.exe 3520 powershell.exe 1376 powershell.exe 3328 powershell.exe 2288 powershell.exe 4400 powershell.exe 2272 powershell.exe -
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
svchost.execsrss.exeSilverBulletPro.exeSilverBulletPro.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation csrss.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation SilverBulletPro.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation SilverBulletPro.exe -
Drops startup file 4 IoCs
Processes:
svchost.execsrss.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk csrss.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk csrss.exe -
Executes dropped EXE 5 IoCs
Processes:
SilverBulletPro.exesvchost.execsrss.exeSilverBulletPro960.tmpSilverBulletPro-v1.5.8.exepid process 3816 SilverBulletPro.exe 3548 svchost.exe 2304 csrss.exe 3252 SilverBulletPro960.tmp 3140 SilverBulletPro-v1.5.8.exe -
Loads dropped DLL 1 IoCs
Processes:
SilverBulletPro.exepid process 3816 SilverBulletPro.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SilverBulletPro.exedescription pid process target process PID 3816 set thread context of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
SilverBulletPro.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ SilverBulletPro.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
csrss.exepid process 2304 csrss.exe -
Suspicious behavior: EnumeratesProcesses 37 IoCs
Processes:
powershell.exepowershell.exeSilverBulletPro960.tmppowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepid process 3328 powershell.exe 3328 powershell.exe 2164 powershell.exe 2164 powershell.exe 2164 powershell.exe 3252 SilverBulletPro960.tmp 3252 SilverBulletPro960.tmp 3252 SilverBulletPro960.tmp 3252 SilverBulletPro960.tmp 3252 SilverBulletPro960.tmp 3252 SilverBulletPro960.tmp 2288 powershell.exe 2288 powershell.exe 2288 powershell.exe 4944 powershell.exe 4944 powershell.exe 4944 powershell.exe 3520 powershell.exe 3520 powershell.exe 3520 powershell.exe 1376 powershell.exe 1376 powershell.exe 1376 powershell.exe 4400 powershell.exe 4400 powershell.exe 4400 powershell.exe 2272 powershell.exe 2272 powershell.exe 2272 powershell.exe 2652 powershell.exe 2652 powershell.exe 2652 powershell.exe 4384 powershell.exe 4384 powershell.exe 4384 powershell.exe 3548 svchost.exe 3548 svchost.exe -
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
svchost.exepowershell.exepowershell.execsrss.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exevssvc.exedescription pid process Token: SeDebugPrivilege 3548 svchost.exe Token: SeDebugPrivilege 3328 powershell.exe Token: SeDebugPrivilege 2164 powershell.exe Token: SeDebugPrivilege 2304 csrss.exe Token: SeDebugPrivilege 2288 powershell.exe Token: SeDebugPrivilege 4944 powershell.exe Token: SeDebugPrivilege 3520 powershell.exe Token: SeDebugPrivilege 1376 powershell.exe Token: SeDebugPrivilege 4400 powershell.exe Token: SeDebugPrivilege 2272 powershell.exe Token: SeDebugPrivilege 2652 powershell.exe Token: SeDebugPrivilege 4384 powershell.exe Token: SeBackupPrivilege 4344 vssvc.exe Token: SeRestorePrivilege 4344 vssvc.exe Token: SeAuditPrivilege 4344 vssvc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
svchost.exepid process 3548 svchost.exe -
Suspicious use of WriteProcessMemory 45 IoCs
Processes:
SilverBulletPro.exeSilverBulletPro.exesvchost.execsrss.exedescription pid process target process PID 4512 wrote to memory of 3816 4512 SilverBulletPro.exe SilverBulletPro.exe PID 4512 wrote to memory of 3816 4512 SilverBulletPro.exe SilverBulletPro.exe PID 4512 wrote to memory of 3548 4512 SilverBulletPro.exe svchost.exe PID 4512 wrote to memory of 3548 4512 SilverBulletPro.exe svchost.exe PID 3816 wrote to memory of 3328 3816 SilverBulletPro.exe Conhost.exe PID 3816 wrote to memory of 3328 3816 SilverBulletPro.exe Conhost.exe PID 4512 wrote to memory of 2304 4512 SilverBulletPro.exe csrss.exe PID 4512 wrote to memory of 2304 4512 SilverBulletPro.exe csrss.exe PID 3816 wrote to memory of 2164 3816 SilverBulletPro.exe powershell.exe PID 3816 wrote to memory of 2164 3816 SilverBulletPro.exe powershell.exe PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp PID 3816 wrote to memory of 3140 3816 SilverBulletPro.exe SilverBulletPro-v1.5.8.exe PID 3816 wrote to memory of 3140 3816 SilverBulletPro.exe SilverBulletPro-v1.5.8.exe PID 3548 wrote to memory of 2288 3548 svchost.exe powershell.exe PID 3548 wrote to memory of 2288 3548 svchost.exe powershell.exe PID 2304 wrote to memory of 4944 2304 csrss.exe powershell.exe PID 2304 wrote to memory of 4944 2304 csrss.exe powershell.exe PID 3548 wrote to memory of 3520 3548 svchost.exe powershell.exe PID 3548 wrote to memory of 3520 3548 svchost.exe powershell.exe PID 2304 wrote to memory of 1376 2304 csrss.exe powershell.exe PID 2304 wrote to memory of 1376 2304 csrss.exe powershell.exe PID 3548 wrote to memory of 4400 3548 svchost.exe powershell.exe PID 3548 wrote to memory of 4400 3548 svchost.exe powershell.exe PID 2304 wrote to memory of 2272 2304 csrss.exe powershell.exe PID 2304 wrote to memory of 2272 2304 csrss.exe powershell.exe PID 3548 wrote to memory of 2652 3548 svchost.exe powershell.exe PID 3548 wrote to memory of 2652 3548 svchost.exe powershell.exe PID 2304 wrote to memory of 4384 2304 csrss.exe powershell.exe PID 2304 wrote to memory of 4384 2304 csrss.exe powershell.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe" -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\Users\Admin\AppData\Local\Temp\SilverBulletPro960.tmp"C:\Users\Admin\AppData\Local\Temp\silverbulletapi.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\csrss.exe"C:\ProgramData\csrss.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\csrss.exeFilesize
28KB
MD54d250bcbc14b9b2076b4c651ee3b7deb
SHA1f5cd7173e1797f085b2da82cfa3729e0144bc16b
SHA25641a2f2ca1bdf22fcef635dba5bfd267d32c432aa2f9f00c1574465712d7a5260
SHA5123c3ef5bf7ce6490864256c779493275710645b8cd6087e982b9f49cf1b76f35d1f38799e2641ba5bad00d616aac1eead7b922630795eb88d4a398964365007a2
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD522310ad6749d8cc38284aa616efcd100
SHA1440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA25655b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA5122ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5eb1ad317bd25b55b2bbdce8a28a74a94
SHA198a3978be4d10d62e7411946474579ee5bdc5ea6
SHA2569e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5a7cc007980e419d553568a106210549a
SHA1c03099706b75071f36c3962fcc60a22f197711e0
SHA256a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD534f595487e6bfd1d11c7de88ee50356a
SHA14caad088c15766cc0fa1f42009260e9a02f953bb
SHA2560f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA51210976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exeFilesize
602KB
MD5347d21e54202cc42486f1be0f38ebea1
SHA1f3a17fd7d1581928d8bf773c0f99433da64253db
SHA25680e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad
SHA512620f6318b95253cee873b21b90bdc8f75fb32c30bc42032b9eed5773890a700e66ca3f27f2418bb6b39c8a33f2dea718c2215852e64063e0187131be841950b9
-
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exeFilesize
3.4MB
MD56d535debd23786b26bf8569d912a00fe
SHA1bcddcbd663f1fa166df4d4517c7fd609d96a4f6d
SHA256e9e776072b437af8866e6771217cebae30a50128fc930f5917b722149efd5b57
SHA51238591fc556bfe7132aacbf9954dbb7c8a39ef364a015ccdc9618f3446555627d4ee57b33d07b77924afc0447c0135c3a93bbc7dc9b7dbad6ef5f286e50cbbd1b
-
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro710.tmpFilesize
1KB
MD58fd1d495b09695f4fb95638213559464
SHA18525bec9fcc14bfb53145f339b5498c7d5948563
SHA25621e178a283f66f767540ca84c2f2fe46bfe18add60a41f49a65ac4bdaae1f7a2
SHA51280239f149715fccd6e0d615ace999b483315ec9451664352aea5953a321435964757721e5694e4dfbb3b8aab001621112332617b99eb95994d616160838a82a4
-
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro960.tmpFilesize
1KB
MD586d23632843c402a3a34828bb99317c9
SHA1ee7082dcee56cb61d0cae037078efb2a4b32eaae
SHA256eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280
SHA5129a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_luntz1np.vze.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\svchost.exeFilesize
76KB
MD57c1243aac3248ae75cc2bab7bf4dfaba
SHA13dd055ef06380e5886f59b76761132c36e8b3e8f
SHA256dbf81c18b8fa71de185da60a70e41f5799405e5a8331e759b399cab5353a1eda
SHA5123f643f2ec6ca210247eab13abfb2e7e73e0f8621e137c9c1fedc3390fbd5129d78dba438988fa6cf70800def4f60cc2a320e8f269b2bfeaa63bade64c5a2bcbf
-
memory/2304-50-0x00000000004A0000-0x00000000004AE000-memory.dmpFilesize
56KB
-
memory/3252-143-0x0000000140000000-0x0000000140641000-memory.dmpFilesize
6.3MB
-
memory/3252-86-0x0000000000110000-0x0000000000111000-memory.dmpFilesize
4KB
-
memory/3252-141-0x0000000140000000-0x0000000140641000-memory.dmpFilesize
6.3MB
-
memory/3328-56-0x0000015717B10000-0x0000015717B32000-memory.dmpFilesize
136KB
-
memory/3548-37-0x0000000000130000-0x000000000014A000-memory.dmpFilesize
104KB
-
memory/3548-41-0x00007FF99AA50000-0x00007FF99B511000-memory.dmpFilesize
10.8MB
-
memory/3548-248-0x00007FF99AA50000-0x00007FF99B511000-memory.dmpFilesize
10.8MB
-
memory/3548-247-0x000000001C760000-0x000000001C790000-memory.dmpFilesize
192KB
-
memory/3816-25-0x0000000140000000-0x000000014012A000-memory.dmpFilesize
1.2MB
-
memory/3816-155-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmpFilesize
2.0MB
-
memory/3816-45-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmpFilesize
2.0MB
-
memory/3816-85-0x0000000003640000-0x0000000003C81000-memory.dmpFilesize
6.3MB
-
memory/3816-47-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmpFilesize
2.0MB
-
memory/3816-77-0x0000000003640000-0x0000000003C81000-memory.dmpFilesize
6.3MB
-
memory/3816-156-0x0000000140000000-0x000000014012A000-memory.dmpFilesize
1.2MB
-
memory/3816-46-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmpFilesize
2.0MB
-
memory/3816-44-0x00007FF9B8B6D000-0x00007FF9B8B6E000-memory.dmpFilesize
4KB
-
memory/3816-48-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmpFilesize
2.0MB
-
memory/4512-4-0x00007FF99AA50000-0x00007FF99B511000-memory.dmpFilesize
10.8MB
-
memory/4512-1-0x0000000000C80000-0x0000000000FC8000-memory.dmpFilesize
3.3MB
-
memory/4512-0-0x00007FF99AA53000-0x00007FF99AA55000-memory.dmpFilesize
8KB
-
memory/4512-49-0x00007FF99AA50000-0x00007FF99B511000-memory.dmpFilesize
10.8MB