xworm | ad121ddbed20a93a429f98df9aa1a589f5efd7fe2a579e00a5ea4409ef9d814d

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SilverBulletPro‌‌.exe
Size

3.3MB
MD5

3a05915ef59826910a7935060c9cb8f2
SHA1

b89b7bbf347b380d98c56d7261f3780dbdd94290
SHA256

ad121ddbed20a93a429f98df9aa1a589f5efd7fe2a579e00a5ea4409ef9d814d
SHA512

8c80f88a9738c9fec207f06c86537d2ff32580dd1d6a51deaee1bde318e211669c0eb82a45c350fcd6d54f3ed7c5f628bc472cddc71f0fb29e43931df1c2da1b
SSDEEP

49152:lffAbklzCfGDY2G+qnb7IzJunAyDZTk1VQq3/YtjCq3x5ZtztwZFG/i/kvfp:lD8vQQnAZbetlh5Zt5wZF0i/kH

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

dsasinject-58214.portmap.io:3389

Attributes

Install_directory
%AppData%
install_file
svchost.exe
telegram
https://api.telegram.org/bot7023899363:AAFEzgbfWzhyE32Lf95TKSRYEYXMd4AfMyk/sendMessage?chat_id=6354844663

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\svchost.exe	family_xworm
behavioral2/memory/3548-37-0x0000000000130000-0x000000000014A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2652	powershell.exe
4384	powershell.exe
2164	powershell.exe
4944	powershell.exe
3520	powershell.exe
1376	powershell.exe
3328	powershell.exe
2288	powershell.exe
4400	powershell.exe
2272	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.execsrss.exeSilverBulletPro‌‌.exeSilverBulletPro.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	SilverBulletPro‌‌.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	SilverBulletPro.exe

Drops startup file 4 IoCs

Processes:

svchost.execsrss.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk	csrss.exe

Executes dropped EXE 5 IoCs

Processes:

SilverBulletPro.exesvchost.execsrss.exeSilverBulletPro960.tmpSilverBulletPro-v1.5.8.exe

pid process

3816 SilverBulletPro.exe
3548 svchost.exe
2304 csrss.exe
3252 SilverBulletPro960.tmp
3140 SilverBulletPro-v1.5.8.exe
Loads dropped DLL 1 IoCs

Processes:

SilverBulletPro.exe

pid process

3816 SilverBulletPro.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

SilverBulletPro.exe

description pid process target process

PID 3816 set thread context of 3252 3816 SilverBulletPro.exe SilverBulletPro960.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

SilverBulletPro.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ SilverBulletPro.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

csrss.exe

pid process

2304 csrss.exe

pid	process
3816	SilverBulletPro.exe
3548	svchost.exe
2304	csrss.exe
3252	SilverBulletPro960.tmp
3140	SilverBulletPro-v1.5.8.exe

pid	process
3816	SilverBulletPro.exe

description	pid	process	target process
PID 3816 set thread context of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	SilverBulletPro.exe

pid	process
2304	csrss.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

powershell.exepowershell.exeSilverBulletPro960.tmppowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exe

pid	process
3328	powershell.exe
3328	powershell.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
3252	SilverBulletPro960.tmp
3252	SilverBulletPro960.tmp
3252	SilverBulletPro960.tmp
3252	SilverBulletPro960.tmp
3252	SilverBulletPro960.tmp
3252	SilverBulletPro960.tmp
2288	powershell.exe
2288	powershell.exe
2288	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
3520	powershell.exe
3520	powershell.exe
3520	powershell.exe
1376	powershell.exe
1376	powershell.exe
1376	powershell.exe
4400	powershell.exe
4400	powershell.exe
4400	powershell.exe
2272	powershell.exe
2272	powershell.exe
2272	powershell.exe
2652	powershell.exe
2652	powershell.exe
2652	powershell.exe
4384	powershell.exe
4384	powershell.exe
4384	powershell.exe
3548	svchost.exe
3548	svchost.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

svchost.exepowershell.exepowershell.execsrss.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	3548	svchost.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2304	csrss.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	4400	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeBackupPrivilege	4344	vssvc.exe
Token: SeRestorePrivilege	4344	vssvc.exe
Token: SeAuditPrivilege	4344	vssvc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

svchost.exe

pid process

3548 svchost.exe

pid	process
3548	svchost.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

SilverBulletPro‌‌.exeSilverBulletPro.exesvchost.execsrss.exe

description	pid	process	target process
PID 4512 wrote to memory of 3816	4512	SilverBulletPro‌‌.exe	SilverBulletPro.exe
PID 4512 wrote to memory of 3816	4512	SilverBulletPro‌‌.exe	SilverBulletPro.exe
PID 4512 wrote to memory of 3548	4512	SilverBulletPro‌‌.exe	svchost.exe
PID 4512 wrote to memory of 3548	4512	SilverBulletPro‌‌.exe	svchost.exe
PID 3816 wrote to memory of 3328	3816	SilverBulletPro.exe	Conhost.exe
PID 3816 wrote to memory of 3328	3816	SilverBulletPro.exe	Conhost.exe
PID 4512 wrote to memory of 2304	4512	SilverBulletPro‌‌.exe	csrss.exe
PID 4512 wrote to memory of 2304	4512	SilverBulletPro‌‌.exe	csrss.exe
PID 3816 wrote to memory of 2164	3816	SilverBulletPro.exe	powershell.exe
PID 3816 wrote to memory of 2164	3816	SilverBulletPro.exe	powershell.exe
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3252	3816	SilverBulletPro.exe	SilverBulletPro960.tmp
PID 3816 wrote to memory of 3140	3816	SilverBulletPro.exe	SilverBulletPro-v1.5.8.exe
PID 3816 wrote to memory of 3140	3816	SilverBulletPro.exe	SilverBulletPro-v1.5.8.exe
PID 3548 wrote to memory of 2288	3548	svchost.exe	powershell.exe
PID 3548 wrote to memory of 2288	3548	svchost.exe	powershell.exe
PID 2304 wrote to memory of 4944	2304	csrss.exe	powershell.exe
PID 2304 wrote to memory of 4944	2304	csrss.exe	powershell.exe
PID 3548 wrote to memory of 3520	3548	svchost.exe	powershell.exe
PID 3548 wrote to memory of 3520	3548	svchost.exe	powershell.exe
PID 2304 wrote to memory of 1376	2304	csrss.exe	powershell.exe
PID 2304 wrote to memory of 1376	2304	csrss.exe	powershell.exe
PID 3548 wrote to memory of 4400	3548	svchost.exe	powershell.exe
PID 3548 wrote to memory of 4400	3548	svchost.exe	powershell.exe
PID 2304 wrote to memory of 2272	2304	csrss.exe	powershell.exe
PID 2304 wrote to memory of 2272	2304	csrss.exe	powershell.exe
PID 3548 wrote to memory of 2652	3548	svchost.exe	powershell.exe
PID 3548 wrote to memory of 2652	3548	svchost.exe	powershell.exe
PID 2304 wrote to memory of 4384	2304	csrss.exe	powershell.exe
PID 2304 wrote to memory of 4384	2304	csrss.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SilverBulletPro‌‌.exe
"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro‌‌.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe" -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension ".tmp" -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2164

\??\c:\Users\Admin\AppData\Local\Temp\SilverBulletPro960.tmp
"C:\Users\Admin\AppData\Local\Temp\silverbulletapi.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3252

C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe
"C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe"
3⤵
- Executes dropped EXE
PID:3140

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\ProgramData\csrss.exe
"C:\ProgramData\csrss.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'csrss.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\csrss.exe
Filesize
28KB

MD5
4d250bcbc14b9b2076b4c651ee3b7deb

SHA1
f5cd7173e1797f085b2da82cfa3729e0144bc16b

SHA256
41a2f2ca1bdf22fcef635dba5bfd267d32c432aa2f9f00c1574465712d7a5260

SHA512
3c3ef5bf7ce6490864256c779493275710645b8cd6087e982b9f49cf1b76f35d1f38799e2641ba5bad00d616aac1eead7b922630795eb88d4a398964365007a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro-v1.5.8.exe
Filesize
602KB

MD5
347d21e54202cc42486f1be0f38ebea1

SHA1
f3a17fd7d1581928d8bf773c0f99433da64253db

SHA256
80e06ccb6370aca19137d47b6ecf3256d6a34b67a3d4bf0b7c3190a1c5feacad

SHA512
620f6318b95253cee873b21b90bdc8f75fb32c30bc42032b9eed5773890a700e66ca3f27f2418bb6b39c8a33f2dea718c2215852e64063e0187131be841950b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro.exe
Filesize
3.4MB

MD5
6d535debd23786b26bf8569d912a00fe

SHA1
bcddcbd663f1fa166df4d4517c7fd609d96a4f6d

SHA256
e9e776072b437af8866e6771217cebae30a50128fc930f5917b722149efd5b57

SHA512
38591fc556bfe7132aacbf9954dbb7c8a39ef364a015ccdc9618f3446555627d4ee57b33d07b77924afc0447c0135c3a93bbc7dc9b7dbad6ef5f286e50cbbd1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro710.tmp
Filesize
1KB

MD5
8fd1d495b09695f4fb95638213559464

SHA1
8525bec9fcc14bfb53145f339b5498c7d5948563

SHA256
21e178a283f66f767540ca84c2f2fe46bfe18add60a41f49a65ac4bdaae1f7a2

SHA512
80239f149715fccd6e0d615ace999b483315ec9451664352aea5953a321435964757721e5694e4dfbb3b8aab001621112332617b99eb95994d616160838a82a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\SilverBulletPro960.tmp
Filesize
1KB

MD5
86d23632843c402a3a34828bb99317c9

SHA1
ee7082dcee56cb61d0cae037078efb2a4b32eaae

SHA256
eef04cd51ee4cffc01ea5b13e1bf7a174cc4f093aef143471a31d16e20f9e280

SHA512
9a5fcf3158c96be1a48dff04d58ec15471d69f44a6a06ea5f2fcd2c858bd974bbfbfe31028cc85a321ae55f5d621038c5234dcf01757682c399b91dc007cb223

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_luntz1np.vze.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
76KB

MD5
7c1243aac3248ae75cc2bab7bf4dfaba

SHA1
3dd055ef06380e5886f59b76761132c36e8b3e8f

SHA256
dbf81c18b8fa71de185da60a70e41f5799405e5a8331e759b399cab5353a1eda

SHA512
3f643f2ec6ca210247eab13abfb2e7e73e0f8621e137c9c1fedc3390fbd5129d78dba438988fa6cf70800def4f60cc2a320e8f269b2bfeaa63bade64c5a2bcbf

Download Submit
memory/2304-50-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/3252-143-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/3252-86-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/3252-141-0x0000000140000000-0x0000000140641000-memory.dmp

Filesize
6.3MB

Download
memory/3328-56-0x0000015717B10000-0x0000015717B32000-memory.dmp

Filesize
136KB

Download
memory/3548-37-0x0000000000130000-0x000000000014A000-memory.dmp

Filesize
104KB

Download
memory/3548-41-0x00007FF99AA50000-0x00007FF99B511000-memory.dmp

Filesize
10.8MB

Download
memory/3548-248-0x00007FF99AA50000-0x00007FF99B511000-memory.dmp

Filesize
10.8MB

Download
memory/3548-247-0x000000001C760000-0x000000001C790000-memory.dmp

Filesize
192KB

Download
memory/3816-25-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/3816-155-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3816-45-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3816-85-0x0000000003640000-0x0000000003C81000-memory.dmp

Filesize
6.3MB

Download
memory/3816-47-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3816-77-0x0000000003640000-0x0000000003C81000-memory.dmp

Filesize
6.3MB

Download
memory/3816-156-0x0000000140000000-0x000000014012A000-memory.dmp

Filesize
1.2MB

Download
memory/3816-46-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/3816-44-0x00007FF9B8B6D000-0x00007FF9B8B6E000-memory.dmp

Filesize
4KB

Download
memory/3816-48-0x00007FF9B8AD0000-0x00007FF9B8CC5000-memory.dmp

Filesize
2.0MB

Download
memory/4512-4-0x00007FF99AA50000-0x00007FF99B511000-memory.dmp

Filesize
10.8MB

Download
memory/4512-1-0x0000000000C80000-0x0000000000FC8000-memory.dmp

Filesize
3.3MB

Download
memory/4512-0-0x00007FF99AA53000-0x00007FF99AA55000-memory.dmp

Filesize
8KB

Download
memory/4512-49-0x00007FF99AA50000-0x00007FF99B511000-memory.dmp

Filesize
10.8MB

Download