Malware Analysis Report

2024-11-16 13:42

Sample ID 240601-h6z5ksdg4y
Target UltraHook.exe
SHA256 cf21cb5e211d67c2fd4f9da05036d6654f412756dbce68c171932eba347e6a14
Tags
xworm execution rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

cf21cb5e211d67c2fd4f9da05036d6654f412756dbce68c171932eba347e6a14

Threat Level: Known bad

The file UltraHook.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution rat trojan

Detect Xworm Payload

Xworm

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Drops startup file

Loads dropped DLL

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-01 07:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 07:21

Reported

2024-06-01 07:24

Platform

win10-20240404-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UltraHook.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Downloads MZ/PE file

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\UltraHook\hl2.exe N/A
N/A N/A C:\Users\Admin\Desktop\UltraHook\uh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\UltraHook\hl2.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini C:\Windows\System32\bcastdvr.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A 5.tcp.eu.ngrok.io N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\1601268389\715946058.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\4183903823\2290032291.pri C:\Windows\system32\taskmgr.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\UltraHook\hl2.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\GamePanel.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\System32\GamePanel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\System32\GamePanel.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\System32\GamePanel.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Users\Admin\AppData\Local\Temp\UltraHook.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Users\Admin\AppData\Local\Temp\UltraHook.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\UltraHook\uh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UltraHook.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\UltraHook\uh.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\UltraHook.exe N/A
N/A N/A C:\Users\Admin\Desktop\UltraHook\hl2.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4632 wrote to memory of 2384 N/A C:\Users\Admin\Desktop\UltraHook\uh.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 4632 wrote to memory of 1896 N/A C:\Users\Admin\Desktop\UltraHook\uh.exe C:\Users\Admin\Desktop\UltraHook\hl2.exe
PID 2384 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\UltraHook.exe

"C:\Users\Admin\AppData\Local\Temp\UltraHook.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\UltraHook\hl2.exe

"C:\Users\Admin\Desktop\UltraHook\hl2.exe"

C:\Windows\System32\GameBarPresenceWriter.exe

"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer

C:\Windows\System32\GamePanel.exe

"C:\Windows\System32\GamePanel.exe" 000000000005022C /startuptips

C:\Windows\System32\bcastdvr.exe

"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer

C:\Users\Admin\Desktop\UltraHook\uh.exe

"C:\Users\Admin\Desktop\UltraHook\uh.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3f8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 636

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 18.158.58.205:10369 5.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 205.58.158.18.in-addr.arpa udp
US 8.8.8.8:53 50.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.tcp.eu.ngrok.io udp
DE 3.127.181.115:10369 5.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 115.181.127.3.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 16.24.18.2.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\UltraHook\hl2.exe

MD5 7c271bbd974c760f516f1c9f9b61e0f2
SHA1 a1c9b9f1a9cc568ed707d880f78d16ce6d60ab4f
SHA256 4a06de84351ffbccc9bb1575c21142074c240f54902557e13e40ba037976d25f
SHA512 f640b9f1eea0e5374522da490bd318bd17528f12d85ef1bd1566594c0d645de11cd1449fceadaa6751540dc95b2b3599b38a32f9bfa5700d75d81989095935e8

C:\Users\Admin\Videos\Captures\desktop.ini

MD5 b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

C:\Users\Admin\Desktop\UltraHook\uh.exe

MD5 25f2b0f9bf0237cb70c612a00509badc
SHA1 9f70d93c311314a506f4e102087c9c4213234390
SHA256 db1617ad28eae2935ea86e47a357ea8c0c460b228f3677901dc61af19a160684
SHA512 dfc82b0fc9eea24ec5d11f9e2497174116cae18b201292b4dc96b5ecce2fcfe00dd3f538dec2b0086cb4bece1d210d7a806d0d6a4384a7273943b15453d170a3

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 09633ffe1d3b4c7a747e4408f8efbce5
SHA1 1204d7963755d1d126b4b37110b3ce9aa363be26
SHA256 a05bf5a2ce5ede067135335270d9baf3d01b11589262d484b549ecfc6ed18afb
SHA512 63bfca8dca0e438b8eef2ba4ad5aafcb2369793cb5c1c979b2b4090ad1153c540372ec274cc1a9fd4f4fc85e142e2e6eb7a7b4780106c9d7189a9ece89a6bb60

\Users\Admin\Desktop\UltraHook\uh.dll

MD5 dee522e807bdfd9b79db03ff6e90116a
SHA1 249685a1c7aa3b0fb526a3d21d163f41f1881217
SHA256 7461010af30c604682fdda59b421291a4bd13820b9511734b9f850ed286adaf4
SHA512 04fabe0e63dd56a7036e43dea4e19428199e67b5276596f2e28e91a35da3567424c011ffb83d3c76b8958999218321d2a635c50c1b89b6e9035e312775db07c2

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tthg411a.k1u.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1c19c16e21c97ed42d5beabc93391fc5
SHA1 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68
SHA256 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05
SHA512 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 974ad918567d85b0b05f625c163f6179
SHA1 6a6518481192c1d131d3bcae7cb5703203105c34
SHA256 45d525ec9dbc9579eeb8bfe2b7e33a8a6554bcf13fe7089c3a8ab07d297063f5
SHA512 685014d63a71e40dabbe00cd169c1110425f357c4aa0be6f38f59407d9b31f021eb1329452907405e8eab063cca1ff0e2d7f024bf6f692130cf67a4214420724

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 108fd55c5964b6ddb685e736b1a0a526
SHA1 ee7227f5cfc7817ceb1cc92ea0209f83fc22853b
SHA256 ece2baf832bcb7231c634ad8f180c65c50bc77f1df5f60ba4ab507351ec39e75
SHA512 5f3abfb0570292a62729f7f924ec2c80b1ccad46fc7dfc91df9b9d648383e3447a2d3bd693b82195cd8517a50608ef5c2f7ec61a0bc808fecc67f5d2efb22488

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 48c51c38e52b8dd821307498a6a87a36
SHA1 2a0177d0b03f9393ffbb7e031aab7036f432b987
SHA256 f1881bef8d770cec5089449168708c78498447a42499b276b68446c1ea32dbfc
SHA512 8ba275fbf51593e502cab67449414e3d5a01b1ca57e8e0735bc10c8cf11aa379048ec4999c7b7b0781942247df99ee12c0c12a3cf867e1f3b0ed2b4dea788c9e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk

MD5 4434bce1cc04fec99fc83160c0630311
SHA1 d7db2b7a9f7cf331dd5a7e65bc752da11490b3d6
SHA256 f87e288c5e76832f4fc845568645f0812766b196db7f43a08f94f6a9df820cc6
SHA512 b88b8e36093ed0ca4fb62fd38ecb59b304ade6d0036d029b0b0de52c19a72c0c55fead3dac3da62f315377a7dfc204653635a11a412e26117d880f439fd1c5c1