Analysis Overview
SHA256
cf21cb5e211d67c2fd4f9da05036d6654f412756dbce68c171932eba347e6a14
Threat Level: Known bad
The file UltraHook.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Executes dropped EXE
Drops startup file
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies registry class
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:26
Reported
2024-06-01 07:28
Platform
win10-20240404-en
Max time kernel
149s
Max time network
147s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\UltraHook\hl2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\UltraHook\uh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Desktop\UltraHook\hl2.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | C:\Windows\System32\bcastdvr.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\4183903823\2290032291.pri | C:\Windows\system32\taskmgr.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\UltraHook\hl2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\System32\GamePanel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\GamePanel.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\System32\GamePanel.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_QEMU&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\GamePanel.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Users\Admin\AppData\Local\Temp\UltraHook.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Users\Admin\AppData\Local\Temp\UltraHook.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\UltraHook\uh.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\UltraHook.exe
"C:\Users\Admin\AppData\Local\Temp\UltraHook.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\UltraHook\hl2.exe
"C:\Users\Admin\Desktop\UltraHook\hl2.exe"
C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
C:\Windows\System32\GamePanel.exe
"C:\Windows\System32\GamePanel.exe" 0000000000020282 /startuptips
C:\Windows\System32\bcastdvr.exe
"C:\Windows\System32\bcastdvr.exe" -ServerName:Windows.Media.Capture.Internal.BroadcastDVRServer
C:\Users\Admin\Desktop\UltraHook\uh.exe
"C:\Users\Admin\Desktop\UltraHook\uh.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x200
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 784
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.102.39:18983 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 39.102.125.3.in-addr.arpa | udp |
| DE | 3.125.102.39:18983 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:18983 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.125.102.39:18983 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 18.158.249.75:18983 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 75.249.158.18.in-addr.arpa | udp |
| DE | 18.158.249.75:18983 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:18983 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:18983 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:18983 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:18983 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:18983 | 0.tcp.eu.ngrok.io | tcp |
| DE | 18.158.249.75:18983 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.125.223.134:18983 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 134.223.125.3.in-addr.arpa | udp |
| DE | 3.125.223.134:18983 | 0.tcp.eu.ngrok.io | tcp |
Files
C:\Users\Admin\Desktop\UltraHook\hl2.exe
| Algorithm | Digest |
|---|---|
| MD5 | 7c271bbd974c760f516f1c9f9b61e0f2 |
| SHA1 | a1c9b9f1a9cc568ed707d880f78d16ce6d60ab4f |
| SHA256 | 4a06de84351ffbccc9bb1575c21142074c240f54902557e13e40ba037976d25f |
| SHA512 | f640b9f1eea0e5374522da490bd318bd17528f12d85ef1bd1566594c0d645de11cd1449fceadaa6751540dc95b2b3599b38a32f9bfa5700d75d81989095935e8 |
C:\Users\Admin\Videos\Captures\desktop.ini
| Algorithm | Digest |
|---|---|
| MD5 | b0d27eaec71f1cd73b015f5ceeb15f9d |
| SHA1 | 62264f8b5c2f5034a1e4143df6e8c787165fbc2f |
| SHA256 | 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2 |
| SHA512 | 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c |
C:\Users\Admin\Desktop\UltraHook\uh.exe
| Algorithm | Digest |
|---|---|
| MD5 | 25f2b0f9bf0237cb70c612a00509badc |
| SHA1 | 9f70d93c311314a506f4e102087c9c4213234390 |
| SHA256 | db1617ad28eae2935ea86e47a357ea8c0c460b228f3677901dc61af19a160684 |
| SHA512 | dfc82b0fc9eea24ec5d11f9e2497174116cae18b201292b4dc96b5ecce2fcfe00dd3f538dec2b0086cb4bece1d210d7a806d0d6a4384a7273943b15453d170a3 |
C:\Users\Admin\AppData\Local\Temp\svchost.exe
| Algorithm | Digest |
|---|---|
| MD5 | 09633ffe1d3b4c7a747e4408f8efbce5 |
| SHA1 | 1204d7963755d1d126b4b37110b3ce9aa363be26 |
| SHA256 | a05bf5a2ce5ede067135335270d9baf3d01b11589262d484b549ecfc6ed18afb |
| SHA512 | 63bfca8dca0e438b8eef2ba4ad5aafcb2369793cb5c1c979b2b4090ad1153c540372ec274cc1a9fd4f4fc85e142e2e6eb7a7b4780106c9d7189a9ece89a6bb60 |
C:\Users\Admin\Desktop\UltraHook\UH.DLL
| Algorithm | Digest |
|---|---|
| MD5 | dee522e807bdfd9b79db03ff6e90116a |
| SHA1 | 249685a1c7aa3b0fb526a3d21d163f41f1881217 |
| SHA256 | 7461010af30c604682fdda59b421291a4bd13820b9511734b9f850ed286adaf4 |
| SHA512 | 04fabe0e63dd56a7036e43dea4e19428199e67b5276596f2e28e91a35da3567424c011ffb83d3c76b8958999218321d2a635c50c1b89b6e9035e312775db07c2 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pm4ybek4.uh4.ps1
| Algorithm | Digest |
|---|---|
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| Algorithm | Digest |
|---|---|
| MD5 | 1c19c16e21c97ed42d5beabc93391fc5 |
| SHA1 | 8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68 |
| SHA256 | 1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05 |
| SHA512 | 7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Algorithm | Digest |
|---|---|
| MD5 | 60170802bf0da54651f0a26057938f96 |
| SHA1 | b86f092cf57a1c9b149710374188de6f441d53ee |
| SHA256 | 69e04900a28dc8823d10c5e6cc018e0f7a057b342a337c8e1c0e712fc6abe83b |
| SHA512 | 1c9ec643ceced65f121d4e73b03891fb6d37b488e3e73a9d8407b0a5eeb2dd6a77b1c0de0330a0d7444910a6e7f88f0b426197b2aa9368d74ee4c6b3b8ded909 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Algorithm | Digest |
|---|---|
| MD5 | 3aec782bb3f3271af35bbdaf4bbb0de3 |
| SHA1 | 81ec4ac6f4ad7801a8320143b4b82624a248901d |
| SHA256 | 6eecbd4849c279b100f8e879a57636447ae9c87d1d0633817399272a84b271bd |
| SHA512 | 49e3128a7e42134f38e1e638ccde27d0dfb73306c783b0ddca5c7d08d2a9753ffdf304b961506afb2f5e29ef64bfcd338fcf964062409c243ed8dd23b29da469 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| Algorithm | Digest |
|---|---|
| MD5 | 72722772d03cc4b476de38dae66eb9c2 |
| SHA1 | cdc47055c586e90bfe35d1b19c6300669e837cac |
| SHA256 | e7510cbe018887be99ad9e90a1025818336e3782de5c7d06429cb6dc23e7de9b |
| SHA512 | e25eb3f8e6a3374ddd778bba3ebdda201f0bb43004f4ac5df96f07e7bb9bacb50ff585a2db9f4e789fe955c181de174c960cbf49911d80a16dc10e34d6f4e3b0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk
| Algorithm | Digest |
|---|---|
| MD5 | bcdf2db5e9749352366ff536238e9343 |
| SHA1 | f108734c7960e9367c08e0752c2fda354ece5f52 |
| SHA256 | 4938475d5b1add19eb16186d58ee84f01216b555b3c21a4a1c1a28990f966a3d |
| SHA512 | cace967601f6c5fdeadbad256b9567cfb11a6ca9fe6f0b5ebf54045917ec47ccab18581bd022307564710f74703b27e1fa19823b996ab40fd4763440671123ef |