Malware Analysis Report

2025-08-11 00:31

Sample ID 240311-aeafvafb5t
Target b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263
SHA256 b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263
Tags urelas trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2024-03-11 00:07

Signatures

Urelas family

urelas

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted 2024-03-11 00:07
Reported 2024-03-11 00:09
Platform win7-20240221-en
Max time kernel 122s
Max time network 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\viofi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fuhipo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mezop.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\mezop.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe C:\Users\Admin\AppData\Local\Temp\viofi.exe
PID 2972 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\viofi.exe C:\Users\Admin\AppData\Local\Temp\fuhipo.exe
PID 2544 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\fuhipo.exe C:\Users\Admin\AppData\Local\Temp\mezop.exe
PID 1084 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\mezop.exe C:\Windows\SysWOW64\WerFault.exe
PID 2544 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\fuhipo.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe

"C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe"

C:\Users\Admin\AppData\Local\Temp\viofi.exe

"C:\Users\Admin\AppData\Local\Temp\viofi.exe" hi

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\fuhipo.exe

"C:\Users\Admin\AppData\Local\Temp\fuhipo.exe" OK

C:\Users\Admin\AppData\Local\Temp\mezop.exe

"C:\Users\Admin\AppData\Local\Temp\mezop.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 36

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

\Users\Admin\AppData\Local\Temp\viofi.exe
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
C:\Users\Admin\AppData\Local\Temp\fuhipo.exe
\Users\Admin\AppData\Local\Temp\mezop.exe
C:\Users\Admin\AppData\Local\Temp\mezop.exe

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-11 00:07
Reported 2024-03-11 00:09
Platform win10v2004-20231215-en
Max time kernel 128s
Max time network 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\reuzu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\qozeso.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\reuzu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qozeso.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\abjas.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2280 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe C:\Users\Admin\AppData\Local\Temp\reuzu.exe
PID 2280 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe C:\Windows\SysWOW64\cmd.exe
PID 2412 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\reuzu.exe C:\Users\Admin\AppData\Local\Temp\qozeso.exe
PID 3548 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\qozeso.exe C:\Users\Admin\AppData\Local\Temp\abjas.exe
PID 3548 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\qozeso.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe

"C:\Users\Admin\AppData\Local\Temp\b8215c556f38aa804e5cf0797e2a44cfe40044655c7813eaa8b2a9b284bbe263.exe"

C:\Users\Admin\AppData\Local\Temp\reuzu.exe

"C:\Users\Admin\AppData\Local\Temp\reuzu.exe" hi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\qozeso.exe

"C:\Users\Admin\AppData\Local\Temp\qozeso.exe" OK

C:\Users\Admin\AppData\Local\Temp\abjas.exe

"C:\Users\Admin\AppData\Local\Temp\abjas.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4388 -ip 4388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 220

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\reuzu.exe
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
C:\Users\Admin\AppData\Local\Temp\qozeso.exe
C:\Users\Admin\AppData\Local\Temp\abjas.exe