Malware Analysis Report

2025-08-11 00:31

Sample ID 240311-e2y5yacc6t
Target bfd7a02cc1d28ca7231b333c14ff280f
SHA256 4dbc1a06048161314d5e154fffeaa5a9ea12615931fb72848860cfffbcd46931
Tags
urelas trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4dbc1a06048161314d5e154fffeaa5a9ea12615931fb72848860cfffbcd46931

Threat Level: Known bad

The file bfd7a02cc1d28ca7231b333c14ff280f was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 04:26

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 04:26

Reported

2024-03-11 04:29

Platform

win7-20240221-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\othou.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\buipj.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\othou.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\buipj.exe N/A (53 identical entries in the original report)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe C:\Users\Admin\AppData\Local\Temp\othou.exe (4 identical entries)
PID 2884 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 3044 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\othou.exe C:\Users\Admin\AppData\Local\Temp\buipj.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe

"C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe"

C:\Users\Admin\AppData\Local\Temp\othou.exe

"C:\Users\Admin\AppData\Local\Temp\othou.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\buipj.exe

"C:\Users\Admin\AppData\Local\Temp\buipj.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 N/A tcp
KR 1.234.83.146:11170 N/A tcp
KR 218.54.31.165:11110 N/A tcp
JP 133.242.129.155:11110 N/A tcp

Files

memory/2884-0-0x0000000000400000-0x000000000048C000-memory.dmp

\Users\Admin\AppData\Local\Temp\othou.exe

MD5 06237f49309c960004134f10e9211ad9
SHA1 5f5844d9e2b2a1c2b88234f9d3e8a5d22f16508c
SHA256 a364c2c62d9cf62fc980c5942f8258da966078ec1d13587dc3525969f97b4ee6
SHA512 6decaf8da3eaa76c0f1ee4e41a20c116821e1afa6d084872cf5e3aa09d43994d9cb414dbc25a2722133b95884da8337cad65c535c33e8f9d0e371e287c9a329a

memory/2884-6-0x0000000002850000-0x00000000028DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 ae99bd0254865d7d31687d314d7480b1
SHA1 24fdb3bfd75e25f9175b3ae77166510f1f24251e
SHA256 a7e256c5b1d05918094d474c94f1609757d8f8af337d33d58c138b423c5329a5
SHA512 abd79e561435c12372c9110a69470a33720aade8ddec84a61ac73e8e33ea4af87d7513d5ab4fba68d8bbe556126c6db00f920eb9d9b412866c348d0387dafddb

memory/2884-17-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 c9750273d031537214893f90406959f3
SHA1 19c8ce78fd837a5de07281ab48281d31d61ca4a4
SHA256 2ab7427f876610bda2816e58b090470e9cd6416cad3d8615230ad819c8d035f2
SHA512 e73ea19480856e41014fbf9c83fbd0515f3696ce4f0d6cb9a2a7e9d962a1317ef8e814daf09cd0996574aef413cf2ed41c44e5857b10e82e880c0a4f69e713e9

memory/1916-27-0x00000000013E0000-0x0000000001483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\buipj.exe

MD5 28d9a08c4733dc86d241d350b5995efa
SHA1 fd2dd82da6a6c124ba962f784c7be911aefc23e7
SHA256 baecd36cd86207dd19335eef736dcec44757e5d3e87ef5540891654a7425e2e4
SHA512 7b799af75a11607e23b05c480eb64c8389aef295b1c8088703da7f6d1728715bdcbe84d783c51c329689a7b338fdc5f12299110c316415829e4748ddc4131ef5

memory/3044-25-0x0000000000400000-0x000000000048C000-memory.dmp

memory/1916-28-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1916-30-0x00000000013E0000-0x0000000001483000-memory.dmp

memory/1916-31-0x00000000013E0000-0x0000000001483000-memory.dmp

memory/1916-32-0x00000000013E0000-0x0000000001483000-memory.dmp

memory/1916-33-0x00000000013E0000-0x0000000001483000-memory.dmp

memory/1916-34-0x00000000013E0000-0x0000000001483000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 04:26

Reported

2024-03-11 04:29

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\genua.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\genua.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hojaj.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hojaj.exe N/A (64 identical entries in the original report)

Processes

C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe

"C:\Users\Admin\AppData\Local\Temp\bfd7a02cc1d28ca7231b333c14ff280f.exe"

C:\Users\Admin\AppData\Local\Temp\genua.exe

"C:\Users\Admin\AppData\Local\Temp\genua.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\hojaj.exe

"C:\Users\Admin\AppData\Local\Temp\hojaj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
KR 218.54.31.226:11110 N/A tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
KR 1.234.83.146:11170 N/A tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
KR 218.54.31.165:11110 N/A tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
JP 133.242.129.155:11110 N/A tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (3 identical entries)
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

memory/1700-0-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\genua.exe

MD5 8e61c212f0d171f36279065e0a01c8f0
SHA1 3480b9776bea1faac49765db82cf4a7622f35962
SHA256 3db6b5be93cdae64a97b9fc0f2f26a688c100477614ed253743ea9627c7dfe58
SHA512 67ea8c484c3b3620e95d345f94a542391fb3e95ce0ff89da9ec813f55f1179d34245a61ef592d618a33e1ab18591e455b3413bca79e73810610b691709036082

memory/1700-13-0x0000000000400000-0x000000000048C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 ae99bd0254865d7d31687d314d7480b1
SHA1 24fdb3bfd75e25f9175b3ae77166510f1f24251e
SHA256 a7e256c5b1d05918094d474c94f1609757d8f8af337d33d58c138b423c5329a5
SHA512 abd79e561435c12372c9110a69470a33720aade8ddec84a61ac73e8e33ea4af87d7513d5ab4fba68d8bbe556126c6db00f920eb9d9b412866c348d0387dafddb

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 80a372c5118589b5327aa4194d1d260a
SHA1 0701af1214aa849eb923ea1dd81e1497de503c45
SHA256 5437a6ad8b309e29502c93dc25a66deebf403e226526a47240c77860daea052a
SHA512 c65adde32b411a4cba8b275fc2b9fd16ed277ae9d51820d0cc5eb7906b4f24bd979a4ce8f2b44a8eeed87150b23515eb7c5523682ad7335d7fbccabcfbf83040

C:\Users\Admin\AppData\Local\Temp\hojaj.exe

MD5 eb77b7db4c4bf2a218a496dccee8e7bb
SHA1 6ea82ce25aa96cb9989edede28ea3730350f2ee4
SHA256 4a0b7e940841e008320f0dfecba76d22e033339af78562d16c02ed2ce2eda2a2
SHA512 870a068811ea728d63410d06aea4a13b87231c946601c788cb806bada33456a701ea42a32d8aeb81289c3fdf74918b9ba963983419951cf8c795f3c732f8dcd8

memory/2748-25-0x00000000028E0000-0x00000000028E1000-memory.dmp

memory/4144-26-0x0000000000400000-0x000000000048C000-memory.dmp

memory/2748-24-0x00000000003A0000-0x0000000000443000-memory.dmp

memory/2748-28-0x00000000003A0000-0x0000000000443000-memory.dmp

memory/2748-29-0x00000000003A0000-0x0000000000443000-memory.dmp

memory/2748-30-0x00000000003A0000-0x0000000000443000-memory.dmp

memory/2748-31-0x00000000003A0000-0x0000000000443000-memory.dmp

memory/2748-32-0x00000000003A0000-0x0000000000443000-memory.dmp