Malware Analysis Report

2025-03-15 05:44

Sample ID 240509-yxeehscb7y
Target e765e15bb05ed0adf2b432251fee3030_NeikiAnalytics
SHA256 2d06ef21537cf815c59e955c0cf1a4682f0548eb06ea038da014db536adb9f67
Tags
urelas aspackv2 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d06ef21537cf815c59e955c0cf1a4682f0548eb06ea038da014db536adb9f67

Threat Level: Known bad

The file e765e15bb05ed0adf2b432251fee3030_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 trojan

Urelas

Executes dropped EXE

Loads dropped DLL

Deletes itself

Checks computer location settings

ASPack v2.12-2.42

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 20:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 20:09

Reported

2024-05-09 20:12

Platform

win7-20240215-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e765e15bb05ed0adf2b432251fee3030_NeikiAnalytics.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xionk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afdyg.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\afdyg.exe N/A (54 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e765e15bb05ed0adf2b432251fee3030_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\xionk.exe (4 identical entries)
PID 2700 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\e765e15bb05ed0adf2b432251fee3030_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2968 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\xionk.exe C:\Users\Admin\AppData\Local\Temp\afdyg.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\e765e15bb05ed0adf2b432251fee3030_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e765e15bb05ed0adf2b432251fee3030_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\xionk.exe

"C:\Users\Admin\AppData\Local\Temp\xionk.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\afdyg.exe

"C:\Users\Admin\AppData\Local\Temp\afdyg.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2700-0-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2700-1-0x0000000000020000-0x0000000000022000-memory.dmp

\Users\Admin\AppData\Local\Temp\xionk.exe

MD5 10aad0730a6fcc626a3981ba57cb82d6
SHA1 c8ae0caf1e4737cdc3fdc6900ac0c140f7ed84a3
SHA256 d359204a7d3e2c195bba1bc5f2a8f41398950a5a1270bfcd2dbb73fe57f05795
SHA512 71385dec3d58354eb989f442d7c8ac83661d37b61395de64a482b5f7cbdecde6447b5b77d52a501a35ea4b6ab6aa806ae72bfad3402a58d668754c020326786d

memory/2700-7-0x0000000002BC0000-0x0000000002C28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 e308167fb19765f1dbef4773a12e2c1e
SHA1 767bfab91dfd445ad80939133d3bd8960e186e5a
SHA256 9cdd64398f6223739c7d4a529cdc20202fb6e1bddc5e4d09ef027a113250e150
SHA512 40bfa275ee9b1f4e40286d35bcb2050ad2cca5f3bb51fd5de66f889d0e391f4e610e90f7e0410c340c1a6dc908ad66e5fe2b4c763c68c139f7ca64a7b019c7d4

memory/2968-22-0x0000000000020000-0x0000000000022000-memory.dmp

memory/2968-21-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2700-23-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 6da03bf39bcf22a05e0020f2532b3ac9
SHA1 7460c69fb541010e50527a1bd83d5dd47bfb331c
SHA256 c31ba7210d05d39ab7e53ca1ffbc3343da5e6324e7dad622452b2434e36a5bfa
SHA512 2ed916a90835aa0c4fbba5cef2b218a36abde08a5ff5761df9a78189bf97f24528ab84eb2dc8b62d17b4aa87b444dfea438b461fe0807b6e63428a99e3660772

memory/2968-26-0x0000000000400000-0x0000000000468000-memory.dmp

\Users\Admin\AppData\Local\Temp\afdyg.exe

MD5 bae49d8a7cc074af97aaa6e15e1103b4
SHA1 d521af8883a65f9cd795db27d00c4a0b47639fb0
SHA256 f139f28e10ca22d24867ad0893b5f6b2cb300f09fc93a4785a476bbc3ade516d
SHA512 8c4330213b8b09f44be7bcc5b9bbf374eade367e14f312e8deb36051f84d73d5a79bceb91c31e36664b0d672abd04a7760a3179409c53d3c4dad45dfeea94d2d

memory/2968-39-0x0000000003D70000-0x0000000003E12000-memory.dmp

memory/2968-42-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1760-47-0x0000000001190000-0x0000000001232000-memory.dmp

memory/1760-45-0x0000000001190000-0x0000000001232000-memory.dmp

memory/1760-44-0x0000000001190000-0x0000000001232000-memory.dmp

memory/1760-46-0x0000000001190000-0x0000000001232000-memory.dmp

memory/1760-49-0x0000000001190000-0x0000000001232000-memory.dmp

memory/1760-50-0x0000000001190000-0x0000000001232000-memory.dmp

memory/1760-51-0x0000000001190000-0x0000000001232000-memory.dmp

memory/1760-52-0x0000000001190000-0x0000000001232000-memory.dmp

memory/1760-53-0x0000000001190000-0x0000000001232000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 20:09

Reported

2024-05-09 20:12

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e765e15bb05ed0adf2b432251fee3030_NeikiAnalytics.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e765e15bb05ed0adf2b432251fee3030_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ibtye.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ibtye.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\puoxc.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\puoxc.exe N/A (64 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\e765e15bb05ed0adf2b432251fee3030_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e765e15bb05ed0adf2b432251fee3030_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\ibtye.exe

"C:\Users\Admin\AppData\Local\Temp\ibtye.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\puoxc.exe

"C:\Users\Admin\AppData\Local\Temp\puoxc.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

memory/3068-0-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3068-1-0x00000000001D0000-0x00000000001D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ibtye.exe

MD5 76e3c360bcd94dc8268c82f7fadc886f
SHA1 c144d4ff7e7cefe132aadcff19b1ce2f77a0ed95
SHA256 f9151f89402489190598824456582808da08689c9eb90db2f224b6e02ae5479e
SHA512 6487f720a94ea1713fcc0f1260bea3025e8450aa639c6f167d8eccd30f7ba254cc64c0c1ddfbe25dd533fdf092d433067f02f016a65b5528057bb056ebb0856a

memory/3540-14-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/3540-13-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3068-17-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 e308167fb19765f1dbef4773a12e2c1e
SHA1 767bfab91dfd445ad80939133d3bd8960e186e5a
SHA256 9cdd64398f6223739c7d4a529cdc20202fb6e1bddc5e4d09ef027a113250e150
SHA512 40bfa275ee9b1f4e40286d35bcb2050ad2cca5f3bb51fd5de66f889d0e391f4e610e90f7e0410c340c1a6dc908ad66e5fe2b4c763c68c139f7ca64a7b019c7d4

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 3a065053c91de8d61cfaf03b6ce45b40
SHA1 77623ef9c0b197dce6d4b62b292242ff403b3b0d
SHA256 5f75c8319d7feb441bda3026ce9430ee57c7a7adfa4f443f96c652f83a589f30
SHA512 c0bf4e0941dd084f3bbde0f366567a27420b07f21b8a9ca619e97f6ddc5e222de0e06f306cfe1103ce8edae7cd7a8eb946dfa9c5960fe9f70c29837fd19d26b5

memory/3540-20-0x0000000000400000-0x0000000000468000-memory.dmp

memory/3540-22-0x00000000001D0000-0x00000000001D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\puoxc.exe

MD5 6c8d69028214eec8c2046dd4781c753d
SHA1 cd07d08356e11e1293055167c394277563b3e2f8
SHA256 7919638a6a2288e0e6bc32c52899d5f6b5041c7b6e372d0ed5a67a3d40321585
SHA512 6cba18dc4890fa421761040e49140004f1ea696d78129ff6b0a94ac3b9262c775ee334c4b53301844d62ffe2970b8134ba9e60bfa01680c1c9543b8a81022c4d

memory/3540-43-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1656-42-0x0000000000750000-0x00000000007F2000-memory.dmp

memory/1656-41-0x0000000000750000-0x00000000007F2000-memory.dmp

memory/1656-40-0x0000000000750000-0x00000000007F2000-memory.dmp

memory/1656-38-0x0000000000750000-0x00000000007F2000-memory.dmp

memory/1656-45-0x0000000000750000-0x00000000007F2000-memory.dmp

memory/1656-46-0x0000000000750000-0x00000000007F2000-memory.dmp

memory/1656-47-0x0000000000750000-0x00000000007F2000-memory.dmp

memory/1656-48-0x0000000000750000-0x00000000007F2000-memory.dmp

memory/1656-49-0x0000000000750000-0x00000000007F2000-memory.dmp