Malware Analysis Report

2024-11-16 13:27

Sample ID 240727-175qkavbre
Target 0be85afca6aaa8cdaae0f26a4a2fc380N.exe
SHA256 8718c0f1b157df2752a6062e070b0a51fabb42d6e1c2e6bc1fea01904d6970c7
Tags
urelas discovery trojan upx
Score
10/10


Analysis Overview

Score
10/10

SHA256

8718c0f1b157df2752a6062e070b0a51fabb42d6e1c2e6bc1fea01904d6970c7

Threat Level: Known bad

The file 0be85afca6aaa8cdaae0f26a4a2fc380N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Loads dropped DLL

UPX packed file

Checks computer location settings

Deletes itself

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-07-27 22:18

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 22:18

Reported

2024-07-27 22:26

Platform

win7-20240704-en

Max time kernel

116s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mosuv.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\civog.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mosuv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\civog.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1772 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Users\Admin\AppData\Local\Temp\mosuv.exe
PID 1772 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Users\Admin\AppData\Local\Temp\mosuv.exe
PID 1772 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Users\Admin\AppData\Local\Temp\mosuv.exe
PID 1772 wrote to memory of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Users\Admin\AppData\Local\Temp\mosuv.exe
PID 1772 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1772 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\mosuv.exe | C:\Users\Admin\AppData\Local\Temp\qienpi.exe
PID 2160 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\mosuv.exe | C:\Users\Admin\AppData\Local\Temp\qienpi.exe
PID 2160 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\mosuv.exe | C:\Users\Admin\AppData\Local\Temp\qienpi.exe
PID 2160 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\mosuv.exe | C:\Users\Admin\AppData\Local\Temp\qienpi.exe
PID 2608 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | C:\Users\Admin\AppData\Local\Temp\civog.exe
PID 2608 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | C:\Users\Admin\AppData\Local\Temp\civog.exe
PID 2608 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | C:\Users\Admin\AppData\Local\Temp\civog.exe
PID 2608 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | C:\Users\Admin\AppData\Local\Temp\civog.exe
PID 2608 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\qienpi.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe

"C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe"

C:\Users\Admin\AppData\Local\Temp\mosuv.exe

"C:\Users\Admin\AppData\Local\Temp\mosuv.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\qienpi.exe

"C:\Users\Admin\AppData\Local\Temp\qienpi.exe" OK

C:\Users\Admin\AppData\Local\Temp\civog.exe

"C:\Users\Admin\AppData\Local\Temp\civog.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11110 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.31.165:11110 | | tcp
JP | 133.242.129.155:11110 | | tcp

Files

memory/1772-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1772-37-0x0000000000526000-0x000000000087A000-memory.dmp

memory/1772-35-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1772-33-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1772-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1772-30-0x0000000000280000-0x0000000000281000-memory.dmp

memory/1772-28-0x0000000000280000-0x0000000000281000-memory.dmp

memory/1772-25-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1772-23-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1772-20-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1772-18-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1772-15-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1772-13-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1772-11-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1772-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1772-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1772-6-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1772-5-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1772-3-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1772-1-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1772-43-0x0000000000400000-0x0000000000EEC000-memory.dmp

\Users\Admin\AppData\Local\Temp\mosuv.exe

MD5 b9048a18f5934eb7ad9fcf4bc3846ad3
SHA1 9a7f7a4d10ef957dbdc638a3a7b60e95df5ba6f6
SHA256 25592762f6078878786ddedb40ae2d21f141bf38cc66e2322102e060be410937
SHA512 e72a225386b91358490ab1d065166733d0d64cf56736c3a8cac7c39dfa6e802379fd4c655d6dcfb8bfb7887484b79e94234c9b7cca0de035af7574fe1f76cef6

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 89d1175ccc22de444733c8b8c183b51f
SHA1 60de7c4bb5f8029c7b92d0c27a3003b500210993
SHA256 143add2de2b3d039a8f69bcc322d7e77035526aa2dd129dec469889f8d31ddc5
SHA512 556fb939865bfa503dff724c591d9d545f8301ce4a7802058554fa1eec33547c961490decec6e67eba71f545e85887109a63eb763586e8343ed3ef92a6f341f3

memory/1772-61-0x00000000042E0000-0x0000000004DCC000-memory.dmp

memory/1772-60-0x00000000042E0000-0x0000000004DCC000-memory.dmp

memory/1772-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1772-63-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 9ee54eba1649954268d1f3f37c274921
SHA1 cbb481c73a79a81b116e67d7aa275dfdf829a875
SHA256 48982c78e545c80f0e989d647a878d63ecc856e5dfbafd08ed7414cd86023bc2
SHA512 a17565f9f074095b623c6c1155ad34b7bbf9f48a3982d6a11755b1a7fb1993256039eaaa3da8982c6edbc1f2528854de929359632afdffd6bc3297f4436cd8b1

memory/2160-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2160-111-0x00000000042F0000-0x0000000004DDC000-memory.dmp

\Users\Admin\AppData\Local\Temp\civog.exe

MD5 2f6bdd8a9cc01c26e21b8710f5214acf
SHA1 a2ae41268ee73e972929ced6f210e50ee281288e
SHA256 127233514d41cbdd22b1c0edf3e822edebadc7b02a0321661530f13064faf9c2
SHA512 ed9f258e4dbfa3d91b466338c4acf1ca3e4236cb45109d5747a6819c72493644c015390d95e5a4fa860c3bb5b68f9cc74060b64085d2e5d32dd1ab8133174892

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 c746a45a01e7ec649f583035a7e479a0
SHA1 9bd498d4f5f25fcbf7ead3240e85715aa309dfcd
SHA256 000c087007c31a7ead7d2b1b163d6312a19cfbd1a999d86a3f0f55898aea586b
SHA512 ecf6f0700fdd2229f983bb9829073f8ff18abd88442df4b5f5e07f82c028a80b2812b930d4dc830ec01153db7a34bcc661e9e05453a2514b9c100fcb82f6add6

memory/1316-168-0x0000000000400000-0x0000000000599000-memory.dmp

memory/2608-169-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2608-159-0x00000000046A0000-0x0000000004839000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/1316-174-0x0000000000400000-0x0000000000599000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-27 22:18

Reported

2024-07-27 22:27

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\evysz.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\evysz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\utpuj.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\evysz.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\utpuj.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1112 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Users\Admin\AppData\Local\Temp\evysz.exe
PID 1112 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Users\Admin\AppData\Local\Temp\evysz.exe
PID 1112 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Users\Admin\AppData\Local\Temp\evysz.exe
PID 1112 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1112 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1112 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\evysz.exe | C:\Users\Admin\AppData\Local\Temp\irgezy.exe
PID 1292 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\evysz.exe | C:\Users\Admin\AppData\Local\Temp\irgezy.exe
PID 1292 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\evysz.exe | C:\Users\Admin\AppData\Local\Temp\irgezy.exe
PID 1164 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | C:\Users\Admin\AppData\Local\Temp\utpuj.exe
PID 1164 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | C:\Users\Admin\AppData\Local\Temp\utpuj.exe
PID 1164 wrote to memory of 2528 | N/A | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | C:\Users\Admin\AppData\Local\Temp\utpuj.exe
PID 1164 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\irgezy.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe

"C:\Users\Admin\AppData\Local\Temp\0be85afca6aaa8cdaae0f26a4a2fc380N.exe"

C:\Users\Admin\AppData\Local\Temp\evysz.exe

"C:\Users\Admin\AppData\Local\Temp\evysz.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\irgezy.exe

"C:\Users\Admin\AppData\Local\Temp\irgezy.exe" OK

C:\Users\Admin\AppData\Local\Temp\utpuj.exe

"C:\Users\Admin\AppData\Local\Temp\utpuj.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
KR | 218.54.31.226:11110 | | tcp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
KR | 218.54.31.165:11110 | | tcp
JP | 133.242.129.155:11110 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/1112-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1112-2-0x0000000000526000-0x000000000087A000-memory.dmp

memory/1112-8-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/1112-7-0x0000000002C70000-0x0000000002C71000-memory.dmp

memory/1112-6-0x0000000002C60000-0x0000000002C61000-memory.dmp

memory/1112-5-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/1112-4-0x0000000001070000-0x0000000001071000-memory.dmp

memory/1112-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1112-3-0x0000000001060000-0x0000000001061000-memory.dmp

memory/1112-1-0x0000000001050000-0x0000000001051000-memory.dmp

memory/1112-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\evysz.exe

MD5 c49071bb0d92505f7b82e682d9e5f6d7
SHA1 3754018af72336c3a1603ed5c489b45c904233f7
SHA256 6e3a54c3e35285577f168e2aa2c1eb4b8caae6d6b981f680113ccb51109e3420
SHA512 dd76cf0a6d4edda9a49db59f73bc210d5bc0e64e0b1330ad79a887c1ece19e485eded60e2707f7987cfe0da229047dfeb6d22952011d56494f16e47e2265c563

memory/1292-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1112-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1112-27-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 89d1175ccc22de444733c8b8c183b51f
SHA1 60de7c4bb5f8029c7b92d0c27a3003b500210993
SHA256 143add2de2b3d039a8f69bcc322d7e77035526aa2dd129dec469889f8d31ddc5
SHA512 556fb939865bfa503dff724c591d9d545f8301ce4a7802058554fa1eec33547c961490decec6e67eba71f545e85887109a63eb763586e8343ed3ef92a6f341f3

memory/1292-35-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/1292-34-0x0000000002B70000-0x0000000002B71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 1715d782fd22e1e249d1dc84a38068f1
SHA1 62b659e6de863e395e75bd6dec46f75a49ee90d6
SHA256 a7b62918649a0140c7bb388d3677c0ced1455ff7401c1ebf4ba685a0bce7beaa
SHA512 32e720d644acd7618976fa9cdc588b39af48f751cca36fb834be8121250bba6cba7f38eaa04915f1124034e3d41dfe91d78e1c700707403c42a687060e23ab75

memory/1292-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1292-33-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/1292-32-0x0000000002B50000-0x0000000002B51000-memory.dmp

memory/1292-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1292-31-0x0000000000F70000-0x0000000000F71000-memory.dmp

memory/1292-30-0x0000000000F10000-0x0000000000F11000-memory.dmp

memory/1292-29-0x0000000000F00000-0x0000000000F01000-memory.dmp

memory/1164-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1292-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1164-56-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/1164-55-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/1164-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1164-54-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/1164-53-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/1164-52-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/1164-51-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/1164-50-0x0000000000F10000-0x0000000000F11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\utpuj.exe

MD5 260d07179168706353b4c6679b728af5
SHA1 ddc017d61c959e4697f784b07f2fcc7bcfa7095b
SHA256 4de81441c86e3e7243853af58205d5b04d1cff6152b00e431a98f34cbb5fb2f4
SHA512 99b98dd757dd0c91c6b64ee8007dce6d92207611bb44677f0942b15a73c655cbcb6c328252d24090ad1cf1bc3c78501d75cccd15f0a0e123bf8b6cd20a153dc8

memory/2528-71-0x0000000000400000-0x0000000000599000-memory.dmp

memory/1164-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 a05f4f76ee04c374111e12e296fa87b5
SHA1 c6deba5f430f32a0812f548d95556fa280b3c3dd
SHA256 33ba234ae1cd905e6663e8f1bfc8d41c043a3557ef3b42310481205d62bc9bb1
SHA512 7cbab0aa0fa0ec296581adb7fc161772ee9bf068f177abcc2441111ca9d83fb9b40b6c42cdf243fb843fccf27b99e7d65eb51af8ce799827b0a835c4efa64ace

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/2528-75-0x0000000000400000-0x0000000000599000-memory.dmp