Malware Analysis Report

2024-11-16 13:27

Sample ID 240727-ed27pavhrn
Target 8c998e707315ec9b559a8cb61a188090N.exe
SHA256 751a1bfb73fc05bb9915827c69ea6febf9a9b9a9e73046098c5be031b6587912
Tags
urelas discovery trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

751a1bfb73fc05bb9915827c69ea6febf9a9b9a9e73046098c5be031b6587912

Threat Level: Known bad

The file 8c998e707315ec9b559a8cb61a188090N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-27 03:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-27 03:50

Reported

2024-07-27 05:29

Platform

win7-20240704-en

Max time kernel

119s

Max time network

90s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gujyf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xisiif.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bynii.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gujyf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xisiif.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bynii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Users\Admin\AppData\Local\Temp\gujyf.exe
PID 2732 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Users\Admin\AppData\Local\Temp\gujyf.exe
PID 2732 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Users\Admin\AppData\Local\Temp\gujyf.exe
PID 2732 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Users\Admin\AppData\Local\Temp\gujyf.exe
PID 2732 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Windows\SysWOW64\cmd.exe
PID 2732 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Windows\SysWOW64\cmd.exe
PID 2584 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\gujyf.exe C:\Users\Admin\AppData\Local\Temp\xisiif.exe
PID 2584 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\gujyf.exe C:\Users\Admin\AppData\Local\Temp\xisiif.exe
PID 2584 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\gujyf.exe C:\Users\Admin\AppData\Local\Temp\xisiif.exe
PID 2584 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\gujyf.exe C:\Users\Admin\AppData\Local\Temp\xisiif.exe
PID 452 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\xisiif.exe C:\Users\Admin\AppData\Local\Temp\bynii.exe
PID 452 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\xisiif.exe C:\Users\Admin\AppData\Local\Temp\bynii.exe
PID 452 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\xisiif.exe C:\Users\Admin\AppData\Local\Temp\bynii.exe
PID 452 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\xisiif.exe C:\Users\Admin\AppData\Local\Temp\bynii.exe
PID 452 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\xisiif.exe C:\Windows\SysWOW64\cmd.exe
PID 452 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\xisiif.exe C:\Windows\SysWOW64\cmd.exe
PID 452 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\xisiif.exe C:\Windows\SysWOW64\cmd.exe
PID 452 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\xisiif.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe

"C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe"

C:\Users\Admin\AppData\Local\Temp\gujyf.exe

"C:\Users\Admin\AppData\Local\Temp\gujyf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\xisiif.exe

"C:\Users\Admin\AppData\Local\Temp\xisiif.exe" OK

C:\Users\Admin\AppData\Local\Temp\bynii.exe

"C:\Users\Admin\AppData\Local\Temp\bynii.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2732-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2732-14-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2732-12-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2732-11-0x0000000000526000-0x000000000087A000-memory.dmp

memory/2732-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2732-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2732-6-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2732-5-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2732-3-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2732-1-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2732-36-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2732-34-0x00000000002D0000-0x00000000002D1000-memory.dmp

memory/2732-31-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2732-29-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2732-26-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2732-24-0x00000000002B0000-0x00000000002B1000-memory.dmp

memory/2732-21-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2732-19-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2732-16-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2732-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2732-43-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2732-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

\Users\Admin\AppData\Local\Temp\gujyf.exe

MD5 ecae46589a5c273c23ded35c46dae687
SHA1 fcf15ce57874dc7791283608841c9e592ca23818
SHA256 da1a8613cf68fc0241b14ca5f795e252489fb74c490dc7f4d2a73fea0d49db20
SHA512 de8a26659b06805c34bd123dac6179fab6e59efa1be355b5130be94248cb0fa866b2ad7d3bd72f6d6cc0e28113532dd9c39153f2eddb12d589e503be16dcd1cf

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 c00dbd601b4f93ffc7f0050d209906c4
SHA1 6bcffea011e9bc0f58f945b4df44ad3a5e23a7f4
SHA256 371790975c164b3a2059ac1da9a3ff4e2d5edb9f22409b786d5acd4caec43cae
SHA512 c757396fa72262e1d7ca906de8dedd9446e6cb3cfc22abd0947423fbf0f7dad6ee296cfab344d11afc54fbbf0380f7d87eb1d936c1b413771bdd3e6f66b54059

memory/2732-54-0x0000000003820000-0x000000000430C000-memory.dmp

memory/2732-52-0x0000000003820000-0x000000000430C000-memory.dmp

memory/2732-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2732-94-0x0000000000526000-0x000000000087A000-memory.dmp

memory/2584-88-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2584-86-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2584-83-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2584-81-0x0000000000260000-0x0000000000261000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 581bd5273f17f124e1ade1764ed854bc
SHA1 2ba926b3b8a3ee1d3ada189b608b3a0e97949265
SHA256 19072ad4fd29862d1fb1b1890374023f6e347ff28a72c1beffdcaac4f34f5860
SHA512 2dd4bdbaf15b9468922e2fc6ac06c27ca71b25ab08089071df040afd612b320c59f539e87f5ae81463e7eb4946208a90bbb6a9a3fe747438c909a4648cd5135a

memory/2584-103-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2584-114-0x0000000003C80000-0x000000000476C000-memory.dmp

memory/2584-116-0x0000000000400000-0x0000000000EEC000-memory.dmp

\Users\Admin\AppData\Local\Temp\bynii.exe

MD5 15c806cb8bc43724b6253363d96d74f5
SHA1 f3c66c83bfe6d65faf7966fe349413a20fbd96ba
SHA256 efe0b6e41d638472ded5158bcf132438aaa86abcfdf43a326263d5655565218e
SHA512 6ad3e682a74ef94fd7ff8f4b9db4cedd798095f725cd14a58dd92a955f53504534ca243eda34b8a48ee741d28274146d059f0599034c190589a4c1a41167fc64

memory/452-161-0x00000000041B0000-0x0000000004349000-memory.dmp

memory/556-163-0x0000000000400000-0x0000000000599000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 bed9430cdb2ea12464bd91b7285b1544
SHA1 9212215cc411c72612cab24411e1fbd8ce6787ad
SHA256 2abc4fbf370d5ff40382fcf986d7589799c807839d91b77ab40859a1b78b8d3f
SHA512 5877b392002abd199a7d40b7f28c0b04d840423b64dc9063ff5f64dbed5d73f6683239daaef6575513d3867b597bb1ece3df69766604036489f9f45d57ba3f37

memory/452-171-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/556-176-0x0000000000400000-0x0000000000599000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-27 03:50

Reported

2024-07-27 05:29

Platform

win10v2004-20240709-en

Max time kernel

119s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\joepy.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rukery.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\joepy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rukery.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zymav.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\joepy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rukery.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zymav.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3556 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Users\Admin\AppData\Local\Temp\joepy.exe
PID 3556 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Users\Admin\AppData\Local\Temp\joepy.exe
PID 3556 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Users\Admin\AppData\Local\Temp\joepy.exe
PID 3556 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Windows\SysWOW64\cmd.exe
PID 3556 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Windows\SysWOW64\cmd.exe
PID 3556 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\joepy.exe C:\Users\Admin\AppData\Local\Temp\rukery.exe
PID 5016 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\joepy.exe C:\Users\Admin\AppData\Local\Temp\rukery.exe
PID 5016 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\joepy.exe C:\Users\Admin\AppData\Local\Temp\rukery.exe
PID 3044 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\rukery.exe C:\Users\Admin\AppData\Local\Temp\zymav.exe
PID 3044 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\rukery.exe C:\Users\Admin\AppData\Local\Temp\zymav.exe
PID 3044 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\rukery.exe C:\Users\Admin\AppData\Local\Temp\zymav.exe
PID 3044 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\rukery.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\rukery.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\rukery.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe

"C:\Users\Admin\AppData\Local\Temp\8c998e707315ec9b559a8cb61a188090N.exe"

C:\Users\Admin\AppData\Local\Temp\joepy.exe

"C:\Users\Admin\AppData\Local\Temp\joepy.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\rukery.exe

"C:\Users\Admin\AppData\Local\Temp\rukery.exe" OK

C:\Users\Admin\AppData\Local\Temp\zymav.exe

"C:\Users\Admin\AppData\Local\Temp\zymav.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/3556-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3556-3-0x00000000010C0000-0x00000000010C1000-memory.dmp

memory/3556-9-0x0000000000526000-0x000000000087A000-memory.dmp

memory/3556-7-0x0000000001120000-0x0000000001121000-memory.dmp

memory/3556-6-0x0000000001110000-0x0000000001111000-memory.dmp

memory/3556-5-0x0000000001100000-0x0000000001101000-memory.dmp

memory/3556-4-0x00000000010F0000-0x00000000010F1000-memory.dmp

memory/3556-2-0x00000000010B0000-0x00000000010B1000-memory.dmp

memory/3556-1-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/3556-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3556-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\joepy.exe

MD5 7a937eee07f35dfcaeefeb61472ca110
SHA1 0ba323999bfe9269bee87628b32cf9ccd7bc711c
SHA256 ecfb8a1545904768779d50c9038ceccad6b3a986d3c1fc755f22e47337bff9d8
SHA512 0d2232aae79b50ff036099aa1f65d2788051e5d4f72b865a5557dea2815473ff3ae583887b406514bb522d230af7589350dff60ebba77c41934bf435c60def73

memory/3556-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3556-26-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 c00dbd601b4f93ffc7f0050d209906c4
SHA1 6bcffea011e9bc0f58f945b4df44ad3a5e23a7f4
SHA256 371790975c164b3a2059ac1da9a3ff4e2d5edb9f22409b786d5acd4caec43cae
SHA512 c757396fa72262e1d7ca906de8dedd9446e6cb3cfc22abd0947423fbf0f7dad6ee296cfab344d11afc54fbbf0380f7d87eb1d936c1b413771bdd3e6f66b54059

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 433f9470cdee864f3a73653a46db9421
SHA1 d7cc4ad83bde83cfabf0eb3bfd79dff4f0a0f0b2
SHA256 f4cdc192c6611038f96628258b71ba7cdcb2a6787ff18c2f50d3b9d136de0e85
SHA512 51efb2d633529f37bbdafc1773a9ab306a67f6b8e504770e0aab1335e44713d60e7a70a758916c64170cee9354a72d11c16d0f2be2f842267618ccd597bebb49

memory/5016-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/5016-34-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/5016-33-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/5016-32-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/5016-31-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

memory/5016-30-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

memory/5016-29-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

memory/5016-28-0x0000000000F40000-0x0000000000F41000-memory.dmp

memory/5016-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3044-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/5016-47-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3044-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3044-54-0x0000000001000000-0x0000000001001000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zymav.exe

MD5 3e3abdb15e483f36c902ce2651ce88b8
SHA1 1a8fc6478c85778a155a84829fd9e36d947051a1
SHA256 6f6ce07ba7237e93def0d2f0067c0717a47c48143594f4e3ef22098b9b16fab2
SHA512 332ca8aad9eaa19958d222d29e8f0b2e95ade3f8033c37508bcdc376568bdbb02f3f67c3726e590f591b59cc31d51fb5e2289c1e5dbc07ffdd7ea1db141968a5

memory/1244-70-0x0000000000400000-0x0000000000599000-memory.dmp

memory/3044-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 abc7549465caa3417ab2e5a58f03250a
SHA1 8ae3ba55cca93c8703f45001506458ad00acae33
SHA256 e3cd6d8ae3fee7f95da822ca162c65c1219f696e5cf642e13f757b043acaee40
SHA512 3623bd4f1610be597402986c397e6b484bee2b031d5f5f0f7a8210b399d5399a921a29f0fa5309169a10c7eabfc6b9989538bb54fcce4decc06e1bf0cbb05e94

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/1244-74-0x0000000000400000-0x0000000000599000-memory.dmp