Malware Analysis Report

2024-11-16 13:27

Sample ID: 240803-19c4bsxcrm
Target: d896db759d42faa76b50b3cfe0ddda60N.exe
SHA256: 06c1a6fb3c7d6a93ed81bf46768e1184aed2b859a75e0a13f9cd67d5e48324bb
Tags: urelas, discovery, trojan, upx
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 06c1a6fb3c7d6a93ed81bf46768e1184aed2b859a75e0a13f9cd67d5e48324bb
Threat Level: Known bad

The file d896db759d42faa76b50b3cfe0ddda60N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: urelas, discovery, trojan, upx

  Urelas
  Checks computer location settings
  Executes dropped EXE
  Loads dropped DLL
  UPX packed file
  Deletes itself
  Unsigned PE
  System Location Discovery: System Language Discovery
  Enumerates physical storage devices
  Suspicious use of WriteProcessMemory
  Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-03 22:20

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-03 22:20
Reported: 2024-08-03 22:22
Platform: win7-20240729-en
Max time kernel: 116s
Max time network: 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe"

Signatures

Urelas
  Tags: trojan, urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\apmit.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\humov.exe | N/A

UPX packed file
  Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery
  Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\humov.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\apmit.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3048 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Users\Admin\AppData\Local\Temp\apmit.exe
PID 3048 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Users\Admin\AppData\Local\Temp\apmit.exe
PID 3048 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Users\Admin\AppData\Local\Temp\apmit.exe
PID 3048 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Users\Admin\AppData\Local\Temp\apmit.exe
PID 3048 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Windows\SysWOW64\cmd.exe
PID 3048 wrote to memory of 2784 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\apmit.exe | C:\Users\Admin\AppData\Local\Temp\dybijy.exe
PID 2896 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\apmit.exe | C:\Users\Admin\AppData\Local\Temp\dybijy.exe
PID 2896 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\apmit.exe | C:\Users\Admin\AppData\Local\Temp\dybijy.exe
PID 2896 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\apmit.exe | C:\Users\Admin\AppData\Local\Temp\dybijy.exe
PID 2268 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | C:\Users\Admin\AppData\Local\Temp\humov.exe
PID 2268 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | C:\Users\Admin\AppData\Local\Temp\humov.exe
PID 2268 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | C:\Users\Admin\AppData\Local\Temp\humov.exe
PID 2268 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | C:\Users\Admin\AppData\Local\Temp\humov.exe
PID 2268 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2296 | N/A | C:\Users\Admin\AppData\Local\Temp\dybijy.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe
  "C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe"

C:\Users\Admin\AppData\Local\Temp\apmit.exe
  "C:\Users\Admin\AppData\Local\Temp\apmit.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\dybijy.exe
  "C:\Users\Admin\AppData\Local\Temp\dybijy.exe" OK

C:\Users\Admin\AppData\Local\Temp\humov.exe
  "C:\Users\Admin\AppData\Local\Temp\humov.exe"

C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11110 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.31.165:11110 | | tcp
JP | 133.242.129.155:11110 | | tcp

Files


C:\Users\Admin\AppData\Local\Temp\apmit.exe

MD5 1265c2d1eb71a9f2ed56bc93119b3f0c
SHA1 792cb831a293d199965cedef5fcde5c6c90bbe33
SHA256 78c734d3ba612c0583669c150a314af65a0ea69c1335b8a72d8da10167bc34a3
SHA512 ca5c8d4a1eceaed2cd1ed57cf895878c59e4023302cd353615a7c06f84dee5aa58d3ee27fba85d0c75020f6451d19df65d65fc1df500bd73edbac59bda640adb


C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 d03b3bb6afd5cff8db08058bcb9f7b12
SHA1 9ae3f12cadc0d47de590df0e751344ddf892f787
SHA256 556c4b9de8ff78f7370eecf81fe84f679e3fa445478ffd48a223a565fb1b6db5
SHA512 4e8a3e6375e86c8e6c3af6ff2517926feaa517ac9694e75a7458f531f06198a715e2503ba6e9320e298a2ce10f1bf8121e6351616dad1cc808e03e22f3ce28ae


C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 57de9813158e27de31e6b74a29777559
SHA1 2f60679225a3930cc6c8beb5eb5305a59905b759
SHA256 6db7697667cd3b682fd9c0d9d1fbc72ad06d5fd0d80da3ab53f7d0ffc8197d76
SHA512 7688dc4c631261e32f13988604b282568bc4e5281d263400bbe1d65f0f35993e7f9f7902704443fe8a79f390bd1a6c6fe35e00b04c7136fdc7b17fa8d875e2a6


\Users\Admin\AppData\Local\Temp\humov.exe

MD5 eb441a27a5c2eada4ffe0abba20e0011
SHA1 75d079e99b1b739c9c27241e06f2d1b2bb3080ec
SHA256 446c03aa5110f157d7d1feaf6fd6160e0d554cb6fb0c38da6f0755199afa4f31
SHA512 fda9a35b7d78a2ab178487474ac85feb7e0c41e40e8d5e5d3f6cc353d2e21878f560e8ea832b9f759d0c1645be03d15e4be8cda4e8920409a57280ade05902d2


C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 cab12cfacfb8e3839045ae25a622cec0
SHA1 e7185e79f0fe9d4baea26bf77d805d25fd94da53
SHA256 d5d9e717bc0a790497ea4cd9a3bb1dcd59b80ffeaeef9d88685b15a5d93fb564
SHA512 57c314afe6ab0817699962302cf4e205e550991a4e90050219354f083093bc77524669c8febfe2e645978d6d39c709b1cbd44a6072ecc91230ef3b249b1e52e4


C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a


Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-03 22:20
Reported: 2024-08-03 22:22
Platform: win10v2004-20240802-en
Max time kernel: 118s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe"

Signatures

Urelas
  Tags: trojan, urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qoimm.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qoimm.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cehil.exe | N/A

UPX packed file
  Tags: upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery
  Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qoimm.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cehil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4552 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Users\Admin\AppData\Local\Temp\qoimm.exe
PID 4552 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Users\Admin\AppData\Local\Temp\qoimm.exe
PID 4552 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Users\Admin\AppData\Local\Temp\qoimm.exe
PID 4552 wrote to memory of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 5056 | N/A | C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe | C:\Windows\SysWOW64\cmd.exe
PID 4076 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\qoimm.exe | C:\Users\Admin\AppData\Local\Temp\tytuup.exe
PID 4076 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\qoimm.exe | C:\Users\Admin\AppData\Local\Temp\tytuup.exe
PID 4076 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\qoimm.exe | C:\Users\Admin\AppData\Local\Temp\tytuup.exe
PID 3884 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | C:\Users\Admin\AppData\Local\Temp\cehil.exe
PID 3884 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | C:\Users\Admin\AppData\Local\Temp\cehil.exe
PID 3884 wrote to memory of 4900 | N/A | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | C:\Users\Admin\AppData\Local\Temp\cehil.exe
PID 3884 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\tytuup.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe
  "C:\Users\Admin\AppData\Local\Temp\d896db759d42faa76b50b3cfe0ddda60N.exe"

C:\Users\Admin\AppData\Local\Temp\qoimm.exe
  "C:\Users\Admin\AppData\Local\Temp\qoimm.exe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\tytuup.exe
  "C:\Users\Admin\AppData\Local\Temp\tytuup.exe" OK

C:\Users\Admin\AppData\Local\Temp\cehil.exe
  "C:\Users\Admin\AppData\Local\Temp\cehil.exe"

C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
KR | 218.54.31.226:11110 | | tcp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
KR | 218.54.31.165:11110 | | tcp
JP | 133.242.129.155:11110 | | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files


C:\Users\Admin\AppData\Local\Temp\qoimm.exe

MD5 506c2702dc1ac11e937a2f4d7f37cdf4
SHA1 c8007884da282d5cab84f76bd48b6ecf460d127a
SHA256 841e3f64423b6facf1f93c25ab5733946d64db97b65a6b0de396ab1409fa6e9e
SHA512 38f16e239bcf05deb8a1aa854d2c47551d5c25267850714c16cde20fae2cc06642c0c14f871c258b0c1ee6f95a394acaf473d5c2f95615fe1b6bc169f0b0c16f


C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 d03b3bb6afd5cff8db08058bcb9f7b12
SHA1 9ae3f12cadc0d47de590df0e751344ddf892f787
SHA256 556c4b9de8ff78f7370eecf81fe84f679e3fa445478ffd48a223a565fb1b6db5
SHA512 4e8a3e6375e86c8e6c3af6ff2517926feaa517ac9694e75a7458f531f06198a715e2503ba6e9320e298a2ce10f1bf8121e6351616dad1cc808e03e22f3ce28ae


C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 d2d605486f31f3c0b15d8a0246f3268c
SHA1 d9f41e8aa1562cccc38aa217afd8510feb5d5dfe
SHA256 5a86136245c89561ca4696bffed149c523a34a4f5771e829537941d6b2fec89c
SHA512 c3fc741cb650d77a0e3b862caedc197a68d5089fb07891bd566bbed8202c4002a42445341e8a91effb415936fe65e9953f091f2dd1fe57ef71dbd5412240fcc0


C:\Users\Admin\AppData\Local\Temp\cehil.exe

MD5 92c99fcaeaed30d0710bacf32b944c44
SHA1 c053db27e0aa5405eefd06777e413d81155cbbf2
SHA256 ea4652b881931aeacffb5b0f1cb47c5641ba612c975955b7d4a417fc3f80107a
SHA512 7cf7fcad3cc863172402c2dd0dc22903b735bd75bd6266b8025b245d18a568bb40609e1442817baa7d92b23261219857866be02e62de6b12ad5984c2d812737a


C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 0c7f6a541413da07522c44e54b36957d
SHA1 0b123c6ec500ca81d420282ec44af7bbf60e51db
SHA256 4301d6047521bb1fda702ea17353d468862ab250756faca1db0c3236e8343584
SHA512 a7da0f6c81b3bb04ecf3aeadf1c2b2aeae14c856ffcba9a790a965167349d06c83e160cd45b81e4e13ee98c40deb0bd0377ba89c683717432cd796092d9dd1c9

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a
