Analysis Overview
SHA256
04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252
Threat Level: Known bad
The file 04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252 was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
UPX packed file
Deletes itself
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-05 18:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 18:18
Reported
2024-08-05 18:21
Platform
win7-20240704-en
Max time kernel
150s
Max time network
100s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dubob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yjhozu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dubob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dubob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yjhozu.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dubob.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yjhozu.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dubob.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yjhozu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ujnaq.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe
"C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe"
C:\Users\Admin\AppData\Local\Temp\dubob.exe
"C:\Users\Admin\AppData\Local\Temp\dubob.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\yjhozu.exe
"C:\Users\Admin\AppData\Local\Temp\yjhozu.exe" OK
C:\Users\Admin\AppData\Local\Temp\ujnaq.exe
"C:\Users\Admin\AppData\Local\Temp\ujnaq.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\dubob.exe
| MD5 | c140363e03d4e5aba55579327a6884b6 |
| SHA1 | c8db9ea27e0aea05b744261ed5006e044d9f46ec |
| SHA256 | ffff12080ccfd2db6d684333259a4b97756c8f455a3b707dd141743682ef6036 |
| SHA512 | fbc956e0247d9ce027dc75bd3ffc0a48135458d1053dced48d4158d513b9ea77f61a265b405f9995d5b11f055e29885f31e4ad2455b374ed88e53c4a0da073c2 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 81b8503ff17729813d592d13d41da11c |
| SHA1 | fdd9995f1b0a0e73af0926cb6b2eaf4b58c4b25d |
| SHA256 | 10a2e977a7b7322c53c246a8a19f22415da9013a2dfaba591440f4a6d13782fe |
| SHA512 | e00f64a6783bb71d91dbbeffbac0e49cff64d0bb3b1e87cdc9cbac60ba4ccfdc7eaf1c5a2cb591d9d539c21d4e36369cbb2cb3771d5beba5f1b1ceb97cda4202 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | af7502ebafdd1c4d0d9cc9e8e9ee8b56 |
| SHA1 | 0d23e271d7d1f3d9557dc97e9447b5ef53a5123f |
| SHA256 | 799c489f4cc66504519b6467c9e4ad6155dcb68b9c0717c02c5fb749fb3297a2 |
| SHA512 | 1c9ee240623d983a331133299ab0e7ddb7405ad0393312dde9e1697c8ff649d33a5e6ff0e82de65d0c01f1adc18c88d7527c66e453ba3348015c6042a05347f2 |
\Users\Admin\AppData\Local\Temp\ujnaq.exe
| MD5 | 19f81d806d7800f18f5f807b34700a38 |
| SHA1 | a57e5fa45e3d164b8173f04d51d374054c092401 |
| SHA256 | 09ab12d19e3dd7061509cda57adff5bdddb5fe00baa5cf9af63c23557e803d94 |
| SHA512 | 7ed609c9d95d28cf977139111fc3faaf96527a2d1cb3f4e1cef62a8a29e696ac76fd8356778e4e622d1729046bb36b2a1187ec13e16711f738c9bb4696e229f6 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | b90b4c9a3a24dfbdc049175a2cab656c |
| SHA1 | e65a533a724c1296ee34688a845c29b561fab3cc |
| SHA256 | 16abfcb0465d19b4eff6334ddbdb5a11a65595ecaadb819dfe5019bc1b01168a |
| SHA512 | 5df1125d61523934c75ae8a33e0b154f1f18f64ef38b6c62857ab4517658586c0a4f843597cce931b197d215f217d7f537c04413f7fee69ed9ea02d55dd9eb53 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 18:18
Reported
2024-08-05 18:21
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\pahib.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kixuqi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pahib.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kixuqi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vuqoa.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kixuqi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vuqoa.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pahib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe
"C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe"
C:\Users\Admin\AppData\Local\Temp\pahib.exe
"C:\Users\Admin\AppData\Local\Temp\pahib.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\kixuqi.exe
"C:\Users\Admin\AppData\Local\Temp\kixuqi.exe" OK
C:\Users\Admin\AppData\Local\Temp\vuqoa.exe
"C:\Users\Admin\AppData\Local\Temp\vuqoa.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\pahib.exe
| MD5 | 015ca55d90cee4815240f758566fc936 |
| SHA1 | 568b091bbd99b08ae57bb9a1a2f25df72528bd25 |
| SHA256 | 8911631de71b485e391df92920d8cd51f9bd9b4cb156ab5ffb19e70ccc3ea587 |
| SHA512 | c90dc541949a692b724003d2b6301fdc8ac74ee8b6155890e79c4d43105382bd9ef6cc46a71d398af0ec44c1b9363060283716228270b78dfe1f7456bdbc1053 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 81b8503ff17729813d592d13d41da11c |
| SHA1 | fdd9995f1b0a0e73af0926cb6b2eaf4b58c4b25d |
| SHA256 | 10a2e977a7b7322c53c246a8a19f22415da9013a2dfaba591440f4a6d13782fe |
| SHA512 | e00f64a6783bb71d91dbbeffbac0e49cff64d0bb3b1e87cdc9cbac60ba4ccfdc7eaf1c5a2cb591d9d539c21d4e36369cbb2cb3771d5beba5f1b1ceb97cda4202 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e02b3c9aef3c1379231ea140c4c7da6b |
| SHA1 | 6c1cd96e8bb8f0d50e1411fd216f8df51970c8a2 |
| SHA256 | f6788beecddea9a1bd10e47f31f42f33ad268f912bd2303c092c49b11700b087 |
| SHA512 | 1783ebe0caef3972860ceed7b0e5e5956fff0ad54cb3ea078b8f9ca714334c7714e8b5f9eadaf42bb54cc3093c98c20bf6ae56298a30399efbaf3bcff5524c45 |
C:\Users\Admin\AppData\Local\Temp\vuqoa.exe
| MD5 | e374de86e54dacce731b12f76feeee31 |
| SHA1 | 31aae040d03f9a6cedd05b6c3c19801a5660409c |
| SHA256 | a58147c120e5d23b5dfa760df2bb6de0fb00130f129f26d57f7c86d15c12527b |
| SHA512 | 118648a864501721cbe892271fbbcd8266fa49f8d7973a99a524022227d20a1229a80fa8e02ef800c44f1c9035c80f94d91c4a3249af2f5080bb1affe0d75748 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 09e22da4e2a6a72a7ec70f00be95ba8b |
| SHA1 | bb40274fc9ac6162ef8a1a106bfbebf28dd24a87 |
| SHA256 | 2899006252db8c9605022794d05d53dfe656e193c3c16bdb3de3862b4d11e276 |
| SHA512 | ff0539e7eba9933a3abab8744454b4df5c37eff4e8507ba3f60c2830b824226091c5f23e23281e258f53622dd310af94c0ea0a29a22e7c9f004c0bb44b01ad49 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |