Analysis Overview
SHA256
6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3
Threat Level: Known bad
The file 6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3 was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
UPX packed file
Checks computer location settings
Deletes itself
Executes dropped EXE
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-09 22:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-09 22:41
Reported
2024-08-09 22:44
Platform
win7-20240729-en
Max time kernel
150s
Max time network
92s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giojn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xejulo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giojn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giojn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xejulo.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\giojn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xejulo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\giojn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xejulo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tusaw.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe
"C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe"
C:\Users\Admin\AppData\Local\Temp\giojn.exe
"C:\Users\Admin\AppData\Local\Temp\giojn.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\xejulo.exe
"C:\Users\Admin\AppData\Local\Temp\xejulo.exe" OK
C:\Users\Admin\AppData\Local\Temp\tusaw.exe
"C:\Users\Admin\AppData\Local\Temp\tusaw.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2244-0-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2244-36-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2244-37-0x0000000000526000-0x000000000087A000-memory.dmp
memory/2244-35-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2244-33-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2244-30-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2244-28-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2244-25-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2244-23-0x0000000000270000-0x0000000000271000-memory.dmp
memory/2244-20-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2244-18-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2244-15-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2244-13-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2244-11-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2244-10-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2244-8-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2244-6-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2244-5-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2244-3-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2244-1-0x0000000000230000-0x0000000000231000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\giojn.exe
| MD5 | 9c380a15619a5d4549ca08188c4139ee |
| SHA1 | 0256d309fb12562870ade3137ee29a284ae3347d |
| SHA256 | 3da1829a6012acd5531c2f01cad5e8166a18b394f99d127e07007a5fb90dd655 |
| SHA512 | db5e94e7174988d44458e6768689e1e81d90018deef6d2020bf0de50af5286306b218ec425a7177a79e98f9ba7921a0774da904ad92a2392aa326a8208b9957a |
memory/2244-41-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 039e362378baa40b93ba578a94a32228 |
| SHA1 | 1b13a409b3322e3c18e94c24e6114a829166a5e5 |
| SHA256 | a7d7fc1c9393629d90bb2ab25bf087c6fda29dd7c91d27a2fcdfa1d254615b45 |
| SHA512 | ba3ac3ed079df544e8edede02fb85569bd0362f8ac005c0a51f54596cb22f2370b2758f977e224d9a46fdc92544a974fd141b7f58ca4f2a93e3af421ebff963b |
memory/2244-60-0x0000000003DA0000-0x000000000488C000-memory.dmp
memory/2244-52-0x0000000003DA0000-0x000000000488C000-memory.dmp
memory/2244-61-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2244-102-0x0000000000526000-0x000000000087A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1fb93d650f42da54af68b2df300cacc9 |
| SHA1 | 649c9d38af9e9e72dda827717ab4eeafe2fc3975 |
| SHA256 | 680afc015a9e77caa0ed54d0004d8b48c31c7cee937060998ff265b52ff83bed |
| SHA512 | 1d4d7ccd627cfdbc24b8028b40a1dc7a024bd5c5d3e8a0e65cfd801191807234d442b3473714569a4d78c6d1031a58bab049afa3061bf99caf9382fc1cd6e0f3 |
memory/1896-87-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/1896-85-0x00000000003F0000-0x00000000003F1000-memory.dmp
memory/1896-82-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/1896-80-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/1896-77-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/1896-75-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/1896-72-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1896-70-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1896-67-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1896-65-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1896-112-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2776-113-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/2776-158-0x0000000004840000-0x00000000049D9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 0700a281846149940eeab87fa8c9c57c |
| SHA1 | 981a22c53d358a0e5bcf602a4c30853c9bb69f92 |
| SHA256 | 623328cbc95616c2564e761202b8d4710f142901804d63659d20c6ca9c0e0301 |
| SHA512 | fe17f908686e293f74976f945a040d0a71f3d37400a23e6e804d55c1951e2230451d1f1c91770d9d54e2f8d51ab44c5c65ef6b8d9467123dd6ed0f64b5d2f6a2 |
memory/1232-167-0x0000000000400000-0x0000000000599000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tusaw.exe
| MD5 | aa1688e9cce429f79a82c64eb06182dc |
| SHA1 | e9fc858bbee9a87d256b0d03df9ba970664ab71b |
| SHA256 | 3e63fe5abc80de7401286fda2b1860f395cb8906f916a10a0674c31d2f71a49d |
| SHA512 | daa0fcf4aef6f2e1169a12a586d162eef2a0351db4dfe35cf838cd18e5f1c20b45a2449da07cc48ce38e798dd87f6aefe2cb5e37e8d47547fb1369a8ff20c2ce |
memory/2776-168-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/1232-173-0x0000000000400000-0x0000000000599000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-09 22:41
Reported
2024-08-09 22:44
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
132s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\toavd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gomaaf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toavd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gomaaf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyijz.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gomaaf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kyijz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\toavd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe
"C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe"
C:\Users\Admin\AppData\Local\Temp\toavd.exe
"C:\Users\Admin\AppData\Local\Temp\toavd.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\gomaaf.exe
"C:\Users\Admin\AppData\Local\Temp\gomaaf.exe" OK
C:\Users\Admin\AppData\Local\Temp\kyijz.exe
"C:\Users\Admin\AppData\Local\Temp\kyijz.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3280-0-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3280-3-0x0000000002C60000-0x0000000002C61000-memory.dmp
memory/3280-6-0x0000000002CB0000-0x0000000002CB1000-memory.dmp
memory/3280-8-0x0000000002CD0000-0x0000000002CD1000-memory.dmp
memory/3280-13-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3280-7-0x0000000002CC0000-0x0000000002CC1000-memory.dmp
memory/3280-5-0x0000000002C70000-0x0000000002C71000-memory.dmp
memory/3280-9-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3280-2-0x0000000000F50000-0x0000000000F51000-memory.dmp
memory/3280-1-0x0000000000F40000-0x0000000000F41000-memory.dmp
memory/3280-4-0x0000000000526000-0x000000000087A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toavd.exe
| MD5 | c703358a4ca1ebe362981df777307d63 |
| SHA1 | afc518742d48f15332d12925f0ded89e8f22dc80 |
| SHA256 | 0d0aab82001a8440c4878484c464c4f46f391b79db11ba4693655c80c6eb2973 |
| SHA512 | cecae82b226c85af554968c23f40fa42015ae4b3b46ca0bbfb83d91443a178318d8d4e3b1632cf16756d8a732e5180a7e38977421c26928755ef4faa38651597 |
memory/3720-24-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3280-25-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3280-26-0x0000000000526000-0x000000000087A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 039e362378baa40b93ba578a94a32228 |
| SHA1 | 1b13a409b3322e3c18e94c24e6114a829166a5e5 |
| SHA256 | a7d7fc1c9393629d90bb2ab25bf087c6fda29dd7c91d27a2fcdfa1d254615b45 |
| SHA512 | ba3ac3ed079df544e8edede02fb85569bd0362f8ac005c0a51f54596cb22f2370b2758f977e224d9a46fdc92544a974fd141b7f58ca4f2a93e3af421ebff963b |
memory/3720-38-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | a6f8a77aec6df19f966a08a95e231475 |
| SHA1 | 1630f8f4e10e2bcafff094054f34ed3dda37940a |
| SHA256 | b67a28eea2cc2426591b1931d3bc3426711e07c3c7b8e75e49c92cc2f19d1284 |
| SHA512 | 070fd1c423f34a4fa00e1a0813cfc091abc27281e62c413291746adebeee87750ceda5e4213294780aa7bcefd86728c1bbc6f649a89d4d67cc5484dfc750c82e |
memory/3720-34-0x0000000002B60000-0x0000000002B61000-memory.dmp
memory/3720-33-0x0000000002B50000-0x0000000002B51000-memory.dmp
memory/3720-32-0x0000000002A30000-0x0000000002A31000-memory.dmp
memory/3720-31-0x0000000002A20000-0x0000000002A21000-memory.dmp
memory/3720-30-0x0000000001040000-0x0000000001041000-memory.dmp
memory/3720-29-0x0000000001030000-0x0000000001031000-memory.dmp
memory/3720-28-0x0000000001020000-0x0000000001021000-memory.dmp
memory/3720-39-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/3720-48-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/4576-49-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/4576-55-0x0000000002A80000-0x0000000002A81000-memory.dmp
memory/4576-57-0x0000000000400000-0x0000000000EEC000-memory.dmp
memory/4576-56-0x0000000002A90000-0x0000000002A91000-memory.dmp
memory/4576-54-0x0000000001000000-0x0000000001001000-memory.dmp
memory/4576-53-0x0000000000FF0000-0x0000000000FF1000-memory.dmp
memory/4576-52-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
memory/4576-51-0x0000000000FA0000-0x0000000000FA1000-memory.dmp
memory/4576-50-0x0000000000F90000-0x0000000000F91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kyijz.exe
| MD5 | 14b5979af8e4ce5a7ef0405bc4c1c766 |
| SHA1 | f0714ebd45aa35b67e4b9960ea47482a22728348 |
| SHA256 | bf8c1e54bed9dc013e71a6b73ffa9f57cff042fbe6045c793b46f21bc166d76f |
| SHA512 | aaa98ff56016b5defc71520d0c737707655c3f625b195a8589d1b99c1981e80829c6ed9b2376d03d1a61136354021abd8a7ca56360936b19a0977b60395caabe |
memory/2892-71-0x0000000000400000-0x0000000000599000-memory.dmp
memory/4576-72-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 7d88b17633cce15699894f7155869eeb |
| SHA1 | 2a17eb5881b1b1a6585e27aa0096c315627633e7 |
| SHA256 | 605372a1cdb381a3079cc34ebefdef80084816cca402e8244002eb94d8f11db2 |
| SHA512 | 4f52b726ecbbf214f3f9bb42782afe3883dae498b22069d5c676bcfe12abd3257609ea253362fce08e48b1a03465ae44435fef983700387795dc68742ed15113 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
memory/2892-75-0x0000000000400000-0x0000000000599000-memory.dmp
memory/2892-77-0x0000000000400000-0x0000000000599000-memory.dmp