Analysis Overview
SHA256
5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3
Threat Level: Known bad
The file 5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3 was found to be: Known bad.
Malicious Activity Summary
Urelas
UPX packed file
Executes dropped EXE
Deletes itself
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-08-10 22:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-10 22:05
Reported: 2024-08-10 22:08
Platform: win7-20240704-en
Max time kernel: 149s
Max time network: 120s
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ciurw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remexu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ciurw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ciurw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remexu.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ciurw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\remexu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ciurw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remexu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ulogv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe | "C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe" |
| C:\Users\Admin\AppData\Local\Temp\ciurw.exe | "C:\Users\Admin\AppData\Local\Temp\ciurw.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
| C:\Users\Admin\AppData\Local\Temp\remexu.exe | "C:\Users\Admin\AppData\Local\Temp\remexu.exe" OK |
| C:\Users\Admin\AppData\Local\Temp\ulogv.exe | "C:\Users\Admin\AppData\Local\Temp\ulogv.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\ciurw.exe
| MD5 | 05081d09ac6153681387b5b531395d71 |
| SHA1 | 6602c79cd7d2f282ff9ee07eca22a6188e778d5f |
| SHA256 | 8932f553d61e8a0309ddf1a0cfde9492b6d61c889fa7e6bf353cc6597a4b8eee |
| SHA512 | 25f74fb82e2520bbd6b5105cb022e8f8752dbdc3cb854dea10cc05ea088a66e71a4774f06ab5b999d96652faf160839744579f22b24725b830c9571265a3077e |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 0b2d310c5081261ed7a37dfd3658d7f3 |
| SHA1 | 01c5b603fe269e06d90277c4c3600dfd4430431d |
| SHA256 | 8e19fa7ab7dedd21d74ccb808dc41f46d31da1ff64a01a6bd85d9bfabf905c5a |
| SHA512 | a72ccac058bbafb6e9a96fc51fe634351f036bb177323dc91ea4589d50e615b3494005e16b8e3d9f5c706910bafa7db49a0327ee7f4dab21de797c85fddc6053 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ab102d3d1c8b730046521b5e0f16ef17 |
| SHA1 | 90302460c4761878a723cd4ae1bac2080a3ac5f1 |
| SHA256 | d78f0341fa26141120bc039c69f251c8d55d96a9201114031399075ca00d8d84 |
| SHA512 | 84a84b53859781f3c02b8347e25016db45ae8c7929cd869c8aa30af837e3212b8331e8f36d4f9491342a10abdcd29e38d08bf137e40b114e100a2c76c498fedb |
\Users\Admin\AppData\Local\Temp\ulogv.exe
| MD5 | 8ccfbb7da99103b7ec3dea57074320a0 |
| SHA1 | 1046a90c4b070664e203bed0ae7fee47791a8580 |
| SHA256 | 0a33525b3f49db82dd9a56f067f706f360ba102e32e2176b49765c1eae2d9d35 |
| SHA512 | 8388e9732b19c57204f886bcb5b74978b698346abd5c25693657b3ae819f0540050f7e05deacba51a3fc23e9f12acb89a5f5ee29b22dc002b1df23033bad9f04 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | f1482ae6624e18bfdb0a9d8efaf5eb4b |
| SHA1 | 50a51f75cfe722c9bd7b13f52bb249cf2ee7957c |
| SHA256 | 6d9ba1642bb4ff817b0bfc9c1f590d356d214b2be58ba03d7e87b56a1875d840 |
| SHA512 | 6757bfde6a50647b04614a4b24f5bf8584796891de9098be3fb11a6e95c5401cf5b856c0d8f36e0abac5eb9eff69e924f9b571c79553fe58e786ca3170e61365 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-10 22:05
Reported: 2024-08-10 22:08
Platform: win10v2004-20240802-en
Max time kernel: 150s
Max time network: 153s
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tytox.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\jososi.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tytox.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jososi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wobeq.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wobeq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tytox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jososi.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe | "C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe" |
| C:\Users\Admin\AppData\Local\Temp\tytox.exe | "C:\Users\Admin\AppData\Local\Temp\tytox.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
| C:\Users\Admin\AppData\Local\Temp\jososi.exe | "C:\Users\Admin\AppData\Local\Temp\jososi.exe" OK |
| C:\Users\Admin\AppData\Local\Temp\wobeq.exe | "C:\Users\Admin\AppData\Local\Temp\wobeq.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" " |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tytox.exe
| MD5 | c1c8244b78c2e7f7f179ab64e7c378ce |
| SHA1 | f61bf8f9ebc98ee7d3181705d5adab4fcb902243 |
| SHA256 | 15e8e02a35c7d9e3672c6cda994c5f99f65c73be2f7314fd2c22b578255d76f6 |
| SHA512 | 28ede1a156d7ef20250ab816c3a8f3a92107647209b479191ed1d0140e3e809b5eb9f17792cc432f4f7c17aef0a236507158aeac6006a4bcd4004cba96a17e56 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 0b2d310c5081261ed7a37dfd3658d7f3 |
| SHA1 | 01c5b603fe269e06d90277c4c3600dfd4430431d |
| SHA256 | 8e19fa7ab7dedd21d74ccb808dc41f46d31da1ff64a01a6bd85d9bfabf905c5a |
| SHA512 | a72ccac058bbafb6e9a96fc51fe634351f036bb177323dc91ea4589d50e615b3494005e16b8e3d9f5c706910bafa7db49a0327ee7f4dab21de797c85fddc6053 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | b085407cd25790de5e6b73905f18cf45 |
| SHA1 | a610c5d9213f538de0bb7119d040345308db0121 |
| SHA256 | 681ef3876e28509b177c51a3e55180dceadc20e5ad1de777647996a9109e6fda |
| SHA512 | 90513c9efdc981700c694f72ec7a3febd916ffb6d70943e00476e2c56b3c57037731894b82762219359ae263fe2e13f26559d96e9fec0bbe4e975521c26bfd2e |
C:\Users\Admin\AppData\Local\Temp\wobeq.exe
| MD5 | 560eb273fa631557367534ecba8bbe51 |
| SHA1 | e2fc9a11515e2157d7466bb5dc4b5cd57cd497d8 |
| SHA256 | a1f6f045911b67b73faaeaf9987582166f99abc8dc87b652afb477da5c618e8f |
| SHA512 | 01b731ce78815aca1112f6e0a395a01cde2631cf386baa7882e316abcef0fa443a6cbf2a78eb16c7a88534565155864dfeb3623286fc58806f80ee65fea9eeb9 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 0f8b4cb70e98f7695e4e600f825a7dbf |
| SHA1 | cde3f55df1f711fee49545124d4ea4351e5d758b |
| SHA256 | 84e45ba427d76c19f9ca3e61457c2cdd90a5a72629e28b85d3bc3d56eccf820b |
| SHA512 | 2b6aa3c76c8f2f2d441728867b316435c214373d7734ab867ea3415e0ea50f1596562cc2f56e594d5185c7d078f6b29cd427c5e7a9256573253be330acf24a72 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |