Analysis Overview
SHA256
b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec
Threat Level: Known bad
The file b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
UPX packed file
Deletes itself
Checks computer location settings
Loads dropped DLL
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 01:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 01:29
Reported
2024-08-11 01:31
Platform
win7-20240705-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
Urelas
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ewbac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ardyuj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ewbac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ewbac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ardyuj.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ewbac.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ardyuj.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ewbac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ardyuj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suvep.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe
"C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe"
C:\Users\Admin\AppData\Local\Temp\ewbac.exe
"C:\Users\Admin\AppData\Local\Temp\ewbac.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ardyuj.exe
"C:\Users\Admin\AppData\Local\Temp\ardyuj.exe" OK
C:\Users\Admin\AppData\Local\Temp\suvep.exe
"C:\Users\Admin\AppData\Local\Temp\suvep.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ewbac.exe
| MD5 | 50b0ebaeb14276517c2a68a8424abfb0 |
| SHA1 | f258dd9d439169d7692f748e06cec8323ad9bf4c |
| SHA256 | a4bc0af820d9f3c5f393e9a715112a9227ecb2a6195836b7816a17e36d053153 |
| SHA512 | 1a70137b214a0c5975b91d2071f39894341e3da82e7c55d3028de250813999ac36311faf27c607f616c54589c34694f6a5abc5b88d6d0b9989701dbc84e85a2b |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 4cdc2dc45799a22bb7c45b8602d06352 |
| SHA1 | 84fe32317ef2f39ae3923fa1667c7ece1d4aa2dc |
| SHA256 | fd58803f78b01c23ff27f296caeb80fda47e5005c6a1e9a77d591d9b4595901c |
| SHA512 | 62fdd113ac2e8e7499633d2897e34a042cb6c59ee51a88b345c4725814994fdb52c80a78780ca48eca46d6cb723c44a64adfb9636b1086e26a02201f5e710d3f |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | aea9cd2945bf14a35d6ec60c6f32e537 |
| SHA1 | c8c0ae807cbb917fef9907aea64a39e755ab3fbd |
| SHA256 | 8eb70bfc1d903030df06aeec5edb94a183688e50cdf1bbbc1b6cc5f4178da514 |
| SHA512 | cd179021f95dc95e20c10f656761dbc340f5cbe35f51a6dafe182557de6ab7618e08c826071729b464619c773faa8d50680b1e00f0169c786d683274308ac341 |
\Users\Admin\AppData\Local\Temp\suvep.exe
| MD5 | 356a715bb32bd264d6d70936e81463ef |
| SHA1 | c11fb3f3ba56f1a88ab1fee52d37b2aa52f48df9 |
| SHA256 | 1428994c273d56e39e8283f11a27f3cbdc8144610e21e3940a87b0861fd7c2f6 |
| SHA512 | 58ef930d4abf7de3d9f0fcb9e008d65918e4590e4e1be0f81b912cba3c8effe74b5902e6b95e1848f9f2c5b61038631f2e58fed68e6a9903b87fc872a4e74aee |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | ae11baa2925b700b97934f8200e6f0b2 |
| SHA1 | cbbe7bc880aa7ea7205943e0d31f1dffb90d95f3 |
| SHA256 | bc3bc2e801f2a7295ab0db4470f30c20524d8acf92b6da6715285d5fc81661ec |
| SHA512 | 2b4a719a1b693fb852bf59fa1246ed3a143a2cb77c1120d79258437fc7fb2ed4eeae408d1ae33c3a0c6f57fc4b62c1e8a6e301fe5e551c150345ee3624f63be2 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 01:29
Reported
2024-08-11 01:31
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ruynna.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zoakc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zoakc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ruynna.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duads.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\duads.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zoakc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ruynna.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe
"C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe"
C:\Users\Admin\AppData\Local\Temp\zoakc.exe
"C:\Users\Admin\AppData\Local\Temp\zoakc.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ruynna.exe
"C:\Users\Admin\AppData\Local\Temp\ruynna.exe" OK
C:\Users\Admin\AppData\Local\Temp\duads.exe
"C:\Users\Admin\AppData\Local\Temp\duads.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\zoakc.exe
| MD5 | 8b259354d817f2b1cdac8cda809f001c |
| SHA1 | b89cd965f727022d796cc7fd1965302649fff975 |
| SHA256 | b4b12938e2ceb46a65f60aa3ba271c35afdddb0aab8fd456b4f2aca908f6e0b1 |
| SHA512 | cc6735e66d74128f8656f27135332eaddfaad8051389ae516ebd2ed426996c630463ef580aaff9f93087dca175cb827db7602440e6410ca09fff80793c7c6394 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 4cdc2dc45799a22bb7c45b8602d06352 |
| SHA1 | 84fe32317ef2f39ae3923fa1667c7ece1d4aa2dc |
| SHA256 | fd58803f78b01c23ff27f296caeb80fda47e5005c6a1e9a77d591d9b4595901c |
| SHA512 | 62fdd113ac2e8e7499633d2897e34a042cb6c59ee51a88b345c4725814994fdb52c80a78780ca48eca46d6cb723c44a64adfb9636b1086e26a02201f5e710d3f |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 04b2acef1b20459df328167147b831d2 |
| SHA1 | 2035eaf86939e0c1f8e8650521cf99f1e222578c |
| SHA256 | 56409deb29f3c9d5dde4834b038d7ca60874d53a7ebc4c8f2470dd9f6fbc20a9 |
| SHA512 | 628e17da1406da91dccfedb7ddb4699a0f0e40ca14e05a4c25b3f1aa1e607dc91de8a44e5c00849d35659b4865b56ffffd1ea8b49a4e794ae8d0cbfe854efd39 |
C:\Users\Admin\AppData\Local\Temp\duads.exe
| MD5 | b0afb044e83202742aa31a63c91c66a8 |
| SHA1 | 9e90d6262cb6bca8bd06451474d466bae37995d2 |
| SHA256 | 470c420ed397d9a77a1764563e373d1935a4699598eea297ecdc02e1097d910a |
| SHA512 | 53174b373bc3ca80b9d8613b5cb6304c006943feaedc598bb85be44570aa27c8691bf6626783644ed58bf22749819f25add056d2866b562accaab97b9edb6bc7 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 121d02073a9b5b921ecb76a6cddc6436 |
| SHA1 | 8a0e4231939ac117f49857bdd37273c0cf52fe77 |
| SHA256 | ca59f91b64fe92849ab9912bbcc0a9954da76133e3b1bed179404761504b41dd |
| SHA512 | f36998268338031c2a09dad222efaa7f89e0318f42c8368b8ea9f9feee7801dbcac178a597b63413f302bf5dda58e0b0629c7d676d27e1d47113dd92f3aeec03 |
C:\Users\Admin\AppData\Local\Temp\gbp.ini
| MD5 | dbef593bccc2049f860f718cd6fec321 |
| SHA1 | e7e9f8235b4eb70aa99dd2c38009f2152575a8d0 |
| SHA256 | 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a |
| SHA512 | 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a |