Malware Analysis Report

2024-11-16 13:28

Sample ID 240813-va21hsvdrd
Target c77fe1a6c83785cd02e105a7ff648010N.exe
SHA256 1ae89027de50d26946c2923435726edc6d8cba3cb93ea5154ee93ba60aacf710
Tags
urelas discovery trojan upx
Score
10/10

Analysis Overview

Score
10/10

SHA256

1ae89027de50d26946c2923435726edc6d8cba3cb93ea5154ee93ba60aacf710

Threat Level: Known bad

The file c77fe1a6c83785cd02e105a7ff648010N.exe was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Deletes itself

UPX packed file

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-08-13 16:48

Signatures

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 16:47

Reported

2024-08-13 16:50

Platform

win10v2004-20240802-en

Max time kernel

115s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sycyg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\jiripu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sycyg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jiripu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yfjox.exe N/A

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sycyg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jiripu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yfjox.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe C:\Users\Admin\AppData\Local\Temp\sycyg.exe
PID 2672 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\sycyg.exe C:\Users\Admin\AppData\Local\Temp\jiripu.exe
PID 3736 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\jiripu.exe C:\Users\Admin\AppData\Local\Temp\yfjox.exe
PID 3736 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\jiripu.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe

"C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe"

C:\Users\Admin\AppData\Local\Temp\sycyg.exe

"C:\Users\Admin\AppData\Local\Temp\sycyg.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\jiripu.exe

"C:\Users\Admin\AppData\Local\Temp\jiripu.exe" OK

C:\Users\Admin\AppData\Local\Temp\yfjox.exe

"C:\Users\Admin\AppData\Local\Temp\yfjox.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
KR 218.54.31.226:11110 N/A tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
KR 1.234.83.146:11170 N/A tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
KR 218.54.31.165:11110 N/A tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
JP 133.242.129.155:11110 N/A tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\sycyg.exe

MD5 09c149687b3cd19755db001e301bb958
SHA1 87e11584429f065c01450aa398221465848e929e
SHA256 6c6899a58b83971526ae7474e725034fd63699586a8e0c7eee9f84625343c05d
SHA512 fdcf7ac36f0b08e75b4575db6825be1ceb961cec16448309ffd6078f23a32a8da538ce15cae6bfa4e9dc8b460a57e99345ec235789026c9b045e4e4d7328e3a5

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 c867c89d1ec7719c3d9a63fff31881e0
SHA1 5653a2011d6c3b41276d06f3e88af87cf011dd5a
SHA256 f919a8a11787792d222c2425158bd9b741446bdeb488dd4426f04d5a20c31685
SHA512 4864aba5927a9062a2d799a019f7079d440e2db59aea51224e017f142990bf1a834766812b0a5416d6e3d26c7e168901f027b613fc1e61576ffaecd71db0f31a

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 69454f789f0d0c071c6d9a8e6417fc7e
SHA1 88028cd99d6e086dc86984968e54bf918c685cd3
SHA256 f533dd5be6580a670302efcdb3580966ee2b6ee8fa09fd8acf5d405814ef2661
SHA512 6fe29f8dd9933bbc50d2ba9638da75882777cc9f0708a327b7714d2b03e6b5d1b5aa94b99db424321ff493eb2d64bc6201181d4c0375531e321ed7fb6472af78

C:\Users\Admin\AppData\Local\Temp\yfjox.exe

MD5 90e39a799e0f6f039acd46213ce4be0a
SHA1 cdf5cca639a15cc971a013751f229617dd8307c4
SHA256 e58b161b2fafbfe0bb810b4fdca9a753ab3918f01595da46dcd89b57e25fc458
SHA512 855ad67f0b4dd5102bb26874a699049fddecf33ab15a4a66e0dc7631ee5b8c8f83adaa70524dafeccff0c607a0fb5c1e851784884fdbed50ad45cda576386dee

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 0e98e99a8528f48404170366b03c3802
SHA1 574bb3f2cc4e2ce64c0dab36887765ed4905c026
SHA256 44248028bcfcf46aa99ee6181b47ace3ce819dd22f8e85feb87e7f5adb33e95a
SHA512 3ee72a799e9339e2fb42204cc282156a55090581f5c2858857a584bdd1a5607336a3efcdcb6e741f4756c3e3f5897bcae0045f7b7902a6f7469d290cc8ceb33c

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 16:47

Reported

2024-08-13 16:50

Platform

win7-20240708-en

Max time kernel

117s

Max time network

93s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zuhor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kyudvu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qucoj.exe N/A

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zuhor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kyudvu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qucoj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe C:\Users\Admin\AppData\Local\Temp\zuhor.exe
PID 2360 wrote to memory of 2104 N/A C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\zuhor.exe C:\Users\Admin\AppData\Local\Temp\kyudvu.exe
PID 2364 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\kyudvu.exe C:\Users\Admin\AppData\Local\Temp\qucoj.exe
PID 2364 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\kyudvu.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe

"C:\Users\Admin\AppData\Local\Temp\c77fe1a6c83785cd02e105a7ff648010N.exe"

C:\Users\Admin\AppData\Local\Temp\zuhor.exe

"C:\Users\Admin\AppData\Local\Temp\zuhor.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\kyudvu.exe

"C:\Users\Admin\AppData\Local\Temp\kyudvu.exe" OK

C:\Users\Admin\AppData\Local\Temp\qucoj.exe

"C:\Users\Admin\AppData\Local\Temp\qucoj.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 N/A tcp
KR 1.234.83.146:11170 N/A tcp
KR 218.54.31.165:11110 N/A tcp
JP 133.242.129.155:11110 N/A tcp

Files

\Users\Admin\AppData\Local\Temp\zuhor.exe

MD5 0fc9b18c26b3f7f8aeee22e9d8580984
SHA1 279dd966d5aac1b9ba962e1aff6953a9a181296b
SHA256 d48616dad3b8125af022f41b335bac62b7480501d10f34001656330fc502ef1d
SHA512 6c810a20538f011523b7b68ad5f83681531993760be90e8d0c2337f3e02bff68f9e6c67fe5b6ff81c1571237054a21271cbe66a02d05e87fbccd586af4badc27

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 c867c89d1ec7719c3d9a63fff31881e0
SHA1 5653a2011d6c3b41276d06f3e88af87cf011dd5a
SHA256 f919a8a11787792d222c2425158bd9b741446bdeb488dd4426f04d5a20c31685
SHA512 4864aba5927a9062a2d799a019f7079d440e2db59aea51224e017f142990bf1a834766812b0a5416d6e3d26c7e168901f027b613fc1e61576ffaecd71db0f31a

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 8f680889cdf5e9c3cc885a33b948708d
SHA1 6cc8d96006ca68615a1f5a5bdbeec071320e4972
SHA256 849ee07c82c24446131ef488b5346ae9e4488d4ba3a0b5967774b3fa42e845e2
SHA512 3e9a00873ec35e70455ac1848797539dc76055d9704dce3b373cba10b6eb4950641941d22564207538307d3e9d9b480a30b2806ee06faba9738e293895a00b5f

\Users\Admin\AppData\Local\Temp\qucoj.exe

MD5 47780aeefc4603a1dc2a5c2b750dc025
SHA1 72f91e268fe233b67bc2c89d4abffc9dfbd238ac
SHA256 48b6fd89ebb23d121b98d20a410e3755543137496614a3bf5aa9986ffb1d39f6
SHA512 7f7fb404fa93a393f6bd1b3b28497b8cb300eac8254fdeffa6127b929fc54fd7f7304270d484242b184751fcc625b0d78db161c0886e36d52ec8f69607b852c2

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 8adaca7aa26ed13ed2a4eef0dca4e20d
SHA1 8040fa3a202b266ed1776e6c96e87e76939e4b7f
SHA256 21e9934f338efa285de25627879509917a78e9afd48f17dce6b85f6b32213967
SHA512 15e59f841b0b8c651e0896d8ca96c6883ea2ad393d31adb3bef3a4274a620ce8c97711aff345515fd27272718fc7e6bfd04902771f5056bb4ef9a8642dfcf542

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a