Malware Analysis Report

2024-11-16 13:28

Sample ID 240813-zffrpavelh
Target 94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118
SHA256 5ac238e2930b64d9af7698882a8fd2eb0c0694f02291313ed04f28c1296f61e3
Tags: urelas, discovery, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

5ac238e2930b64d9af7698882a8fd2eb0c0694f02291313ed04f28c1296f61e3

Threat Level: Known bad

The file 94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 20:39

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 20:39

Reported

2024-08-13 20:41

Platform

win7-20240729-en

Max time kernel

147s

Max time network

74s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mucoq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mucoq.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2328 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\mucoq.exe
PID 2328 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\mucoq.exe
PID 2328 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\mucoq.exe
PID 2328 wrote to memory of 2992 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\mucoq.exe
PID 2328 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\mucoq.exe | C:\Users\Admin\AppData\Local\Temp\ybugho.exe
PID 2992 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\mucoq.exe | C:\Users\Admin\AppData\Local\Temp\ybugho.exe
PID 2992 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\mucoq.exe | C:\Users\Admin\AppData\Local\Temp\ybugho.exe
PID 2992 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\mucoq.exe | C:\Users\Admin\AppData\Local\Temp\ybugho.exe
PID 2792 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe
PID 2792 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe
PID 2792 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe
PID 2792 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | C:\Users\Admin\AppData\Local\Temp\nyfoy.exe
PID 2792 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\ybugho.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\mucoq.exe

"C:\Users\Admin\AppData\Local\Temp\mucoq.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\ybugho.exe

"C:\Users\Admin\AppData\Local\Temp\ybugho.exe" OK

C:\Users\Admin\AppData\Local\Temp\nyfoy.exe

"C:\Users\Admin\AppData\Local\Temp\nyfoy.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11110 | - | tcp
KR | 1.234.83.146:11170 | - | tcp
KR | 218.54.31.165:11110 | - | tcp
JP | 133.242.129.155:11110 | - | tcp

Files

memory/2328-2-0x0000000000400000-0x00000000004B3000-memory.dmp

\Users\Admin\AppData\Local\Temp\mucoq.exe

MD5 01527b75f303e6d9326062da08b25bbd
SHA1 668c3752f015b63fbb3c791271a059918c1a3146
SHA256 646cf12f1ddc9e6727b6853c61364aa3f29887d90de1e226ca40ce62ca2a084f
SHA512 750e0cb82435cfbe53a0c76e4e68deb2be6abd3898d964a1179c2249dd1858c6cdabbfa677b87a919b12347f2f6d11b4146b56d9bb38592c48c39926c8c9d473

memory/2328-6-0x0000000002530000-0x00000000025E3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 eb5116da67b4a0a0e5524e6459599ff3
SHA1 a01962783f3aa9fc6e68b54f3e079c881e65cf41
SHA256 ecef4e8b2af9b1e9aa5b4a7b9cf306379176188e70021a1f19f70a72b5859e61
SHA512 8dc986f4aa2a7642d0624fe6cf09d404ffbe3fcebe7be8dc1705895100a31348bcb42da08bc5b3309a61b8f8afb083d384999d3ef84daab4e7be12447b7acf42

memory/2328-21-0x0000000000400000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 5c9b87a7c53a1ed58149e827512b17e3
SHA1 95262ab8393610e53a5149ad8fe088f10b70e28e
SHA256 72b8a0f977544c76cb9474c60ed29470d944efbf51d4ad29d45b6af6c4355128
SHA512 ff2ecfe1d0911e2bed9e203a6f6469d6bd09a2c801712d40e0ca72fea1b9372b24702fd136b661248eed3ce18ec298b50ba25004f2ec9b9befab342d91a9b421

memory/2992-33-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/2792-34-0x0000000000400000-0x00000000004B3000-memory.dmp

\Users\Admin\AppData\Local\Temp\nyfoy.exe

MD5 346bd140629313e5b71ec2a5732d6fca
SHA1 bd3f86ff9f1114d6925b06ae0e1691d9d8be5eaa
SHA256 e1d7397a597b94e2029b3d1252b255f1e2fb5a1c94f531105cb2cc1271f72f16
SHA512 2bff28854c780054ad60be6b0768384a79694ba4fde1eb00de91271c56acbfcddff799142f45e7a97e5250e12f85f2455f2898162e9b09262deb4a8838c4816a

memory/2792-42-0x0000000003BE0000-0x0000000003D76000-memory.dmp

memory/2792-51-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/3000-52-0x0000000000400000-0x0000000000596000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 a157435640a10083c3c7b80bd79bd558
SHA1 d06c142bf8494b36294b1730e5997ba534e1845d
SHA256 e295955bbc3a2d110224471c8ca589b64ddef0b81867f3eee16e0e163f2753a9
SHA512 81e2a9f7cb06721281e7e071d797bd62a0e72a15fb3ba07f7f5eaf0557fbc321853aa0fde2b626f478663112bcfe792065e9020e172c9fe0b3c74e22a7836a96

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/3000-56-0x0000000000400000-0x0000000000596000-memory.dmp

memory/3000-58-0x0000000000400000-0x0000000000596000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 20:39

Reported

2024-08-13 20:41

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\semua.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\semua.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kijyi.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kijyi.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\semua.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kijyi.exe | N/A
(this row appears 26 times in the sandbox output: 26 separate process-enumeration events, all by kijyi.exe)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3064 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\semua.exe
PID 3064 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\semua.exe
PID 3064 wrote to memory of 5100 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\semua.exe
PID 3064 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\semua.exe | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe
PID 5100 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\semua.exe | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe
PID 5100 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\semua.exe | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe
PID 1036 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | C:\Users\Admin\AppData\Local\Temp\kijyi.exe
PID 1036 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | C:\Users\Admin\AppData\Local\Temp\kijyi.exe
PID 1036 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | C:\Users\Admin\AppData\Local\Temp\kijyi.exe
PID 1036 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\qolyzu.exe | C:\Windows\SysWOW64\cmd.exe
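The "Suspicious use of WriteProcessMemory" tables of both runs (behavioral1 above and behavioral2 here) are the quickest way to recover the execution chain: each row names the writing process and the process it wrote into, the writer/target pairs line up with the parent/child order in the Processes lists, and the sandbox emits one row per write call, which is why every pair appears three or four times. Following the EXE-to-EXE edges from the submitted sample gives the dropper sequence; the edges into cmd.exe mark where _vslite.bat is launched. The script below is an added example and not part of the sandbox report. It carries the event rows of both runs in the raw space-separated form of the sandbox output (the parser also accepts the pipe-separated layout), rebuilds the tree, and pulls out the chain and the cmd.exe launchers; the helper names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Event rows from the two "Suspicious use of WriteProcessMemory" tables
# (behavioral1 = Windows 7 run, behavioral2 = Windows 10 run), in the raw
# space-separated form of the sandbox output. Repeats are separate events.
BEHAVIORAL1 = r"""
PID 2328 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\mucoq.exe
PID 2328 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\mucoq.exe
PID 2328 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\mucoq.exe
PID 2328 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\mucoq.exe
PID 2328 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2328 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\mucoq.exe C:\Users\Admin\AppData\Local\Temp\ybugho.exe
PID 2992 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\mucoq.exe C:\Users\Admin\AppData\Local\Temp\ybugho.exe
PID 2992 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\mucoq.exe C:\Users\Admin\AppData\Local\Temp\ybugho.exe
PID 2992 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\mucoq.exe C:\Users\Admin\AppData\Local\Temp\ybugho.exe
PID 2792 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\ybugho.exe C:\Users\Admin\AppData\Local\Temp\nyfoy.exe
PID 2792 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\ybugho.exe C:\Users\Admin\AppData\Local\Temp\nyfoy.exe
PID 2792 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\ybugho.exe C:\Users\Admin\AppData\Local\Temp\nyfoy.exe
PID 2792 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\ybugho.exe C:\Users\Admin\AppData\Local\Temp\nyfoy.exe
PID 2792 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\ybugho.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\ybugho.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\ybugho.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\ybugho.exe C:\Windows\SysWOW64\cmd.exe
"""
BEHAVIORAL2 = r"""
PID 3064 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\semua.exe
PID 3064 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\semua.exe
PID 3064 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\semua.exe
PID 3064 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 5100 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\semua.exe C:\Users\Admin\AppData\Local\Temp\qolyzu.exe
PID 5100 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\semua.exe C:\Users\Admin\AppData\Local\Temp\qolyzu.exe
PID 5100 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\semua.exe C:\Users\Admin\AppData\Local\Temp\qolyzu.exe
PID 1036 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\qolyzu.exe C:\Users\Admin\AppData\Local\Temp\kijyi.exe
PID 1036 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\qolyzu.exe C:\Users\Admin\AppData\Local\Temp\kijyi.exe
PID 1036 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\qolyzu.exe C:\Users\Admin\AppData\Local\Temp\kijyi.exe
PID 1036 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\qolyzu.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\qolyzu.exe C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\qolyzu.exe C:\Windows\SysWOW64\cmd.exe
"""

# Accepts the raw row and the "a | b | c | d" layout alike.
ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s*\|?\s*N/A"
                    r"\s*\|?\s*(?P<src_img>\S+)\s*\|?\s*(?P<dst_img>\S+)$")

def parse_rows(table):
    """Yield (writer_pid, target_pid, writer_image, target_image) per row, repeats included."""
    for line in table.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        yield int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]

def build_tree(table):
    """parent -> children (first-seen order), pid -> image path, (parent, child) -> write count."""
    children, images, counts = defaultdict(list), {}, Counter()
    for src, dst, src_img, dst_img in parse_rows(table):
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
        counts[(src, dst)] += 1
    return children, images, counts

def basename(path):
    return path.rsplit("\\", 1)[-1]

def root_pid(table):
    """The PID that writes into others but is never written into: the submitted sample."""
    children, images, _ = build_tree(table)
    targets = {c for kids in children.values() for c in kids}
    (root,) = [p for p in images if p not in targets]  # exactly one root expected
    return root

def dropper_chain(table):
    """Image names along the EXE-to-EXE hand-off, skipping the cmd.exe side branches."""
    children, images, _ = build_tree(table)
    chain = [root_pid(table)]
    while True:
        nxt = [c for c in children.get(chain[-1], []) if basename(images[c]).lower() != "cmd.exe"]
        if not nxt:
            return [basename(images[p]) for p in chain]
        chain.append(nxt[0])

def cmd_launchers(table):
    """Image names of every process that wrote into a cmd.exe child (the _vslite.bat step)."""
    children, images, _ = build_tree(table)
    return [basename(images[p]) for p, kids in children.items()
            if any(basename(images[c]).lower() == "cmd.exe" for c in kids)]

if __name__ == "__main__":
    for name, table in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(f"{name}: {' -> '.join(dropper_chain(table))}; cmd.exe spawned by {cmd_launchers(table)}")
```

Run stand-alone it prints the same four-stage chain for both platforms (sample -> first dropped EXE -> second dropped EXE run with the "OK" argument -> third dropped EXE), and shows that cmd.exe is launched twice per run, by the original sample and by the third process in the chain, matching the two "cmd /c _vslite.bat" entries under Processes.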

Processes

C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\94a49d5a2c0479b051e956b0f1d6e290_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\semua.exe

"C:\Users\Admin\AppData\Local\Temp\semua.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\qolyzu.exe

"C:\Users\Admin\AppData\Local\Temp\qolyzu.exe" OK

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\kijyi.exe

"C:\Users\Admin\AppData\Local\Temp\kijyi.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 13.107.21.237:443 | g.bing.com | tcp
KR | 218.54.31.226:11110 | - | tcp
US | 8.8.8.8:53 | 39.58.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
KR | 1.234.83.146:11170 | - | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
KR | 218.54.31.165:11110 | - | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
JP | 133.242.129.155:11110 | - | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
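The Windows 10 Network table mixes the sample's own connections with traffic the sandbox image produces by itself: resolver queries to 8.8.8.8, reverse lookups, and the Bing traffic from the msedge.exe utility process listed under Processes. What both runs have in common are four direct TCP connections to KR and JP hosts on ports 11110 and 11170 with no DNS resolution in front of them. The script below is an added example and not part of the report: it takes both Network tables in the raw space-separated form of the sandbox output, drops background traffic with an allow-list that is this example's own choice (not a rule the sandbox applies), and reports the endpoints that survive the filter in every run. The function names are this example's own.

```python
import re

# Rows from the two Network tables (behavioral1 = Windows 7, behavioral2 =
# Windows 10) in the raw space-separated form of the sandbox output; the
# Domain column is absent for the direct-to-IP connections.
BEHAVIORAL1 = """
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
"""
BEHAVIORAL2 = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 39.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
"""

ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

# Background-traffic rules chosen for this example (not the sandbox's own):
# queries to the image's resolver, reverse lookups, and the Bing traffic that
# the msedge.exe utility process under Processes generates.
RESOLVERS = {"8.8.8.8"}
NOISE_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")
WEB_PORTS = {80, 443}

def parse(table):
    """One dict per row; raises on anything that is not a Network-table row."""
    rows = []
    for line in table.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append({"cc": m["cc"], "ip": m["ip"], "port": int(m["port"]),
                     "domain": m["domain"] or "", "proto": m["proto"]})
    return rows

def is_noise(row):
    if row["port"] == 53 and row["ip"] in RESOLVERS:
        return True
    return row["domain"].endswith(NOISE_SUFFIXES)

def is_direct_high_port(row):
    """TCP to a bare IP on a port other than 80/443: the shape of a hard-coded C2 endpoint."""
    return row["domain"] == "" and row["proto"] == "tcp" and row["port"] not in WEB_PORTS

def candidate_c2(table):
    """Unique (ip, port, proto, country) endpoints left after the noise filter, sorted."""
    seen = {}
    for r in parse(table):
        if not is_noise(r):
            seen[(r["ip"], r["port"], r["proto"])] = (r["ip"], r["port"], r["proto"], r["cc"])
    return sorted(seen.values())

def shared_endpoints(*tables):
    """(ip, port) pairs contacted in every run: the network IOCs worth acting on first."""
    per_run = [{(ip, port) for ip, port, _, _ in candidate_c2(t)} for t in tables]
    return sorted(set.intersection(*per_run))

def summarize(table):
    rows = parse(table)
    kept = [r for r in rows if not is_noise(r)]
    return {"rows": len(rows), "noise": len(rows) - len(kept), "candidate": len(kept),
            "direct_high_port": sum(is_direct_high_port(r) for r in kept)}

if __name__ == "__main__":
    for name, table in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        print(name, summarize(table), candidate_c2(table))
    print("shared:", shared_endpoints(BEHAVIORAL1, BEHAVIORAL2))
```

On the Windows 10 table the filter removes 21 of 25 rows and leaves exactly the four KR/JP endpoints that the Windows 7 run also contacted, all of them direct-to-IP on non-web ports. The allow-list is deliberately narrow: anything the sandbox image does on its own that is not covered by it stays in the candidate set, which is the safer failure mode for triage.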

Files

memory/3064-0-0x0000000000400000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\semua.exe

MD5 e2c1898a8d680a3e18bad3120c25a507
SHA1 de2b028a9558a41d8ca8a26c4657b96770d4a053
SHA256 d4dcf38cb6851a12aa027decafc8da8ad0deb559768cfe2a985dbe429924a9b1
SHA512 c10c76b980fddf1ed8f7c2cfa0241e6064d12aef1a88dccb779e5fcb4cf49474e4a28a0f7a68059dbd1b90008083dc5bb2c1c871fd4b457e68bb73a507060fda

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 471bcd998acc861db1d29ab6a3633a29
SHA1 289f7d02c68a008562baaff3052c7ed947865135
SHA256 dc5458ff94f32ccdf1dc9b39f1cb065f5558a7fa445027c83801960a903ff1de
SHA512 7a89b9cc0f98a0163970a0dd9c9dcfc4df8961b694b33650378a585519d30194c7beeda056b9b5a80790e6568e14f944eea69699b052ba692440b9b74b819645

memory/5100-13-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/3064-15-0x0000000000400000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 eb5116da67b4a0a0e5524e6459599ff3
SHA1 a01962783f3aa9fc6e68b54f3e079c881e65cf41
SHA256 ecef4e8b2af9b1e9aa5b4a7b9cf306379176188e70021a1f19f70a72b5859e61
SHA512 8dc986f4aa2a7642d0624fe6cf09d404ffbe3fcebe7be8dc1705895100a31348bcb42da08bc5b3309a61b8f8afb083d384999d3ef84daab4e7be12447b7acf42

memory/1036-25-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/5100-26-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/1036-27-0x0000000000400000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kijyi.exe

MD5 2af0fd8ec82c79b7ceccac278cdff6f8
SHA1 13138b659de9b84e11186083aff8604ee95e2ef7
SHA256 48d3ee4235f39121c3fb5c1749444074779bd427b4855b004f6b77560105eb06
SHA512 c92da4ce4af30a9da8982b10414c12fb624ddafd5cdda7b5051e9bc5ab3884179b494f4f3b105c18eecc8ef862ea51b2f61a75b575b7e1df441caf9fcd392961

memory/2384-38-0x0000000000400000-0x0000000000596000-memory.dmp

memory/1036-41-0x0000000000400000-0x00000000004B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 c37370c12cb26fd9045857f77cff0874
SHA1 99e5b17747e266186e6bae1468cb543c71885617
SHA256 41f590752d26120b2e7fafc8e6186a9d5f11654d6e3964c82148b8e7e141dd54
SHA512 40c00a097219639bf8607bdaf3813500b4bc50db0d959e375f11f424dbcbae4fe021d226f53fa35d703ab0c4d82c7a81835b23348e20704a573182b226d917a1

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/2384-44-0x0000000000400000-0x0000000000596000-memory.dmp

memory/2384-45-0x0000000000400000-0x0000000000596000-memory.dmp

memory/2384-47-0x0000000000400000-0x0000000000596000-memory.dmp

memory/2384-49-0x0000000000400000-0x0000000000596000-memory.dmp
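Comparing the Files sections of the two runs shows which dropped artifacts are usable as indicators. The executable names change per execution (mucoq, ybugho and nyfoy on Windows 7; semua, qolyzu and kijyi on Windows 10), golfinfo.ini has a different hash in each run, while the first _vslite.bat (SHA256 beginning ecef4e8b) and gbp.ini (SHA256 beginning 30f820bb) have identical hashes on both platforms. The script below is an added example and not part of the report; the (path, SHA256) pairs are copied from the Files sections above, and the classification labels and function names are this example's own.

```python
from collections import defaultdict

# (path, SHA256) pairs copied from the Files sections of the two runs; the
# memory dumps are left out because they are not dropped files.
WIN7 = [
    (r"\Users\Admin\AppData\Local\Temp\mucoq.exe",
     "646cf12f1ddc9e6727b6853c61364aa3f29887d90de1e226ca40ce62ca2a084f"),
    (r"C:\Users\Admin\AppData\Local\Temp\_vslite.bat",
     "ecef4e8b2af9b1e9aa5b4a7b9cf306379176188e70021a1f19f70a72b5859e61"),
    (r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini",
     "72b8a0f977544c76cb9474c60ed29470d944efbf51d4ad29d45b6af6c4355128"),
    (r"\Users\Admin\AppData\Local\Temp\nyfoy.exe",
     "e1d7397a597b94e2029b3d1252b255f1e2fb5a1c94f531105cb2cc1271f72f16"),
    (r"C:\Users\Admin\AppData\Local\Temp\_vslite.bat",
     "e295955bbc3a2d110224471c8ca589b64ddef0b81867f3eee16e0e163f2753a9"),
    (r"C:\Users\Admin\AppData\Local\Temp\gbp.ini",
     "30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a"),
]
WIN10 = [
    (r"C:\Users\Admin\AppData\Local\Temp\semua.exe",
     "d4dcf38cb6851a12aa027decafc8da8ad0deb559768cfe2a985dbe429924a9b1"),
    (r"C:\Users\Admin\AppData\Local\Temp\golfinfo.ini",
     "dc5458ff94f32ccdf1dc9b39f1cb065f5558a7fa445027c83801960a903ff1de"),
    (r"C:\Users\Admin\AppData\Local\Temp\_vslite.bat",
     "ecef4e8b2af9b1e9aa5b4a7b9cf306379176188e70021a1f19f70a72b5859e61"),
    (r"C:\Users\Admin\AppData\Local\Temp\kijyi.exe",
     "48d3ee4235f39121c3fb5c1749444074779bd427b4855b004f6b77560105eb06"),
    (r"C:\Users\Admin\AppData\Local\Temp\_vslite.bat",
     "41f590752d26120b2e7fafc8e6186a9d5f11654d6e3964c82148b8e7e141dd54"),
    (r"C:\Users\Admin\AppData\Local\Temp\gbp.ini",
     "30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a"),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def index(run):
    """file name -> set of SHA256 values seen under that name in one run."""
    by_name = defaultdict(set)
    for path, sha in run:
        by_name[basename(path)].add(sha)
    return dict(by_name)

def compare_runs(run_a, run_b):
    a, b = index(run_a), index(run_b)
    hashes_a = {h for hs in a.values() for h in hs}
    hashes_b = {h for hs in b.values() for h in hs}
    both = a.keys() & b.keys()
    return {
        # same bytes dropped on both platforms: usable as hash IOCs
        "stable_hashes": sorted(hashes_a & hashes_b),
        "stable_names": sorted(n for n in both if a[n] & b[n]),
        # same file name in both runs but no hash in common: name-only IOC, weak
        "same_name_different_content": sorted(n for n in both if not (a[n] & b[n])),
        # names present in only one run: randomised per execution, not IOCs
        "run_specific_names": sorted(a.keys() ^ b.keys()),
    }

def ioc_lines(run_a, run_b):
    """One 'sha256  name' line per artifact whose content is identical in both runs."""
    stable = set(compare_runs(run_a, run_b)["stable_hashes"])
    return sorted(f"{h}  {n}" for n, hs in index(run_a).items() for h in hs if h in stable)

if __name__ == "__main__":
    for key, value in compare_runs(WIN7, WIN10).items():
        print(f"{key}: {value}")
    print("\n".join(ioc_lines(WIN7, WIN10)))
```

The split matters when turning a report like this into detections: the stable hashes are safe to block outright, _vslite.bat and golfinfo.ini are better matched on path and name than on hash, and the random executable names should only be described by their location (a freshly written, unsigned EXE in the user's Temp directory) rather than listed by name.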