Malware Analysis Report

2024-11-16 13:25

Sample ID 241012-3z8hlasfqm
Target 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118
SHA256 a61b00289f9c9ea241546df20ef4b9740ffe672b6621db5d27ca6fa311b9488b
Tags
urelas discovery trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

a61b00289f9c9ea241546df20ef4b9740ffe672b6621db5d27ca6fa311b9488b

Threat Level: Known bad

The file 3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Urelas family

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

UPX packed file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-12 23:58

Signatures

Urelas family

urelas

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 23:58

Reported

2024-10-13 00:00

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gyewl.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gyewl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\polyy.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gyewl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\polyy.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\polyy.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\gyewl.exe

"C:\Users\Admin\AppData\Local\Temp\gyewl.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\polyy.exe

"C:\Users\Admin\AppData\Local\Temp\polyy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/5076-0-0x0000000000400000-0x000000000048B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gyewl.exe

MD5 90afcb180021eae006c7bc08ff0fb9f1
SHA1 204666cdb3cf37609b0585491645c41d4a5b9cdc
SHA256 ce664eb97bf7c3088688937b68e0e0124abed29f0dff0d9615abcf62ca7e55ea
SHA512 bcae7263c20ba4d55db626f78ff7e6755adec7bc324f8f17c0811f5f2c76de07a984b28c8727f513315c4a23be9d0ead35ef7c7926aaa2fb361fec11a35aa8e8

memory/5076-13-0x0000000000400000-0x000000000048B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 f3ab88fe91ac7fa730e72c91aa008dc9
SHA1 f9f8f62100cb4a0c3fd56d2f2e5fd66ff10bba26
SHA256 2db45ae9ccce1626f7df16c67b15deb74c16f6690fff7f5577843bf095491470
SHA512 8045c1827b2c437656bd4c6fe301b3a9f5ffbd50cf320e0ef15852f38cd6b0898e2c2d2bbb67c3f52a4142e73f260247583512f08da9c1af6cf9a438767b24ec

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 c484b5757f32e853976d9bfa65ce4297
SHA1 071a17d0c9626d42d3ef1b154cf78c19b366efaa
SHA256 89eee34262a38af181f4db87f6c4b89f89e36fbd64b75d6d4acf0810a7a8b61a
SHA512 5be448758e67a77f94ea712cae261008fbeeda82129b57b235d66cf7c9f59047ce85eed416c35e78efbfa564b044c0daed074fb04cae7eed182c5c53a37ae66a

memory/3212-16-0x0000000000400000-0x000000000048B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\polyy.exe

MD5 54a24a5f8d8f051adfc985c6f1d1504f
SHA1 a9f07d073df389d665ff9bcde181091c29b2b356
SHA256 2d48368273b25659144d32829ecdab32fd004b8370974b9e9c9176798b5415fb
SHA512 93e5b64e575d1aa58e73f76593c1bdb98f1dfc2a057aea292c0d8fbddabf48aa4a1259681dddf146001114c1ef97d48cc654bbff8d39312f4e9cd204d9a18799

memory/208-25-0x0000000000A10000-0x0000000000AC6000-memory.dmp

memory/3212-26-0x0000000000400000-0x000000000048B000-memory.dmp

memory/208-27-0x0000000000C30000-0x0000000000C31000-memory.dmp

memory/208-29-0x0000000000A10000-0x0000000000AC6000-memory.dmp

memory/208-30-0x0000000000A10000-0x0000000000AC6000-memory.dmp

memory/208-31-0x0000000000A10000-0x0000000000AC6000-memory.dmp

memory/208-32-0x0000000000A10000-0x0000000000AC6000-memory.dmp

memory/208-33-0x0000000000A10000-0x0000000000AC6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 23:58

Reported

2024-10-13 00:00

Platform

win7-20241010-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\opolz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ewije.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\opolz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ewije.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ewije.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2824 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\opolz.exe
PID 2824 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\opolz.exe C:\Users\Admin\AppData\Local\Temp\ewije.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\3cb6a7288517a560ff1d380d8e8ebf50_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\opolz.exe

"C:\Users\Admin\AppData\Local\Temp\opolz.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\ewije.exe

"C:\Users\Admin\AppData\Local\Temp\ewije.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2824-0-0x0000000000400000-0x000000000048B000-memory.dmp

\Users\Admin\AppData\Local\Temp\opolz.exe

MD5 1ccf894f902c995c9dd34781c4971741
SHA1 dc601f4ab065c962100aec52a8014f26ebe8544f
SHA256 e9a6546ad03c4ecbc7eef3f7b0be21c71253fd3c02d7dcd7508e692c4903cbe9
SHA512 c8ce96a81817fcf630cccc6bb436492820002410da533d16c0bafda19eed4f9b7de73ca9fc09373f0fa6b48745ad812a504f022aa833e9a6c511b6a1e2e301c5

memory/2228-10-0x0000000000400000-0x000000000048B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 f3ab88fe91ac7fa730e72c91aa008dc9
SHA1 f9f8f62100cb4a0c3fd56d2f2e5fd66ff10bba26
SHA256 2db45ae9ccce1626f7df16c67b15deb74c16f6690fff7f5577843bf095491470
SHA512 8045c1827b2c437656bd4c6fe301b3a9f5ffbd50cf320e0ef15852f38cd6b0898e2c2d2bbb67c3f52a4142e73f260247583512f08da9c1af6cf9a438767b24ec

memory/2824-17-0x0000000000400000-0x000000000048B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 60ece94363e293c773216553e4292ffe
SHA1 e23c299e421676987313ab6411a56745462fe30c
SHA256 7cff9cd5ae108273a5fa0cfc9b3f9db123e5116f3bbac1d7c61622a21631ba87
SHA512 8fbfa936a4b71337e27a40ef511d9a60d7b3f59c487a414748da730b7a476d131fd78c62d3f72bf08ae004ab28321c16bd056f4a7a438619063685726dfa74e1

memory/2228-20-0x0000000000400000-0x000000000048B000-memory.dmp

\Users\Admin\AppData\Local\Temp\ewije.exe

MD5 42b221d6cf6e6993ef88af0574f4a9b9
SHA1 98d682267cc8e0ebbb30d34eec518aab6e4c0d40
SHA256 c7c0eee9bc9afae84f93f8b46960aea8db727f7add056f319f3e04dcb36df386
SHA512 fc4bfd5a5036e23f76a9bea419fc60ef367825796126f31f7749568c2962d180231d76aae4b227183c94906efdbb700da79f65839c76ab58e803476d086ad5f4

memory/3024-28-0x0000000000CE0000-0x0000000000D96000-memory.dmp

memory/2228-27-0x0000000000400000-0x000000000048B000-memory.dmp

memory/3024-30-0x0000000000CE0000-0x0000000000D96000-memory.dmp

memory/3024-31-0x0000000000CE0000-0x0000000000D96000-memory.dmp

memory/3024-32-0x0000000000CE0000-0x0000000000D96000-memory.dmp

memory/3024-33-0x0000000000CE0000-0x0000000000D96000-memory.dmp

memory/3024-34-0x0000000000CE0000-0x0000000000D96000-memory.dmp