Malware Analysis Report

2024-11-16 13:25

Sample ID 241013-w81e1swdln
Target 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N
SHA256 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3
Tags urelas discovery trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Urelas family

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-13 18:36

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 18:36

Reported

2024-10-13 18:38

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hudim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iffop.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hudim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iffop.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2576 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe C:\Users\Admin\AppData\Local\Temp\hudim.exe
PID 2576 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe C:\Windows\SysWOW64\cmd.exe
PID 1076 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\hudim.exe C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe
PID 2832 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe C:\Users\Admin\AppData\Local\Temp\iffop.exe
PID 2832 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe

"C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe"

C:\Users\Admin\AppData\Local\Temp\hudim.exe

"C:\Users\Admin\AppData\Local\Temp\hudim.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe

"C:\Users\Admin\AppData\Local\Temp\yfcoqu.exe" OK

C:\Users\Admin\AppData\Local\Temp\iffop.exe

"C:\Users\Admin\AppData\Local\Temp\iffop.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

C:\Users\Admin\AppData\Local\Temp\hudim.exe

C:\Users\Admin\AppData\Local\Temp\iffop.exe

C:\Users\Admin\AppData\Local\Temp\gbp.ini

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 18:36

Reported

2024-10-13 18:38

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\doefi.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\xixole.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\doefi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xixole.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ybzob.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\doefi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xixole.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ybzob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3280 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe C:\Users\Admin\AppData\Local\Temp\doefi.exe
PID 3280 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe C:\Windows\SysWOW64\cmd.exe
PID 4640 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\doefi.exe C:\Users\Admin\AppData\Local\Temp\xixole.exe
PID 1060 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\xixole.exe C:\Users\Admin\AppData\Local\Temp\ybzob.exe
PID 1060 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\xixole.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe

"C:\Users\Admin\AppData\Local\Temp\3d53dfa0e7eb380e1508db424dbcd548e76a6725007ec037370d015c1dd177e3N.exe"

C:\Users\Admin\AppData\Local\Temp\doefi.exe

"C:\Users\Admin\AppData\Local\Temp\doefi.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\xixole.exe

"C:\Users\Admin\AppData\Local\Temp\xixole.exe" OK

C:\Users\Admin\AppData\Local\Temp\ybzob.exe

"C:\Users\Admin\AppData\Local\Temp\ybzob.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 27.210.23.2.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\doefi.exe

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

C:\Users\Admin\AppData\Local\Temp\ybzob.exe

C:\Users\Admin\AppData\Local\Temp\gbp.ini