Malware Analysis Report

2025-08-05 19:40

Sample ID 240316-2akjssdg5w
Target cf389a6edfd132de5bfeb2deb343d5e2
SHA256 614c3bbd21decd89fa9045ef7960de748ddd0ab3574645441ca014f81e1002d9
Tags
urelas trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

614c3bbd21decd89fa9045ef7960de748ddd0ab3574645441ca014f81e1002d9

Threat Level: Known bad

The file cf389a6edfd132de5bfeb2deb343d5e2 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-16 22:22

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 22:22

Reported

2024-03-16 22:25

Platform

win7-20240221-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\exizj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quneah.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\higov.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2612 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Users\Admin\AppData\Local\Temp\exizj.exe
PID 2612 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Users\Admin\AppData\Local\Temp\exizj.exe
PID 2612 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Users\Admin\AppData\Local\Temp\exizj.exe
PID 2612 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Users\Admin\AppData\Local\Temp\exizj.exe
PID 2612 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Windows\SysWOW64\cmd.exe
PID 2376 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\exizj.exe C:\Users\Admin\AppData\Local\Temp\quneah.exe
PID 2376 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\exizj.exe C:\Users\Admin\AppData\Local\Temp\quneah.exe
PID 2376 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\exizj.exe C:\Users\Admin\AppData\Local\Temp\quneah.exe
PID 2376 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\exizj.exe C:\Users\Admin\AppData\Local\Temp\quneah.exe
PID 2624 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\quneah.exe C:\Users\Admin\AppData\Local\Temp\higov.exe
PID 2624 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\quneah.exe C:\Users\Admin\AppData\Local\Temp\higov.exe
PID 2624 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\quneah.exe C:\Users\Admin\AppData\Local\Temp\higov.exe
PID 2624 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\quneah.exe C:\Users\Admin\AppData\Local\Temp\higov.exe
PID 2624 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\quneah.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\quneah.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\quneah.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\quneah.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe

"C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe"

C:\Users\Admin\AppData\Local\Temp\exizj.exe

"C:\Users\Admin\AppData\Local\Temp\exizj.exe" hi

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\quneah.exe

"C:\Users\Admin\AppData\Local\Temp\quneah.exe" OK

C:\Users\Admin\AppData\Local\Temp\higov.exe

"C:\Users\Admin\AppData\Local\Temp\higov.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 N/A tcp
KR 1.234.83.146:11170 N/A tcp
KR 218.54.31.165:11110 N/A tcp
JP 133.242.129.155:11110 N/A tcp

Files

memory/2612-2-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/2612-23-0x0000000002840000-0x00000000028A8000-memory.dmp

memory/2376-33-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\quneah.exe

MD5 e704188fe23337989ae3292c82c8bbfe
SHA1 635a70acc93d1946f921750eadf9ceb1a21d86cc
SHA256 481d648b2f1bcadb3dd7fee44a1872369690e15218ad829876fdcdb27716bb59
SHA512 a832b1a179894444403f7a911f8606507096061d3fe100d32e7accd4b7983942857ecbdb44f5a8b9255cc4466490a97e650285e6a332b2b175ca4be6b65a23ab

memory/2624-34-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 f0a542051f587925e773aed510551c0a
SHA1 bd0f7fe15646e1bb9b381ce964be431b56c83189
SHA256 ab4e945db38780543ff3997c5e9e5e2c58e974caf1f8c8e540897208d1991f90
SHA512 c9109665f93150eb7eebc895c0ad5357500f3c8707cd5d50a9548a732e15bb9efa948570e4f72c80ccf8a0ddb152f8972a7e202ada6faf05c1f877ce8c6dcc26

memory/2376-25-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/2612-22-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\exizj.exe

MD5 5a9568a8db95af832bac7903cdab2eea
SHA1 133e36356ebc3c99808fb6c21ffbfaee52605ecf
SHA256 afb89bfe1d09cae0e9c0c8265aabcd9f05dedd1428730467ef7ee3227efc02eb
SHA512 b0c177b2603b652ee36cfb1824e5c654df5be1ab288bc750ec693528ebdb83756a2714d696f150f0004c118ddfbec4b7f2adc8098ce0ca07536b3620df84e794

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 8597b27c3ba89aac3aec691f8ef9d237
SHA1 8ee9089671609eb1d4eaabe1b0786abccbfedf2b
SHA256 2acfe09400322b1389b8e2c1a6ffe3734aaae6835bd1ac6839956fab25ef3337
SHA512 a351f0be3182d9a8ebf80676ea9408ba54fff9abcc9f6970f62d4f3d94717a55a35802291cd82d7b0bd513f8e3eb162fe6773a3d65380ed9345d8557f0b95921

\Users\Admin\AppData\Local\Temp\higov.exe

MD5 fe3af1797945ecdb8528731f06d57fcc
SHA1 01bbfcd082ecde962e4db36013e068f3465a8f63
SHA256 88c665becd36e6dfb4673e9f8fc6389506304ae2e8baab095acecdd71c2a98dd
SHA512 fe171a3d4d704ddae7906e36c330d257cc2081f193f14e39af94886288999ddb87c7eb500ed2afc66e19310867bfc5b4f4218741c8f470d74dc58b37065c8468

memory/2624-40-0x0000000003C10000-0x0000000003CB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 dfecc9686f56f40bd7bd79b69f9c43bb
SHA1 3e94767cb5d7bd7cfc00965fd32041a99fa6822e
SHA256 038d99a8b5b0141f780250a1a86cd7c969263ebf18dc8539b89f0b6dff6cf2e2
SHA512 2b12fb561bc6005424da26dbacff65c1d9ff2de249b4d7255ad35152a63c95cf3571faee0752b90793bb11ef97087aaac5648913bd374f13cdda24a001cfa116

memory/1904-52-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2624-51-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/1904-54-0x0000000000E70000-0x0000000000F10000-memory.dmp

memory/1904-57-0x0000000000E70000-0x0000000000F10000-memory.dmp

memory/1904-58-0x0000000000E70000-0x0000000000F10000-memory.dmp

memory/1904-59-0x0000000000E70000-0x0000000000F10000-memory.dmp

memory/1904-60-0x0000000000E70000-0x0000000000F10000-memory.dmp

memory/1904-61-0x0000000000E70000-0x0000000000F10000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-16 22:22

Reported

2024-03-16 22:25

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\axrot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ukfooh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\axrot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ukfooh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\moeqo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Users\Admin\AppData\Local\Temp\axrot.exe
PID 224 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Users\Admin\AppData\Local\Temp\axrot.exe
PID 224 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Users\Admin\AppData\Local\Temp\axrot.exe
PID 224 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\axrot.exe C:\Users\Admin\AppData\Local\Temp\ukfooh.exe
PID 1756 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\axrot.exe C:\Users\Admin\AppData\Local\Temp\ukfooh.exe
PID 1756 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\axrot.exe C:\Users\Admin\AppData\Local\Temp\ukfooh.exe
PID 1532 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\ukfooh.exe C:\Users\Admin\AppData\Local\Temp\moeqo.exe
PID 1532 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\ukfooh.exe C:\Users\Admin\AppData\Local\Temp\moeqo.exe
PID 1532 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\ukfooh.exe C:\Users\Admin\AppData\Local\Temp\moeqo.exe
PID 1532 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ukfooh.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ukfooh.exe C:\Windows\SysWOW64\cmd.exe
PID 1532 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\ukfooh.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe

"C:\Users\Admin\AppData\Local\Temp\cf389a6edfd132de5bfeb2deb343d5e2.exe"

C:\Users\Admin\AppData\Local\Temp\axrot.exe

"C:\Users\Admin\AppData\Local\Temp\axrot.exe" hi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\ukfooh.exe

"C:\Users\Admin\AppData\Local\Temp\ukfooh.exe" OK

C:\Users\Admin\AppData\Local\Temp\moeqo.exe

"C:\Users\Admin\AppData\Local\Temp\moeqo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
KR 218.54.31.226:11110 N/A tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
KR 1.234.83.146:11170 N/A tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
KR 218.54.31.165:11110 N/A tcp
US 8.8.8.8:53 192.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 17.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
JP 133.242.129.155:11110 N/A tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
PL 93.184.221.240:80 N/A tcp

Files

memory/224-0-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\axrot.exe

MD5 f2dd01151aac9dec5c94e0915854d166
SHA1 36df3452129b5c3fd834f307a53930867648f97b
SHA256 8f89a44e9800457ea0ff0724a17bfe52a0796797f70ea5cbe4188830c9345bb5
SHA512 ec102f17a6d90832ff3e3f9c1a91255e58f4a9753afcf683b15a5f79404b16d7cec5b28a308f598dba1f9df8f9ab853928b87e394c3f3dbb97715fce729d98ad

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 153b993f7150d69b54d15d6e043f5ab2
SHA1 b46e2c96c8af461bb4bd9613bd5c91aff7c60285
SHA256 f12543d9c55ccd4a62246dfb9fa5537b117d5c509cd199d505498ea0950bf7c0
SHA512 014f5db1efb4254053e6657d4462f7eaa586ec47e17c68d6c6c5b2f37fa265bd20a4e19924bc96c3f1c6a5bfd5bf104920b45d043fa258a35d7a01591bcd6cbe

memory/1756-10-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/224-16-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 f0a542051f587925e773aed510551c0a
SHA1 bd0f7fe15646e1bb9b381ce964be431b56c83189
SHA256 ab4e945db38780543ff3997c5e9e5e2c58e974caf1f8c8e540897208d1991f90
SHA512 c9109665f93150eb7eebc895c0ad5357500f3c8707cd5d50a9548a732e15bb9efa948570e4f72c80ccf8a0ddb152f8972a7e202ada6faf05c1f877ce8c6dcc26

C:\Users\Admin\AppData\Local\Temp\ukfooh.exe

MD5 e77d27b9eae260ff545524c162422c90
SHA1 63d310c0ae42e1972e8037fa29834aa26d49b6da
SHA256 b8feb420b237fb0fdde21edc85bf6331fccad5b74c361f635e1a939a85c90106
SHA512 471fd5b23c562e271d03a2f6a3f005bd0025a4c402ab7e674c20fdbd478043a3dfc314c5c809e496b78916b2fea3f595c42d7dee955328a4502fd83731491e2b

memory/1532-26-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/1756-25-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\moeqo.exe

MD5 0596b7e46278d25cfd1c98793f258fc1
SHA1 6d92961907b41ad0354e1fd1ade0f3433d5a5e11
SHA256 927ec232b92f27231c62cb865334a2aed934c67cfba606e3e6c66fce229d4c7f
SHA512 277af5f06be1743ce23734a95cdf760e50aade670be6778400c1f35231f69deff5dd984582ec737b147c4b72faebb5c39be276b29844ae6cb415753df0701f7d

memory/1388-37-0x0000000000F40000-0x0000000000FE0000-memory.dmp

memory/1388-39-0x0000000000150000-0x0000000000151000-memory.dmp

memory/1532-40-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 5a29d1f10053285c2d1f60faae33dfe2
SHA1 6baab06febca88249ee6e9a8a5e644961dd5b834
SHA256 59971e8d793ae473e572e6cf6cbd1d39594bbb28c18ac6ea4e452bdf243e3f4f
SHA512 5d7cbbcb9da7d02a84a4afd67bf0a93410e94aa50d7fde96478aacb4bdad9085ff3ec7435777e090ce4a399d8c9dccbd9e97c4d64eb7c47b6f5075924ec62998

memory/1388-43-0x0000000000F40000-0x0000000000FE0000-memory.dmp

memory/1388-44-0x0000000000F40000-0x0000000000FE0000-memory.dmp

memory/1388-45-0x0000000000F40000-0x0000000000FE0000-memory.dmp

memory/1388-46-0x0000000000F40000-0x0000000000FE0000-memory.dmp

memory/1388-47-0x0000000000F40000-0x0000000000FE0000-memory.dmp