Malware Analysis Report

2025-08-05 19:40

Sample ID: 240317-cabjfsbf34
Target: f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a
SHA256: f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a
Tags: urelas trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a

Threat Level: Known bad

The file f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-03-17 01:51

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-17 01:51

Reported: 2024-03-17 01:54

Platform: win7-20240221-en

Max time kernel: 157s

Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jijui.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\isnuso.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pojin.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pojin.exe N/A
(this row was reported 54 times; duplicate rows collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe C:\Users\Admin\AppData\Local\Temp\jijui.exe
PID 2716 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe C:\Windows\SysWOW64\cmd.exe
PID 3004 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\jijui.exe C:\Users\Admin\AppData\Local\Temp\isnuso.exe
PID 2768 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\isnuso.exe C:\Users\Admin\AppData\Local\Temp\pojin.exe
PID 2768 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\isnuso.exe C:\Windows\SysWOW64\cmd.exe
(each of the five rows above was reported 4 times; duplicate rows collapsed)

Processes

C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe

"C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe"

C:\Users\Admin\AppData\Local\Temp\jijui.exe

"C:\Users\Admin\AppData\Local\Temp\jijui.exe" hi

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\isnuso.exe

"C:\Users\Admin\AppData\Local\Temp\isnuso.exe" OK

C:\Users\Admin\AppData\Local\Temp\pojin.exe

"C:\Users\Admin\AppData\Local\Temp\pojin.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 - tcp
KR 1.234.83.146:11170 - tcp
KR 218.54.31.165:11110 - tcp
JP 133.242.129.155:11110 - tcp

Files

memory/2716-0-0x0000000000400000-0x00000000004679C5-memory.dmp

\Users\Admin\AppData\Local\Temp\jijui.exe

MD5 ab8d2123ca4162d852e887e135fc2a0d
SHA1 b0d3a914a7fc6c7838737a6f92dd8e640c60e560
SHA256 3bc5ea7560ec94e47cbcf30e7f23aad323f1628768a1aa98af4558312f18fcb0
SHA512 046de8c9202a899a6bcabd503ea2ee5b9347d3bbb0364c41be252ec3883013ec7552a3fdc378d5527358802cc719ef41465aada08c5427b85e03750e47534476

memory/2716-11-0x0000000002210000-0x0000000002278000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jijui.exe

MD5 cebd9e1b3893da666d3b620f99255e93
SHA1 c8b428008322c787b8f772f685e61b31edec0c4f
SHA256 6f69e4aaee647ee2119131f4051814124a40d08fe1804ae17c75e4c261b38e59
SHA512 8eebd667d79483ff914b73812a0c366bf4218d5d98f0fb49f401e16b5be8f425068219e9d69ea2c01f8a82e12e530019acb09461d037ff03fe1c37a8d6bc4f6a

\Users\Admin\AppData\Local\Temp\jijui.exe

MD5 e49881b9caeb2e1881e02efa0275fd45
SHA1 c47401d50a491326258d34337d07e25fa223a9ab
SHA256 5c0f7a466a88e100998645ef61c6876b17704365ed042ee9a23fff4ce5e0fe00
SHA512 177dc1c55d8069377fbbd4e1b86272df87ec68789ab7c2c307d8f867778d55f607e7cb7fe6d66bfc30653b963123a26e59bd862ae3656d2db9b4a0aeb4674a8b

memory/2716-15-0x0000000002210000-0x0000000002278000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 047b024223c5fa0c621431007d08b16f
SHA1 eb2aef08b0c87407281cada747a5cd5a12af26f2
SHA256 4c77c8080060a85d99ca2e0fbd2986dc73378cb8dcd65e7cf3c10de27c12d397
SHA512 187bcd8a107b81a3c7e9585b93cabb7e4db9a9cfb105f1e1ead4d18f8154da64c27bb23f127f911d03f06f8555035006e7da0154f203ceb3d920a008972bb1e3

memory/3004-14-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 27fef949ccb96ac3f9c325feabdccb61
SHA1 694c9104de36b20826e7b956832c8726d71a5c0b
SHA256 d11b9ab63b75941afe79e382a7542ed4557a064de6e9bd0f87d489bebfc46475
SHA512 096b4772202cf1f48c166f24c6bbbcde4627c3da3b56ade0265f11f8aefe0d0c29047dbfa5ad82a8a6dd1b8e82fe6d208cb08e6a9d4e38d022a917891851a43e

C:\Users\Admin\AppData\Local\Temp\jijui.exe

MD5 76ea83a5d8e05ce7d4180db69e907957
SHA1 4ad8252a92a8a2a4f3ba0670f87eea5864e8c23b
SHA256 5b0949f3298f767f9e3308086b0a12f32c924037c70974e14535657cf6ee1186
SHA512 25c5b4f0b866ebfc8b9824a3311e67fd5846840b87cb03f1833329a709ca8836ffd556a14c05693c638e3c7b0e0e4465bf1a2c8e89dc5f0154963879f3a77522

memory/2716-25-0x0000000000400000-0x00000000004679C5-memory.dmp

\Users\Admin\AppData\Local\Temp\isnuso.exe

MD5 ba700a5dca2f84364202fa2fed34ae83
SHA1 5d30c5cb483eeaf4e1a8314f1f195a90cc9f1f47
SHA256 6e3dd3a5a1084516bb1152acb3ca9430186bc99c058746db1c4726acb11c40a9
SHA512 7b3cc5fb268df891730c66ae17d6f68a275d36c11063ac75406684f75d0dcdb1d5f47b5bab51fd79f48b790ce1cecd8d7918bb2ed71b13d42648ccb6d1a64620

memory/3004-33-0x0000000003050000-0x00000000030B8000-memory.dmp

memory/3004-34-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/2768-36-0x0000000000400000-0x00000000004679C5-memory.dmp

\Users\Admin\AppData\Local\Temp\pojin.exe

MD5 dfebaf7318dd971fc04764d0da3f56ca
SHA1 a154748087ebf983b436236d65113545c606941d
SHA256 74cc296ea7da2152e2b8fcd8a657d4f34a57a3d506acc4e6596e63366c8ae0be
SHA512 7519191ef2bf6a8e06cea513cb656fa4601748ba2582d8ac684343d596c3beb2deeb62d02195e1cb310e5bc0dc9b202324be01a425a049de0a91775b2aebfa3e

C:\Users\Admin\AppData\Local\Temp\pojin.exe

MD5 df4c53b223ed60a53332801214a30953
SHA1 bbaac36875c4ade502e7231cf66e772e93e13185
SHA256 6af392d27bafe7553d54fe382480661db1fa354249f8a3b29d458e2a87dfc44a
SHA512 758bf5106dda55aad0274976050390c5c19b8b2c854a8404c5c0ccc37a18640b61b71d9f2f5a1be4a24d643a549a62e0cf8e29d5d6b52a06a2e8fbf2b08f8e9b

memory/2768-44-0x0000000003450000-0x00000000034F0000-memory.dmp

memory/2624-48-0x0000000000340000-0x00000000003E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 1c1e982d6941717d841e4129df9c41c3
SHA1 59d7f341b12c1c7305dea8cdc267e17c35379d04
SHA256 82a2baeca1a8f9dadec11e7799a35d5007e5d8c3fcb4afbf93953496b07eaeb6
SHA512 6d0b4ca58cfc3fa866ba20127e47dc9ae9bcc920929c68432506d50e4e551c4f8c9888c67c411c65f2f6760a6d8462833a109e35f1086032bff2884546469f6c

memory/2768-55-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/2624-56-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2624-59-0x0000000000340000-0x00000000003E0000-memory.dmp

memory/2624-60-0x0000000000340000-0x00000000003E0000-memory.dmp

memory/2624-61-0x0000000000340000-0x00000000003E0000-memory.dmp

memory/2624-62-0x0000000000340000-0x00000000003E0000-memory.dmp

memory/2624-63-0x0000000000340000-0x00000000003E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-17 01:51

Reported: 2024-03-17 01:54

Platform: win10v2004-20240226-en

Max time kernel: 150s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bucet.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rugifa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bucet.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rugifa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qyneb.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qyneb.exe N/A
(this row was reported 64 times; duplicate rows collapsed)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe C:\Users\Admin\AppData\Local\Temp\bucet.exe
PID 2424 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\bucet.exe C:\Users\Admin\AppData\Local\Temp\rugifa.exe
PID 5104 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\rugifa.exe C:\Users\Admin\AppData\Local\Temp\qyneb.exe
PID 5104 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\rugifa.exe C:\Windows\SysWOW64\cmd.exe
(each of the five rows above was reported 3 times; duplicate rows collapsed)

Processes

C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe

"C:\Users\Admin\AppData\Local\Temp\f52a6c1c6751cc59f3fb56181b29cc57b3870184038db1c1ff777aec468f602a.exe"

C:\Users\Admin\AppData\Local\Temp\bucet.exe

"C:\Users\Admin\AppData\Local\Temp\bucet.exe" hi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\rugifa.exe

"C:\Users\Admin\AppData\Local\Temp\rugifa.exe" OK

C:\Users\Admin\AppData\Local\Temp\qyneb.exe

"C:\Users\Admin\AppData\Local\Temp\qyneb.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
KR 218.54.31.226:11110 - tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
KR 1.234.83.146:11170 - tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
KR 218.54.31.165:11110 - tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
JP 133.242.129.155:11110 - tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp
(the tse1.mm.bing.net TCP connection was reported 5 times; duplicate rows collapsed)

Files

memory/2424-0-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bucet.exe

MD5 4371a774b23333b1af3c82fe17eb0f85
SHA1 b6d336fcc573def3c5e59cfbe9d6c4653e241591
SHA256 c54f2f0a0676e7a478288ba7c7964d54d273aa1be21586933f37a43c72d9a5b5
SHA512 d3e1ea59ed7c116e238bb11f21db8d95184e54c23f6eef249e3eb5e9b2dd91a4eb27e885ae6eef0c3ffba5e4552abd00e9b2696e67b6dff7070c184f0a4ae7f4

memory/4236-13-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 aff349671be5058090d6936d451e5776
SHA1 4a05f73c6cbda293d6e6a3453eef14e58e1a8deb
SHA256 e3c07a1962da5399537297da79318ce0999e225f92c52f5c7166f48b4abcf3c8
SHA512 c9854e78024f3d1eb45714382c335009377828635a73acae521e9405c59b4f544691e7bc3c391657894d196e08053a165b7e76acace3a0dfa483db4c6d92693a

memory/2424-15-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 047b024223c5fa0c621431007d08b16f
SHA1 eb2aef08b0c87407281cada747a5cd5a12af26f2
SHA256 4c77c8080060a85d99ca2e0fbd2986dc73378cb8dcd65e7cf3c10de27c12d397
SHA512 187bcd8a107b81a3c7e9585b93cabb7e4db9a9cfb105f1e1ead4d18f8154da64c27bb23f127f911d03f06f8555035006e7da0154f203ceb3d920a008972bb1e3

memory/4236-25-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rugifa.exe

MD5 ffeb39942993351e4ed069a4db46f445
SHA1 be0e86620fbbd595305ab15b7bcc211e3d2cbdf9
SHA256 ee3a625c383c04db7e058ea58b3b92ab4a2179d81d731499a3d3c0b41f76e580
SHA512 daab2d351358238c26918a1c5de38f7ca46df957d2909d7200ae1fd0dd5da38481dbfbb3ccbe590a04003e6d37b7bdbdf24b0269800be6b434d9ab00739a30d5

memory/5104-26-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qyneb.exe

MD5 5d4c91709faa8b94b8f0b0a62a828c1f
SHA1 54fef3d3d5e5b8d2529973da1e85867a36db3fef
SHA256 a025825667f04ffabbcc0cddcaee5a2ded26bf1946db3954ef2727c0d942c95c
SHA512 71ef377ac613d75bc290c39446930ad149d81ae65855c313ed12690c7de6c8ead28d999942798ea75fd5f0e8d5ea352d8b19fcb186c8600a3c05e9e5b4cfad2c

memory/1308-37-0x0000000000B00000-0x0000000000BA0000-memory.dmp

memory/1308-39-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/5104-40-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 d889df337f62131abe5ac62f090ec06f
SHA1 47dbc0cd18ff20ac2e0a696412415c3a2fcdb9fc
SHA256 98b985fe85716dcfaa23adea6e08ebe8b904a07823b3d87321c99571bffedf5d
SHA512 ec7193ee3547846cbad3e3170a07688d816c37441966fcb4eb22c75c94be10d1b83f67d1b7e055ac47a8441033b0b3e6b00efd3457f1f0e4c59be71e5de6e038

memory/1308-43-0x0000000000B00000-0x0000000000BA0000-memory.dmp

memory/1308-44-0x0000000000B00000-0x0000000000BA0000-memory.dmp

memory/1308-45-0x0000000000B00000-0x0000000000BA0000-memory.dmp

memory/1308-46-0x0000000000B00000-0x0000000000BA0000-memory.dmp

memory/1308-47-0x0000000000B00000-0x0000000000BA0000-memory.dmp