Malware Analysis Report

2024-11-16 13:27

Sample ID 240731-bmz7xayfln
Target 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a
SHA256 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a
Tags
urelas discovery trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a

Threat Level: Known bad

The file 8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

UPX packed file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-31 01:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
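The static pass flags only "Unsigned PE"; the two behavioral runs below add "UPX packed file". Both are header-level properties that can be checked without detonating anything. The Python below is an added example, not part of the sandbox report or of any tool it uses: it builds two minimal PE32 images as constructed test data (not the analysed sample), then reads the section table for the stock UPX section names and the Security data directory (entry 4) for an embedded Authenticode blob. The names _build_pe, parse_pe, is_upx_packed, has_authenticode_blob and triage are the example's own.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # stock UPX names; renamed stubs evade this


def _build_pe(section_names, signature_size=0):
    """Construct a minimal PE32 image (constructed test data, not the sample)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after DOS header
    opt_size = 224                                    # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)              # NumberOfRvaAndSizes
    # Data directories start at offset 96; entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY.
    # Its "VirtualAddress" is really a file offset to the WIN_CERTIFICATE blob.
    struct.pack_into("<II", opt, 96 + 4 * 8, 0x4000 if signature_size else 0, signature_size)
    sections = b"".join(name.encode().ljust(8, b"\0") + bytes(32) for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


def parse_pe(data):
    """Pull machine type, section names and the Security directory out of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    dd_off = opt_off + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ layout
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    sec_va = sec_size = 0
    if ndirs > 4:
        sec_va, sec_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    sec_off = opt_off + opt_size
    names = []
    for i in range(nsec):                                  # each section header is 40 bytes
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return {"machine": machine, "sections": names, "security_dir": (sec_va, sec_size)}


def is_upx_packed(data):
    """Heuristic: any stock UPX section name present."""
    return bool(UPX_SECTION_NAMES & set(parse_pe(data)["sections"]))


def has_authenticode_blob(data):
    """True if a signature blob is embedded; says nothing about whether it verifies."""
    va, size = parse_pe(data)["security_dir"]
    return va != 0 and size != 0


def triage(data):
    return {"upx": is_upx_packed(data), "signed": has_authenticode_blob(data)}


# Constructed inputs: a UPX-style unsigned image and a plain image carrying a signature blob.
PACKED_UNSIGNED = _build_pe(["UPX0", "UPX1", ".rsrc"])
PLAIN_SIGNED = _build_pe([".text", ".rdata", ".data"], signature_size=0x1800)

if __name__ == "__main__":
    print(triage(PACKED_UNSIGNED))   # {'upx': True, 'signed': False}
    print(triage(PLAIN_SIGNED))      # {'upx': False, 'signed': True}
```

Two caveats belong next to these signatures: UPX section names are trivially renamed (a modified stub still unpacks, but this check misses it), and a populated Security directory only says a blob is present; whether it verifies, and against which chain, needs a real Authenticode check such as signtool verify or osslsigncode verify. To run the same checks on the actual file, replace the constructed blobs with open(path, "rb").read().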

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-31 01:16

Reported

2024-07-31 01:19

Platform

win7-20240704-en

Max time kernel

145s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qiupn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yhkezy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wexuk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qiupn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yhkezy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wexuk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Users\Admin\AppData\Local\Temp\qiupn.exe
PID 1748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Users\Admin\AppData\Local\Temp\qiupn.exe
PID 1748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Users\Admin\AppData\Local\Temp\qiupn.exe
PID 1748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Users\Admin\AppData\Local\Temp\qiupn.exe
PID 1748 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\qiupn.exe C:\Users\Admin\AppData\Local\Temp\yhkezy.exe
PID 2840 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\qiupn.exe C:\Users\Admin\AppData\Local\Temp\yhkezy.exe
PID 2840 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\qiupn.exe C:\Users\Admin\AppData\Local\Temp\yhkezy.exe
PID 2840 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\qiupn.exe C:\Users\Admin\AppData\Local\Temp\yhkezy.exe
PID 644 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\yhkezy.exe C:\Users\Admin\AppData\Local\Temp\wexuk.exe
PID 644 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\yhkezy.exe C:\Users\Admin\AppData\Local\Temp\wexuk.exe
PID 644 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\yhkezy.exe C:\Users\Admin\AppData\Local\Temp\wexuk.exe
PID 644 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\yhkezy.exe C:\Users\Admin\AppData\Local\Temp\wexuk.exe
PID 644 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\yhkezy.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\yhkezy.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\yhkezy.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\yhkezy.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe

"C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe"

C:\Users\Admin\AppData\Local\Temp\qiupn.exe

"C:\Users\Admin\AppData\Local\Temp\qiupn.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\yhkezy.exe

"C:\Users\Admin\AppData\Local\Temp\yhkezy.exe" OK

C:\Users\Admin\AppData\Local\Temp\wexuk.exe

"C:\Users\Admin\AppData\Local\Temp\wexuk.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country  Destination            Domain  Proto
KR       218.54.31.226:11110    -       tcp
KR       1.234.83.146:11170     -       tcp
KR       218.54.31.165:11110    -       tcp
JP       133.242.129.155:11110  -       tcp

Files

memory/1748-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1748-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1748-38-0x0000000000526000-0x000000000087A000-memory.dmp

memory/1748-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1748-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1748-33-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1748-30-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1748-28-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1748-25-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1748-23-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1748-20-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1748-18-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/1748-15-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1748-13-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1748-11-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1748-10-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1748-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1748-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1748-5-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1748-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1748-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1748-42-0x0000000000400000-0x0000000000EEC000-memory.dmp

\Users\Admin\AppData\Local\Temp\qiupn.exe

MD5 d166e351b50daaefb2598c6f526d3f3b
SHA1 5cc7a8a466d1f1e0bdae934e89751f5397eb5277
SHA256 73623dd569b76554cb3435a8730300f73fe337390ebb574eb6c145e4c3ef81ea
SHA512 7783865c8c8c233d1f8eb1c7e397a57ea1adc57ae9fdbf3a1875d72e1876fe5c9a0457837dbf38c8332721b640465b9466465474362fb7d836f393e32177de06

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 8ada5a454e2d31b1f264224e2a058239
SHA1 ace150f1a49ba028bce64aaa5357ed536a19e336
SHA256 8b4c48523560c12ff89d556d67243e75f8e8880d3cfb9263a62ae935042a3f95
SHA512 3562dd4d437f2881f4849c5003c40377082e4b71835d67f17016b8b25f3802487caac941c4ebc078a76c32607959fd285ce817f1c86c3e7c6f6c55974a75e8f6

memory/1748-61-0x0000000003EF0000-0x00000000049DC000-memory.dmp

memory/1748-63-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1748-53-0x0000000003EF0000-0x00000000049DC000-memory.dmp

memory/2840-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2840-89-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2840-87-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/2840-84-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2840-82-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2840-79-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2840-77-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2840-74-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2840-72-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2840-69-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2840-67-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1748-103-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ddf453996fcae41217f47c69330d96f9
SHA1 78c965a3ae16d3e4a4ad8dd2b3d9d5c2d9a59648
SHA256 0477f2bda157e996a3a9006c662ece9bff08cc4d5b8017d21b953e4198dd5e72
SHA512 b7dd073dd202f1201b8132747bbc0f8c359e6aa05297213bfbb871075d4939f9b350ec473c70773e668e6c5fc053595428d660eca490d71b55ece869bee98998

memory/2840-105-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2840-115-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/644-116-0x0000000000400000-0x0000000000EEC000-memory.dmp

\Users\Admin\AppData\Local\Temp\wexuk.exe

MD5 6860a6e24cff6ddbbca2bd295484a1fc
SHA1 3a4edc0924c51b13a560e3dc2143b3fe5603cb24
SHA256 4066d43a0c8d3e5b41d86a813bf9e4a9db8c4ae3437da1ecbf67ec44b999b561
SHA512 92f82f1192392cbcc18340a643b664eb1e0d84f1ae7ac73fca6212dd9339a71571741600d7d6fbe8228cbe14949416766dbc2e5c581da2ae41c7f5c7686908bd

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 353477e1fe864c2fdda6a63b9a6241d1
SHA1 b945bbbdab042f117abe5d04d57faf13c322632d
SHA256 0282f9b6f828db1026edebb08f3093ab8a808394379f2ccfe2f1ed13dd284385
SHA512 d47f8b272d3e26bc64e65ed02f64966251e29f9e2e3e1134fffd179dc141aa00af96e592d6baebff02869c11741cea7e7c6d0acce1356c44e0d7a172acaec013

memory/644-171-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2580-170-0x0000000000400000-0x0000000000599000-memory.dmp

memory/644-169-0x00000000047E0000-0x0000000004979000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/2580-176-0x0000000000400000-0x0000000000599000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-31 01:16

Reported

2024-07-31 01:19

Platform

win10v2004-20240730-en

Max time kernel

148s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\niwob.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\poupko.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\niwob.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\poupko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\niwob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niwob.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\niwob.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sehen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Users\Admin\AppData\Local\Temp\niwob.exe
PID 2900 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Users\Admin\AppData\Local\Temp\niwob.exe
PID 2900 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Users\Admin\AppData\Local\Temp\niwob.exe
PID 2900 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\niwob.exe C:\Users\Admin\AppData\Local\Temp\poupko.exe
PID 3412 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\niwob.exe C:\Users\Admin\AppData\Local\Temp\poupko.exe
PID 3412 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\niwob.exe C:\Users\Admin\AppData\Local\Temp\poupko.exe
PID 432 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Users\Admin\AppData\Local\Temp\sehen.exe
PID 432 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Users\Admin\AppData\Local\Temp\sehen.exe
PID 432 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Users\Admin\AppData\Local\Temp\sehen.exe
PID 432 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Windows\SysWOW64\cmd.exe
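The rows above (and the equivalent rows for the win7 run, PIDs 1748 to 2840 to 644 to 2580) read more easily as a process tree. Each parent writes into the child it has just created, so every parent/child pair appears several times; collapsing the repeats leaves one edge per pair. The script below is an added example, not part of the report: it embeds the win10 rows verbatim as its input, rebuilds the tree, and follows the non-cmd.exe branch to list the dropped stages. parse_rows, build_tree, render_tree and dropper_chain are the example's own names.

```python
import re
from collections import defaultdict

# "Suspicious use of WriteProcessMemory" rows from the win10 run, copied from the report.
WPM_ROWS_BEHAVIORAL2 = r"""
PID 2900 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Users\Admin\AppData\Local\Temp\niwob.exe
PID 2900 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Users\Admin\AppData\Local\Temp\niwob.exe
PID 2900 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Users\Admin\AppData\Local\Temp\niwob.exe
PID 2900 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\niwob.exe C:\Users\Admin\AppData\Local\Temp\poupko.exe
PID 3412 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\niwob.exe C:\Users\Admin\AppData\Local\Temp\poupko.exe
PID 3412 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\niwob.exe C:\Users\Admin\AppData\Local\Temp\poupko.exe
PID 432 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Users\Admin\AppData\Local\Temp\sehen.exe
PID 432 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Users\Admin\AppData\Local\Temp\sehen.exe
PID 432 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Users\Admin\AppData\Local\Temp\sehen.exe
PID 432 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\poupko.exe C:\Windows\SysWOW64\cmd.exe
"""

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_rows(text):
    """Collapse repeated rows into one edge per (parent, child) with a write count."""
    edges = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst, src_img, dst_img = m.groups()
        key = (int(src), int(dst))
        if key in edges:
            edges[key]["writes"] += 1
        else:
            edges[key] = {"src_image": src_img, "dst_image": dst_img, "writes": 1}
    return edges


def build_tree(edges):
    """Return (roots, children-by-pid, image-by-pid) from the collapsed edges."""
    children, names, has_parent = defaultdict(list), {}, set()
    for (src, dst), e in edges.items():
        names.setdefault(src, e["src_image"])
        names.setdefault(dst, e["dst_image"])
        children[src].append(dst)
        has_parent.add(dst)
    roots = [pid for pid in names if pid not in has_parent]
    return roots, children, names


def render_tree(text):
    """Indented 'pid image' lines, depth-first, in the order the rows were recorded."""
    roots, children, names = build_tree(parse_rows(text))
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(names[pid])}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def dropper_chain(text):
    """Follow the non-cmd.exe child at each level: the sequence of dropped stages."""
    roots, children, names = build_tree(parse_rows(text))
    chain, pid = [], roots[0]
    while pid is not None:
        chain.append(basename(names[pid]))
        nxt = [c for c in children.get(pid, []) if basename(names[c]).lower() != "cmd.exe"]
        pid = nxt[0] if nxt else None
    return chain


if __name__ == "__main__":
    print("\n".join(render_tree(WPM_ROWS_BEHAVIORAL2)))
    print(" -> ".join(dropper_chain(WPM_ROWS_BEHAVIORAL2)))
```

The two cmd.exe leaves are the _vslite.bat runs listed under Processes; in the win7 run the "Deletes itself" signature is attributed to that cmd.exe. The Files section adds one more detail worth reading off the tree: the sample, niwob.exe and poupko.exe (and their win7 counterparts) are mapped at 0x400000-0xEEC000 while sehen.exe and wexuk.exe are mapped at 0x400000-0x599000, so the first stages share an image size despite differing file hashes and the final stage is a different, smaller binary, which makes it the one to pull out of the run for separate analysis.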

Processes

C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe

"C:\Users\Admin\AppData\Local\Temp\8564dc090e561991f2a43ed44dae5610ca82ca9e87a1f3d093ded3fe78b2830a.exe"

C:\Users\Admin\AppData\Local\Temp\niwob.exe

"C:\Users\Admin\AppData\Local\Temp\niwob.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\poupko.exe

"C:\Users\Admin\AppData\Local\Temp\poupko.exe" OK

C:\Users\Admin\AppData\Local\Temp\sehen.exe

"C:\Users\Admin\AppData\Local\Temp\sehen.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country  Destination            Domain                       Proto
US       8.8.8.8:53             g.bing.com                   udp
US       13.107.21.237:443      g.bing.com                   tcp
US       8.8.8.8:53             2.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53             237.21.107.13.in-addr.arpa   udp
US       8.8.8.8:53             43.58.199.20.in-addr.arpa    udp
KR       218.54.31.226:11110    -                            tcp
KR       1.234.83.146:11170     -                            tcp
KR       218.54.31.165:11110    -                            tcp
US       8.8.8.8:53             240.143.123.92.in-addr.arpa  udp
JP       133.242.129.155:11110  -                            tcp
US       8.8.8.8:53             29.243.111.52.in-addr.arpa   udp
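Both runs reach the same four raw IP:port endpoints on 11110/11170 with no DNS lookup in front of them; the g.bing.com and in-addr.arpa rows appear only in this win10 run and not in the win7 table, so treat them as platform background traffic unless something else ties them to the sample. The script below is an added example, not part of the report: it takes those four endpoints as IOCs, scores constructed connection records (not sandbox output) in three tiers, and emits Suricata rules with placeholder local SIDs. classify, scan, suricata_rules and the Alert type are the example's own; the 10.0.0.15 source and the 203.0.113.7 stand-in for an unknown external host are made up.

```python
import ipaddress
from dataclasses import dataclass

# Direct-to-IP TCP destinations listed in both behavioral runs of the report.
C2_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}
C2_HOSTS = {ip for ip, _ in C2_ENDPOINTS}
C2_PORTS = {port for _, port in C2_ENDPOINTS}

# RFC 1918 ranges: the port heuristic never fires on internal destinations.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records (not from the report): ts src dst dport proto.
# 203.0.113.7 is a documentation address standing in for an unknown external host.
SAMPLE_LOG = """\
# ts src dst dport proto
2024-07-31T01:17:02Z 10.0.0.15 13.107.21.237 443 tcp
2024-07-31T01:17:05Z 10.0.0.15 218.54.31.226 11110 tcp
2024-07-31T01:17:06Z 10.0.0.15 1.234.83.146 11170 tcp
2024-07-31T01:17:09Z 10.0.0.15 203.0.113.7 11110 tcp
2024-07-31T01:17:11Z 10.0.0.15 8.8.8.8 53 udp
2024-07-31T01:17:12Z 10.0.0.15 218.54.31.165 11110 udp
2024-07-31T01:17:13Z 10.0.0.15 10.0.0.1 11110 tcp
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Alert:
    ts: str
    dst: str
    dport: int
    proto: str
    severity: str
    reason: str


def classify(dst, dport, proto):
    """Return (severity, reason) for one connection record, or None if it is clean."""
    if proto == "tcp" and (dst, dport) in C2_ENDPOINTS:
        return "high", "exact match on reported C2 endpoint"
    if dst in C2_HOSTS:
        return "medium", "reported C2 host on a different port/protocol"
    if proto == "tcp" and dport in C2_PORTS and not is_internal(dst):
        return "low", "external host on a port used by the reported C2 set"
    return None


def scan(log_text):
    """Run classify() over whitespace-separated records, skipping blanks and comments."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, _src, dst, dport, proto = line.split()
        hit = classify(dst, int(dport), proto)
        if hit:
            alerts.append(Alert(ts, dst, int(dport), proto, *hit))
    return alerts


def suricata_rules(base_sid=1000001):
    """One rule per reported endpoint; SIDs are local placeholders, renumber for your ruleset."""
    rules = []
    for i, (ip, port) in enumerate(sorted(C2_ENDPOINTS)):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Urelas C2 endpoint {ip}:{port} (sandbox report 240731-bmz7xayfln)"; '
            f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.dst}:{a.dport}/{a.proto} {a.severity}: {a.reason}")
    print("\n".join(suricata_rules()))
```

Exact matches give a confident hit but age quickly; the port tier catches the same family moving to a new host at the cost of false positives on anything else that happens to use 11110/11170, which is why it is scored low and suppressed for RFC 1918 destinations.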

Files

memory/2900-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2900-1-0x0000000001050000-0x0000000001051000-memory.dmp

memory/2900-3-0x0000000002C40000-0x0000000002C41000-memory.dmp

memory/2900-7-0x0000000002CA0000-0x0000000002CA1000-memory.dmp

memory/2900-6-0x0000000002C90000-0x0000000002C91000-memory.dmp

memory/2900-5-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/2900-4-0x0000000002C70000-0x0000000002C71000-memory.dmp

memory/2900-2-0x0000000001060000-0x0000000001061000-memory.dmp

memory/2900-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2900-10-0x0000000000526000-0x000000000087A000-memory.dmp

memory/2900-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\niwob.exe

MD5 3766b37aecf3d9600fe2746734c109c6
SHA1 74ad2808cdbcb3566c25339a8272bc4142177eaa
SHA256 710aae7c722543346ec8a99e1d21baf454e0fb95adf21440ccc78ae7cf502a25
SHA512 c3712004c595151277164308e1fb27ca873ddf826f911dddce2708c32fd188ad538d416972e558be956840de275f9aba2f56208bde65478206279cdd5e24c1cf

memory/3412-23-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2900-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2900-26-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 8ada5a454e2d31b1f264224e2a058239
SHA1 ace150f1a49ba028bce64aaa5357ed536a19e336
SHA256 8b4c48523560c12ff89d556d67243e75f8e8880d3cfb9263a62ae935042a3f95
SHA512 3562dd4d437f2881f4849c5003c40377082e4b71835d67f17016b8b25f3802487caac941c4ebc078a76c32607959fd285ce817f1c86c3e7c6f6c55974a75e8f6

memory/3412-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 fe28784d002e188196edb7f2f70f4bc8
SHA1 65e8555bcfd60cb3c12ae63a420fffc12a70bfc5
SHA256 9bafab7c6be6ed736aa3a7d80dffb2ba0496dd7ac3e913cc13ff02f576a466a8
SHA512 e1e11a99efe6dd39dd341beb9f5dd4d69c622fab0e9b51f0bd0a59baef430eaeab7dcc91d26271874753e1fe3c24bdf132d3e721206e8cecf5e9aa189adbc133

memory/3412-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3412-34-0x0000000002C90000-0x0000000002C91000-memory.dmp

memory/3412-33-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/3412-32-0x0000000002C70000-0x0000000002C71000-memory.dmp

memory/3412-31-0x0000000002C60000-0x0000000002C61000-memory.dmp

memory/3412-30-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/3412-29-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/3412-28-0x0000000001060000-0x0000000001061000-memory.dmp

memory/3412-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3412-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/432-49-0x0000000000F80000-0x0000000000F81000-memory.dmp

memory/432-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/432-55-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/432-54-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/432-53-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/432-52-0x0000000002B50000-0x0000000002B51000-memory.dmp

memory/432-51-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

memory/432-50-0x0000000000F90000-0x0000000000F91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sehen.exe

MD5 491354bf8ecab3bc3a5c415d30ae8a4c
SHA1 2fea6d7393d539bdeaa1242b05a8f81241d97745
SHA256 a7b815df1c5b92bc0744ce52658be5b7d5b64c2d60d1683e232c6a7d49a1a74b
SHA512 abd53e5710e7b9fc4dc68837abc73e85356a87ab9174a5c2669deaeb6d34789330beafd93f15a84eb87692b15eb6a22b2aed80ba925aef6d1d0b1ff050d1f370

memory/4896-69-0x0000000000400000-0x0000000000599000-memory.dmp

memory/432-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 346f69104506fcfed4739daaa518df25
SHA1 81a9839e844efc8dbd6b66be85abe247eade0204
SHA256 8e8087aed816ad06ff3ab6e6cb8849af1333bb9f68a79760c28200071dbff221
SHA512 35fedb8ed5a68c8b33c7d565f84ba15baed983eb9ace6ad389b20f3cfc9146802d5e858b45d38156984a55cbd77407e188c8f6b23786d164f6e79787beb3aaad

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/4896-74-0x0000000000400000-0x0000000000599000-memory.dmp

memory/4896-75-0x0000000000400000-0x0000000000599000-memory.dmp