Malware Analysis Report

2024-11-16 13:28

Sample ID 240804-g1sb4sybrj
Target e4147b5901fcbc63624d36700ca59330N.exe
SHA256 ac06d639d30aec9bb6305373ffb6fa125a89d1db2d259b587489119676a434bc
Tags
urelas aspackv2 discovery trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

ac06d639d30aec9bb6305373ffb6fa125a89d1db2d259b587489119676a434bc

Threat Level: Known bad

The file e4147b5901fcbc63624d36700ca59330N.exe was found to be: Known bad.

Read together, the two detonations show the same chain on Windows 7 and Windows 10. The sample is an unsigned, ASPack-packed 32-bit PE (its cmd.exe children run from SysWOW64). On launch it writes three things to %TEMP%: a copy of itself under a random five- or six-letter name (usmim.exe on Windows 10, qofut.exe on Windows 7), a golfinfo.ini file, and a _vslite.bat script. It starts the copy and runs cmd.exe /c _vslite.bat; that batch is what fires the "Deletes itself" signature in the Windows 7 run, so the original file is gone once the chain is up. The copy launches a second stage (joivdu.exe / sosuuj.exe) with the argument OK, and that stage drops and runs a third executable (ryiwo.exe / huron.exe) together with a second _vslite.bat. The first three binaries are mapped at the same size (0x400000-0x458000); the third stage is a different, larger image (0x8C000 bytes), and it is the only process that enumerates running processes, which it does repeatedly. Every stage opens SYSTEM\ControlSet001\Control\NLS\Language, and on Windows 10 the first three also query Control Panel\International\Geo\Nation. The only network contact attributable to the sample is direct-to-IP TCP to three hosts in KR and one in JP on ports 11110 and 11170, identical in both runs and not preceded by any DNS lookup. The first _vslite.bat has the same hash (MD5 67319676c0c43cefcf1c88a4720b07b6) in both runs, so it is a stable file indicator; the dropped executables and the second batch differ between runs.

Malicious Activity Summary

urelas aspackv2 discovery trojan

Urelas

Urelas family

Executes dropped EXE

Deletes itself

ASPack v2.12-2.42

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

The matrix itself is an interactive element and is not reproduced here. The technique the signatures name explicitly is System Location Discovery: System Language Discovery (T1614.001), raised by the NLS\Language registry reads in every stage; the Geo\Nation query behind "Checks computer location settings" is the parent technique, System Location Discovery (T1614).

Analysis: static1

Detonation Overview

Reported

2024-08-04 06:16

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-04 06:16

Reported

2024-08-04 06:18

Platform

win10v2004-20240802-en

Max time kernel

119s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\usmim.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\joivdu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\usmim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\joivdu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryiwo.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\usmim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\joivdu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ryiwo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryiwo.exe N/A
(this row appears 64 times in the report; ryiwo.exe, the third stage, is the only process that enumerates processes, and it does so repeatedly during the 119 s run)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1160 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Users\Admin\AppData\Local\Temp\usmim.exe (3 rows)
PID 1160 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Windows\SysWOW64\cmd.exe (3 rows)
PID 3104 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\usmim.exe C:\Users\Admin\AppData\Local\Temp\joivdu.exe (3 rows)
PID 704 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\joivdu.exe C:\Users\Admin\AppData\Local\Temp\ryiwo.exe (3 rows)
PID 704 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\joivdu.exe C:\Windows\SysWOW64\cmd.exe (3 rows)

Each target is a process that the writing process itself has just created (compare the Processes list below), which is consistent with a parent setting up its own child during process creation rather than injection into an unrelated process; the signature is still useful here because it gives the parent-child relationships and PIDs of the whole chain.

Processes

C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe

"C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe"

C:\Users\Admin\AppData\Local\Temp\usmim.exe

"C:\Users\Admin\AppData\Local\Temp\usmim.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\joivdu.exe

"C:\Users\Admin\AppData\Local\Temp\joivdu.exe" OK

C:\Users\Admin\AppData\Local\Temp\ryiwo.exe

"C:\Users\Admin\AppData\Local\Temp\ryiwo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Only the four tcp rows to KR and JP are attributable to the sample. The udp/53 rows are the sandbox resolver handling a g.bing.com lookup and reverse (in-addr.arpa) lookups of addresses that no process here connected to, and 204.79.197.237:443 is the Bing host itself; none of that traffic appears in the Windows 7 run, while the four endpoints on ports 11110 and 11170 appear in both. Note that the sample resolves no domain for its own endpoints: it connects to hard-coded IPs.

Files

memory/1160-0-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\usmim.exe

MD5 ab14edb09a240e1d33dd69094c9ca0ba
SHA1 a3cba383754cfc2a92ca9436621276b1831bbc32
SHA256 5eb1fa75240ad31b83fb2a43de5029676ab1529c1c568a7d129cb761c79a28ca
SHA512 242944a440d38b212bd4d0169d00d82116b83e63151218233a2968dc7ad720c82cdad16cc5239f4f6087f22f174243e60f252c07c0bb5537975e16da170afca2

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 50c8d0497c2db650e39e6929951ef040
SHA1 6463c2360d376bb7c8cdaa6cbdbe968dc916c3a3
SHA256 42ae5ebe31a8ccdd891e294e3f338d24368de0bd99dd3640fdc4f1ccf8f4334a
SHA512 defb2b8c047282e3ba47cf057bc7746bf87df87b5cca4fa7eee45739482cee34dee1c8eaafb4d1cb18cfb5bdca3e44d376d1905b2be6bf1fd2c2addadfeed174

memory/3104-14-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1160-15-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 67319676c0c43cefcf1c88a4720b07b6
SHA1 d4b4b65683e3221a9ee3025c5ad013eea0d7f407
SHA256 f0d650e4d09d5a7cedd6f4df43f927d45f6e6d9abafc60aeb7eb691a1e2ea59a
SHA512 dd449def574efd2a9194fdb7ff8573ad1e01245fcfeeb89ef32a7419bea741ad1fc7c73cfda2559a4af0bc1a8680cb139e51f6219e53a571dc55c74e4a462f2e

memory/3104-25-0x0000000000400000-0x0000000000458000-memory.dmp

memory/704-26-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ryiwo.exe

MD5 02cb10d89178ce6b8f635c4c4f0e671d
SHA1 8d15bd42833d4d50b0b0e70773f5b2bfcc1549b1
SHA256 9b68519a9e1d446ea200c88d0ab59574d93efc8166613b11385bda40ba2229bd
SHA512 0721f61b9cfea41262af059afda7bdf14f8bd3fad68d77af4e8bd8d06c5044ec393d9637aa244da5d86f6960cd4ec1553ed82535aeaa29f78d7f36e17b3f7045

memory/2828-42-0x0000000000C10000-0x0000000000C9C000-memory.dmp

memory/2828-40-0x0000000000C10000-0x0000000000C9C000-memory.dmp

memory/704-43-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2828-39-0x0000000000C10000-0x0000000000C9C000-memory.dmp

memory/2828-38-0x0000000000C10000-0x0000000000C9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat (second copy, written later in the chain; its content differs from the first copy above, whose hash is the same in both runs)

MD5 2e418a94ccf9833624cd7e1af27838ab
SHA1 22cfb28411bd95481aa567b05d1d009b1e90d81d
SHA256 dd8cf16728f51b5ed80ba729153ed9a2e124e2ca8f62a8b403f8f694ff9fed28
SHA512 1857e8578653c8852c7a26eb92f92221278042336a1e580704384b9b1a851994e6aa4c73cca154e7a4850e53d88d7e874bc69dd50a4e6d9043bb08260dd87b43

memory/2828-45-0x0000000000C10000-0x0000000000C9C000-memory.dmp

memory/2828-46-0x0000000000C10000-0x0000000000C9C000-memory.dmp

memory/2828-47-0x0000000000C10000-0x0000000000C9C000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-04 06:16

Reported

2024-08-04 06:18

Platform

win7-20240729-en

Max time kernel

119s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qofut.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sosuuj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\huron.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qofut.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sosuuj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\huron.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\huron.exe N/A
(this row appears 32 times in the report; huron.exe, the third stage, is the only process that enumerates processes, and it does so repeatedly)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Users\Admin\AppData\Local\Temp\qofut.exe (4 rows)
PID 2268 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Windows\SysWOW64\cmd.exe (4 rows)
PID 2868 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\qofut.exe C:\Users\Admin\AppData\Local\Temp\sosuuj.exe (4 rows)
PID 2600 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\sosuuj.exe C:\Users\Admin\AppData\Local\Temp\huron.exe (4 rows)
PID 2600 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\sosuuj.exe C:\Windows\SysWOW64\cmd.exe (4 rows)

As in the Windows 10 run, every target is a child the writing process has just created; the rows give the parent-child chain and PIDs rather than evidence of injection into a foreign process.

Processes

C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe

"C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe"

C:\Users\Admin\AppData\Local\Temp\qofut.exe

"C:\Users\Admin\AppData\Local\Temp\qofut.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\sosuuj.exe

"C:\Users\Admin\AppData\Local\Temp\sosuuj.exe" OK

C:\Users\Admin\AppData\Local\Temp\huron.exe

"C:\Users\Admin\AppData\Local\Temp\huron.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
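The WriteProcessMemory tables of both runs flatten the execution chain into repeated rows. The following is an added example, not part of the sandbox report or of any tooling the report was produced with: it parses those rows (copied from this page; the Windows 7 rows are given once each rather than four times), de-duplicates them, rebuilds the process tree, and pulls out the two facts an analyst wants from it: the sequence of dropped executables and which stages spawn cmd.exe for the _vslite.bat self-delete. The regex and the tree logic are this example's own assumptions about the row format.

```python
"""Rebuild the process tree behind Triage's 'Suspicious use of WriteProcessMemory' rows.

Added example; the rows are copied from the report, the parsing and tree logic are ours.
"""
import re
from collections import OrderedDict

# Windows 10 run (behavioral2), exactly as listed, including the three-fold repetition.
BEHAVIORAL2_ROWS = r"""
PID 1160 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Users\Admin\AppData\Local\Temp\usmim.exe
PID 1160 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Users\Admin\AppData\Local\Temp\usmim.exe
PID 1160 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Users\Admin\AppData\Local\Temp\usmim.exe
PID 1160 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Windows\SysWOW64\cmd.exe
PID 1160 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Windows\SysWOW64\cmd.exe
PID 3104 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\usmim.exe C:\Users\Admin\AppData\Local\Temp\joivdu.exe
PID 3104 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\usmim.exe C:\Users\Admin\AppData\Local\Temp\joivdu.exe
PID 3104 wrote to memory of 704 N/A C:\Users\Admin\AppData\Local\Temp\usmim.exe C:\Users\Admin\AppData\Local\Temp\joivdu.exe
PID 704 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\joivdu.exe C:\Users\Admin\AppData\Local\Temp\ryiwo.exe
PID 704 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\joivdu.exe C:\Users\Admin\AppData\Local\Temp\ryiwo.exe
PID 704 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\joivdu.exe C:\Users\Admin\AppData\Local\Temp\ryiwo.exe
PID 704 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\joivdu.exe C:\Windows\SysWOW64\cmd.exe
PID 704 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\joivdu.exe C:\Windows\SysWOW64\cmd.exe
PID 704 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\joivdu.exe C:\Windows\SysWOW64\cmd.exe
"""

# Windows 7 run (behavioral1); the report lists each of these rows four times.
BEHAVIORAL1_ROWS = r"""
PID 2268 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Users\Admin\AppData\Local\Temp\qofut.exe
PID 2268 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\e4147b5901fcbc63624d36700ca59330N.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\qofut.exe C:\Users\Admin\AppData\Local\Temp\sosuuj.exe
PID 2600 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\sosuuj.exe C:\Users\Admin\AppData\Local\Temp\huron.exe
PID 2600 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\sosuuj.exe C:\Windows\SysWOW64\cmd.exe
"""

# Assumed row shape: "PID <ppid> wrote to memory of <pid> N/A <parent path> <child path>".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return unique (parent_pid, child_pid, parent_path, child_path) edges in first-seen order."""
    seen = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unexpected row: {line!r}")
        ppid, cpid, ppath, cpath = m.groups()
        seen.setdefault((int(ppid), int(cpid), ppath, cpath), None)
    return list(seen)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(edges):
    """Map every pid to its image name and to its children; roots are pids nobody wrote to."""
    children, names = OrderedDict(), OrderedDict()
    for ppid, cpid, ppath, cpath in edges:
        names.setdefault(ppid, basename(ppath))
        names.setdefault(cpid, basename(cpath))
        children.setdefault(ppid, []).append(cpid)
    written_to = {cpid for _, cpid, _, _ in edges}
    roots = [pid for pid in names if pid not in written_to]
    return roots, children, names


def render_tree(edges):
    """Indented text tree, one '<pid> <image>' line per process."""
    roots, children, names = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} {names[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def dropper_chain(edges):
    """Image names along the path root -> dropped copy -> ..., skipping the cmd.exe side branches."""
    roots, children, names = build_tree(edges)
    chain, pid = [], roots[0]
    while True:
        chain.append(names[pid])
        nxt = [c for c in children.get(pid, []) if names[c].lower() != "cmd.exe"]
        if not nxt:
            return chain
        pid = nxt[0]


def cmd_spawners(edges):
    """Sorted image names of the stages that launch cmd.exe (the _vslite.bat self-delete)."""
    return sorted({basename(p) for _, _, p, c in edges if basename(c).lower() == "cmd.exe"})


if __name__ == "__main__":
    for name, rows in (("behavioral2", BEHAVIORAL2_ROWS), ("behavioral1", BEHAVIORAL1_ROWS)):
        edges = parse_rows(rows)
        print(f"{name}: {' -> '.join(dropper_chain(edges))}; cmd.exe spawned by {cmd_spawners(edges)}")
        print("\n".join(render_tree(edges)))
```

The same code applies to any Triage report of this family: the chain length and the stages that spawn cmd.exe are stable across the two platforms even though every dropped file name and hash differs, which makes the shape of the tree a better pivot than any single file indicator.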

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
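The two Network tables differ only in sandbox and OS background traffic, and separating that from the sample's own connections is the routine step before anything here becomes an indicator. The following is an added example, not part of the report: it parses both tables as copied from this page, drops the resolver and background rows (the rule set, including treating g.bing.com as Windows background traffic, is this example's own assumption), intersects the remainder across the two runs, and reports the ports and the absence of any DNS lookup for the surviving endpoints.

```python
"""Reduce the two Network tables to the endpoints attributable to the sample.

Added example; the tables are copied from the report, the noise rules are ours.
"""
from collections import Counter

BEHAVIORAL2_NET = """\
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
"""

BEHAVIORAL1_NET = """\
Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
"""

# Assumption of this example: Windows 10 contacts g.bing.com on its own in the sandbox.
BACKGROUND_DOMAINS = {"g.bing.com"}


def parse_network(text):
    """Rows as dicts; the Domain column is empty when the report shows none."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        country, dest, proto = parts[0], parts[1], parts[-1]
        domain = parts[2] if len(parts) == 4 else ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_noise(row):
    """Resolver traffic and known background domains are not contact with the sample's infrastructure."""
    if row["proto"] == "udp" and row["port"] == 53:
        return True
    return row["domain"] in BACKGROUND_DOMAINS


def attributable_endpoints(rows):
    """(ip, port, proto) tuples left after removing noise."""
    return {(r["ip"], r["port"], r["proto"]) for r in rows if not is_noise(r)}


def cross_run(*tables):
    """Endpoints present in every run: the highest-confidence network indicators."""
    sets = [attributable_endpoints(parse_network(t)) for t in tables]
    return set.intersection(*sets)


def lookups_worth_noting(rows):
    """Names the sample might have resolved: DNS queries that are neither PTR nor background."""
    return sorted({
        r["domain"] for r in rows
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]
        and not r["domain"].endswith(".in-addr.arpa") and r["domain"] not in BACKGROUND_DOMAINS
    })


def port_summary(endpoints):
    """How many distinct hosts were contacted on each port."""
    return Counter(port for _, port, _ in endpoints)


if __name__ == "__main__":
    hits = cross_run(BEHAVIORAL2_NET, BEHAVIORAL1_NET)
    for ip, port, proto in sorted(hits):
        print(f"{ip}:{port}/{proto}")
    print("ports:", dict(port_summary(hits)))
    print("names resolved by the sample:", lookups_worth_noting(parse_network(BEHAVIORAL2_NET)) or "none")
```

The intersection is the four KR/JP endpoints, three on 11110 and one on 11170, and the Windows 10 run contains no non-PTR lookup other than the background domain. For detection that means the indicator is "outbound TCP to 11110/11170 with no preceding DNS query", which is easier to alert on at the network edge than the four addresses themselves, since the addresses can change while the port scheme is what both runs share.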

Files

memory/2600-37-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2868-36-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sosuuj.exe

MD5 e1bb8abef3ac231d28b2487dee6988e6
SHA1 2169bf91bac49e5b427702436730f639e4866463
SHA256 a6b22ff91106600eb2cc63ec74bf257810a2b089ba6358bb24bfb57915e725d0
SHA512 92fb888bab3b1c342ca490090c25dbc745f08ff64826732ae02f23cdfc55505e435d5821dfd90b097a316d20da6dfa9774c072ad9dadbe18eed2acefcd65aa63

memory/2868-34-0x0000000003330000-0x0000000003388000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 67319676c0c43cefcf1c88a4720b07b6
SHA1 d4b4b65683e3221a9ee3025c5ad013eea0d7f407
SHA256 f0d650e4d09d5a7cedd6f4df43f927d45f6e6d9abafc60aeb7eb691a1e2ea59a
SHA512 dd449def574efd2a9194fdb7ff8573ad1e01245fcfeeb89ef32a7419bea741ad1fc7c73cfda2559a4af0bc1a8680cb139e51f6219e53a571dc55c74e4a462f2e

memory/2268-18-0x0000000002450000-0x00000000024A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 c796ba1d6146c80626e9d3d1b0bfbbf0
SHA1 b45d14498499b7220514043058720bb95d6b9bb4
SHA256 0fdf48e4f4b6b686a8ffc3e4672efc362bb042f99ba0a0e3ca86e3ed41de791a
SHA512 c10e35483905e75bdb07bffbe1f463a59ca337174a09f4deaacab04181eaf88e5af08d8a6a12d13c043149406b4bb79040379f8c0808748cca30e4f4275152c0

memory/2268-22-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2868-21-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2268-20-0x0000000002450000-0x00000000024A8000-memory.dmp

memory/2268-0-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2600-38-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2076-59-0x0000000000A20000-0x0000000000AAC000-memory.dmp

memory/2076-58-0x0000000000A20000-0x0000000000AAC000-memory.dmp

memory/2076-57-0x0000000000A20000-0x0000000000AAC000-memory.dmp

memory/2076-56-0x0000000000A20000-0x0000000000AAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huron.exe

MD5 1f675291b5f45d32e04d686519566665
SHA1 280660b161aca27d199569f04619e111d464c29f
SHA256 cfb331188f635dbe0c7cc61579c777735c83ee3c7e421fc05b06e244676628a9
SHA512 b9e25b2fdd899c15c73bd1ddb146cd19c50807c56e7a9aadb9c29bfa52ffd91eee3b5e36bbdf3c468d5a35d31ba694f8965a72834bfc27e8aba7bac01ca41343

memory/2600-54-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat (second copy, written later in the chain; its content differs from the first copy above, whose hash matches the first copy in the Windows 10 run)

MD5 ad8cc94b1355fc153c8e5ea6499c93fa
SHA1 6a2371c9ad9f687adf81fb8a9a1b31a4a2c187a7
SHA256 abd7e3ed44d62b43e29f914106e16f3245e202dc84b761f8b35c5b39df3aa6ff
SHA512 5536c14dd6c7cfb3ab6ab22962d07b6dda43f0005d866ea6d69fed88bad98a8e679bc6e8ffc8ef70f40fc5871646397f677f85dd5f1e382819fd63405be2df3d

memory/2600-45-0x00000000020B0000-0x000000000213C000-memory.dmp

memory/2076-62-0x0000000000A20000-0x0000000000AAC000-memory.dmp

memory/2076-63-0x0000000000A20000-0x0000000000AAC000-memory.dmp

memory/2076-64-0x0000000000A20000-0x0000000000AAC000-memory.dmp