Malware Analysis Report

2024-11-16 13:28

Sample ID 240805-wxs7katgkp
Target 04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252
SHA256 04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252
Tags
urelas discovery trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252

Threat Level: Known bad

The file 04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Loads dropped DLL

UPX packed file

Deletes itself

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-05 18:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 18:18

Reported

2024-08-05 18:21

Platform

win7-20240704-en

Max time kernel

150s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dubob.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yjhozu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ujnaq.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ujnaq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dubob.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yjhozu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Users\Admin\AppData\Local\Temp\dubob.exe
PID 2240 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Users\Admin\AppData\Local\Temp\dubob.exe
PID 2240 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Users\Admin\AppData\Local\Temp\dubob.exe
PID 2240 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Users\Admin\AppData\Local\Temp\dubob.exe
PID 2240 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Windows\SysWOW64\cmd.exe
PID 2240 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\dubob.exe C:\Users\Admin\AppData\Local\Temp\yjhozu.exe
PID 2740 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\dubob.exe C:\Users\Admin\AppData\Local\Temp\yjhozu.exe
PID 2740 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\dubob.exe C:\Users\Admin\AppData\Local\Temp\yjhozu.exe
PID 2740 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\dubob.exe C:\Users\Admin\AppData\Local\Temp\yjhozu.exe
PID 1788 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\yjhozu.exe C:\Users\Admin\AppData\Local\Temp\ujnaq.exe
PID 1788 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\yjhozu.exe C:\Users\Admin\AppData\Local\Temp\ujnaq.exe
PID 1788 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\yjhozu.exe C:\Users\Admin\AppData\Local\Temp\ujnaq.exe
PID 1788 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\yjhozu.exe C:\Users\Admin\AppData\Local\Temp\ujnaq.exe
PID 1788 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\yjhozu.exe C:\Windows\SysWOW64\cmd.exe
PID 1788 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\yjhozu.exe C:\Windows\SysWOW64\cmd.exe
PID 1788 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\yjhozu.exe C:\Windows\SysWOW64\cmd.exe
PID 1788 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\yjhozu.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe

"C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe"

C:\Users\Admin\AppData\Local\Temp\dubob.exe

"C:\Users\Admin\AppData\Local\Temp\dubob.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\yjhozu.exe

"C:\Users\Admin\AppData\Local\Temp\yjhozu.exe" OK

C:\Users\Admin\AppData\Local\Temp\ujnaq.exe

"C:\Users\Admin\AppData\Local\Temp\ujnaq.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

\Users\Admin\AppData\Local\Temp\dubob.exe

MD5 c140363e03d4e5aba55579327a6884b6
SHA1 c8db9ea27e0aea05b744261ed5006e044d9f46ec
SHA256 ffff12080ccfd2db6d684333259a4b97756c8f455a3b707dd141743682ef6036
SHA512 fbc956e0247d9ce027dc75bd3ffc0a48135458d1053dced48d4158d513b9ea77f61a265b405f9995d5b11f055e29885f31e4ad2455b374ed88e53c4a0da073c2

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 81b8503ff17729813d592d13d41da11c
SHA1 fdd9995f1b0a0e73af0926cb6b2eaf4b58c4b25d
SHA256 10a2e977a7b7322c53c246a8a19f22415da9013a2dfaba591440f4a6d13782fe
SHA512 e00f64a6783bb71d91dbbeffbac0e49cff64d0bb3b1e87cdc9cbac60ba4ccfdc7eaf1c5a2cb591d9d539c21d4e36369cbb2cb3771d5beba5f1b1ceb97cda4202

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 af7502ebafdd1c4d0d9cc9e8e9ee8b56
SHA1 0d23e271d7d1f3d9557dc97e9447b5ef53a5123f
SHA256 799c489f4cc66504519b6467c9e4ad6155dcb68b9c0717c02c5fb749fb3297a2
SHA512 1c9ee240623d983a331133299ab0e7ddb7405ad0393312dde9e1697c8ff649d33a5e6ff0e82de65d0c01f1adc18c88d7527c66e453ba3348015c6042a05347f2

\Users\Admin\AppData\Local\Temp\ujnaq.exe

MD5 19f81d806d7800f18f5f807b34700a38
SHA1 a57e5fa45e3d164b8173f04d51d374054c092401
SHA256 09ab12d19e3dd7061509cda57adff5bdddb5fe00baa5cf9af63c23557e803d94
SHA512 7ed609c9d95d28cf977139111fc3faaf96527a2d1cb3f4e1cef62a8a29e696ac76fd8356778e4e622d1729046bb36b2a1187ec13e16711f738c9bb4696e229f6

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 b90b4c9a3a24dfbdc049175a2cab656c
SHA1 e65a533a724c1296ee34688a845c29b561fab3cc
SHA256 16abfcb0465d19b4eff6334ddbdb5a11a65595ecaadb819dfe5019bc1b01168a
SHA512 5df1125d61523934c75ae8a33e0b154f1f18f64ef38b6c62857ab4517658586c0a4f843597cce931b197d215f217d7f537c04413f7fee69ed9ea02d55dd9eb53

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-05 18:18

Reported

2024-08-05 18:21

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pahib.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kixuqi.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pahib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kixuqi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kixuqi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pahib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pahib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pahib.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kixuqi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kixuqi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuqoa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Users\Admin\AppData\Local\Temp\pahib.exe
PID 2792 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Users\Admin\AppData\Local\Temp\pahib.exe
PID 2792 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Users\Admin\AppData\Local\Temp\pahib.exe
PID 2792 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe C:\Windows\SysWOW64\cmd.exe
PID 944 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\pahib.exe C:\Users\Admin\AppData\Local\Temp\kixuqi.exe
PID 944 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\pahib.exe C:\Users\Admin\AppData\Local\Temp\kixuqi.exe
PID 944 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\pahib.exe C:\Users\Admin\AppData\Local\Temp\kixuqi.exe
PID 3820 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\kixuqi.exe C:\Users\Admin\AppData\Local\Temp\vuqoa.exe
PID 3820 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\kixuqi.exe C:\Users\Admin\AppData\Local\Temp\vuqoa.exe
PID 3820 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\kixuqi.exe C:\Users\Admin\AppData\Local\Temp\vuqoa.exe
PID 3820 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\kixuqi.exe C:\Windows\SysWOW64\cmd.exe
PID 3820 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\kixuqi.exe C:\Windows\SysWOW64\cmd.exe
PID 3820 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\kixuqi.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe

"C:\Users\Admin\AppData\Local\Temp\04af9fdeb8b2ad90a158ad532f52e10b4eb9aa9b926a9f89ee575e067d8ec252.exe"

C:\Users\Admin\AppData\Local\Temp\pahib.exe

"C:\Users\Admin\AppData\Local\Temp\pahib.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\kixuqi.exe

"C:\Users\Admin\AppData\Local\Temp\kixuqi.exe" OK

C:\Users\Admin\AppData\Local\Temp\vuqoa.exe

"C:\Users\Admin\AppData\Local\Temp\vuqoa.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\pahib.exe

MD5 015ca55d90cee4815240f758566fc936
SHA1 568b091bbd99b08ae57bb9a1a2f25df72528bd25
SHA256 8911631de71b485e391df92920d8cd51f9bd9b4cb156ab5ffb19e70ccc3ea587
SHA512 c90dc541949a692b724003d2b6301fdc8ac74ee8b6155890e79c4d43105382bd9ef6cc46a71d398af0ec44c1b9363060283716228270b78dfe1f7456bdbc1053

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 81b8503ff17729813d592d13d41da11c
SHA1 fdd9995f1b0a0e73af0926cb6b2eaf4b58c4b25d
SHA256 10a2e977a7b7322c53c246a8a19f22415da9013a2dfaba591440f4a6d13782fe
SHA512 e00f64a6783bb71d91dbbeffbac0e49cff64d0bb3b1e87cdc9cbac60ba4ccfdc7eaf1c5a2cb591d9d539c21d4e36369cbb2cb3771d5beba5f1b1ceb97cda4202

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 e02b3c9aef3c1379231ea140c4c7da6b
SHA1 6c1cd96e8bb8f0d50e1411fd216f8df51970c8a2
SHA256 f6788beecddea9a1bd10e47f31f42f33ad268f912bd2303c092c49b11700b087
SHA512 1783ebe0caef3972860ceed7b0e5e5956fff0ad54cb3ea078b8f9ca714334c7714e8b5f9eadaf42bb54cc3093c98c20bf6ae56298a30399efbaf3bcff5524c45

C:\Users\Admin\AppData\Local\Temp\vuqoa.exe

MD5 e374de86e54dacce731b12f76feeee31
SHA1 31aae040d03f9a6cedd05b6c3c19801a5660409c
SHA256 a58147c120e5d23b5dfa760df2bb6de0fb00130f129f26d57f7c86d15c12527b
SHA512 118648a864501721cbe892271fbbcd8266fa49f8d7973a99a524022227d20a1229a80fa8e02ef800c44f1c9035c80f94d91c4a3249af2f5080bb1affe0d75748

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 09e22da4e2a6a72a7ec70f00be95ba8b
SHA1 bb40274fc9ac6162ef8a1a106bfbebf28dd24a87
SHA256 2899006252db8c9605022794d05d53dfe656e193c3c16bdb3de3862b4d11e276
SHA512 ff0539e7eba9933a3abab8744454b4df5c37eff4e8507ba3f60c2830b824226091c5f23e23281e258f53622dd310af94c0ea0a29a22e7c9f004c0bb44b01ad49

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a
