Malware Analysis Report

2024-11-16 13:28

Sample ID 240807-xez3tsvhpb
Target 0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb
SHA256 0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb
Tags
urelas discovery trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb

Threat Level: Known bad

The file 0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb was found to be: Known bad.

Both detonations (Windows 7 and Windows 10) show the same staged chain. The submitted executable drops and runs a second executable in %TEMP% (datau.exe / zusym.exe), which drops and runs a third (motyzo.exe / nukove.exe, started with an "OK" argument), which drops and runs a fourth (urbor.exe / xiovk.exe). The first and third stages each also spawn cmd.exe on a batch file, _vslite.bat, in the same directory; together with the "Deletes itself" signature on cmd.exe this is consistent with the batch removing the stage that wrote it. The first three stages map the same 0x400000-0xEEC000 image range, the final stage a smaller 0x400000-0x599000 one. The chain writes golfinfo.ini and gbp.ini to %TEMP% and connects directly, with no DNS lookup recorded, to four hosts in KR and JP on TCP ports 11110 and 11170. Dropped-file names and most dropped-file hashes differ between the two runs; the gbp.ini hash and the four network endpoints are the indicators that held across both.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Executes dropped EXE

UPX packed file

Checks computer location settings

Deletes itself

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Techniques mapped from the signatures in this report (standard Enterprise Matrix identifiers for the technique names the signatures carry):

T1027.002 Obfuscated Files or Information: Software Packing (UPX packed file)
T1070.004 Indicator Removal: File Deletion (Deletes itself)
T1082 System Information Discovery (Enumerates physical storage devices)
T1614 System Location Discovery (Checks computer location settings)
T1614.001 System Location Discovery: System Language Discovery

Analysis: static1

Detonation Overview

Reported

2024-08-07 18:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 18:46

Reported

2024-08-07 18:49

Platform

win7-20240708-en

Max time kernel

145s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\datau.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\motyzo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\urbor.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
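The UPX signature above fires with no indicator text, so it is worth knowing what an analyst checks by hand before trusting or discarding it. The following is an added example, not the sandbox's own detection logic: a minimal PE section-table parser plus the three usual UPX tells (UPX0/UPX1 section names, the "UPX!" marker UPX leaves in the header slack, and a high-entropy section holding the compressed code). The two PE images it runs on are constructed in the block so it works offline; they are not the sample from this report, and the entropy floor of 7.0 bits/byte is an assumed threshold.

```python
import math
import random
import struct
from collections import Counter


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def build_pe(sections, header_note=b""):
    """Construct a minimal 32-bit PE image from (name, raw bytes) sections:
    valid DOS/COFF/optional/section headers, no runnable code. Test input
    only; header_note is placed in the header slack after the section table."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)
    hdr_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections) + len(header_note)
    off, va, table, body = _align(hdr_len, 0x200), 0x1000, b"", b""
    for name, raw in sections:
        raw = raw.ljust(_align(len(raw), 0x200), b"\x00")
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"),
                             len(raw) or 0x1000, va, len(raw), off if raw else 0,
                             0, 0, 0, 0, 0xE0000020)
        body += raw
        off += len(raw)
        va += _align(max(len(raw), 0x1000), 0x1000)
    hdr = dos + b"PE\x00\x00" + coff + opt + table + header_note
    return hdr.ljust(_align(len(hdr), 0x200), b"\x00") + body


def parse_sections(data):
    """Return [(section name, raw section bytes)] from a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    out = []
    for i in range(nsec):
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        out.append((name.rstrip(b"\x00").decode("ascii", "replace"), data[rptr:rptr + rsize]))
    return out


def entropy(blob):
    """Shannon entropy in bits per byte (8.0 = indistinguishable from random)."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def upx_indicators(data, entropy_floor=7.0):
    """Three independent UPX tells. Renamed sections defeat the first and a
    patched header the second; the third survives both but fires on any
    compressed or encrypted payload, so it says 'packed', not 'UPX'."""
    sections = parse_sections(data)
    names = [n for n, _ in sections]
    hits = []
    if any(n.upper().startswith("UPX") for n in names):
        hits.append("section names " + "/".join(names))
    if b"UPX!" in data[:0x1000]:
        hits.append("'UPX!' marker in the header area")
    for name, raw in sections:
        e = entropy(raw)
        if raw.strip(b"\x00") and e >= entropy_floor:
            hits.append(f"high-entropy section {name} ({e:.2f} bits/byte)")
    return hits


# Constructed test images (not the sample from this report). The packed one
# copies UPX's usual shape: UPX0 with no raw data, UPX1 holding the
# compressed code (pseudo-random bytes stand in for it here), then .rsrc.
_rng = random.Random(7)
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
UPX_LIKE = build_pe([(b"UPX0", b""), (b"UPX1", PACKED_BLOB), (b".rsrc", b"\x00" * 256)],
                    header_note=b"UPX!")
PLAIN = build_pe([(b".text", b"\x55\x8b\xec" + bytes(range(64)) * 4),
                  (b".data", b"config=1\n" * 20)])

if __name__ == "__main__":
    for label, img in (("upx-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, upx_indicators(img) or "no UPX indicators")
```

Run against a real dropped file, replace the constructed images with `open(path, "rb").read()`; a file that shows only the entropy hit is packed with something other than stock UPX, which is the case that deserves a manual unpack rather than `upx -d`.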

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\datau.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\motyzo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\urbor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 3052 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe C:\Users\Admin\AppData\Local\Temp\datau.exe
PID 2104 wrote to memory of 2696 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 676 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\datau.exe C:\Users\Admin\AppData\Local\Temp\motyzo.exe
PID 676 wrote to memory of 1984 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\motyzo.exe C:\Users\Admin\AppData\Local\Temp\urbor.exe
PID 676 wrote to memory of 1444 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\motyzo.exe C:\Windows\SysWOW64\cmd.exe
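The WriteProcessMemory rows are the only place this report ties PIDs to images, and a parent writing into a process it has just created is what process creation does to pass the startup block, so the rows double as parent-child edges (the same pairs repeat four times on the Windows 7 run and three times on Windows 10). The following is an added example, not sandbox tooling: it parses rows in the report's format, collapses the repeats into counted edges, finds the root, prints the tree with the command lines from the Processes section, and extracts the dropper-to-payload chain while ignoring the cmd.exe helpers. The row text is copied from the behavioral1 table above; the join from PID to command line is by image path, because the report gives no PIDs in its Processes section.

```python
import re
from collections import Counter, defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Rows copied from the behavioral1 "Suspicious use of WriteProcessMemory"
# table, as (repeat count, row text); the sandbox prints one row per write.
WPM_ROWS = [
    (4, f"PID 2104 wrote to memory of 3052 N/A {DROPPER} {TEMP}\\datau.exe"),
    (4, f"PID 2104 wrote to memory of 2696 N/A {DROPPER} {CMD}"),
    (4, f"PID 3052 wrote to memory of 676 N/A {TEMP}\\datau.exe {TEMP}\\motyzo.exe"),
    (4, f"PID 676 wrote to memory of 1984 N/A {TEMP}\\motyzo.exe {TEMP}\\urbor.exe"),
    (4, f"PID 676 wrote to memory of 1444 N/A {TEMP}\\motyzo.exe {CMD}"),
]
WPM_LINES = [row for n, row in WPM_ROWS for _ in range(n)]

# Command lines from the behavioral1 "Processes" section, keyed by image path.
CMDLINES = {
    DROPPER: f'"{DROPPER}"',
    TEMP + r"\datau.exe": f'"{TEMP}\\datau.exe"',
    TEMP + r"\motyzo.exe": f'"{TEMP}\\motyzo.exe" OK',
    TEMP + r"\urbor.exe": f'"{TEMP}\\urbor.exe"',
    CMD: f'cmd /c ""{TEMP}\\_vslite.bat" "',
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")


def parse_edges(lines):
    """Collapse rows into edges: {(ppid, cpid): (parent image, child image)}
    plus a Counter of how many write events backed each edge."""
    edges, counts = {}, Counter()
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m is None:          # header, blank or unrelated line
            continue
        key = (int(m[1]), int(m[2]))
        edges[key] = (m[3], m[4])
        counts[key] += 1
    return edges, counts


def build_tree(edges):
    """children[pid] -> child pids in report order; images[pid] -> image path."""
    children, images = defaultdict(list), {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        children[ppid].append(cpid)
        images[ppid], images[cpid] = pimg, cimg
    return children, images


def roots(edges):
    """PIDs nobody wrote into: the process(es) the sandbox started itself."""
    writers = {p for p, _ in edges}
    targets = {c for _, c in edges}
    return sorted(writers - targets)


def render(pid, children, images, counts, cmdlines, depth=0):
    """Indented one-line-per-process view of the tree rooted at pid."""
    lines = [f"{'  ' * depth}[{pid}] {cmdlines.get(images[pid], '?')}"]
    for child in children.get(pid, []):
        lines.append(f"{'  ' * depth}  +- {counts[(pid, child)]} write(s) ->")
        lines.extend(render(child, children, images, counts, cmdlines, depth + 1))
    return lines


def exe_chain(pid, children, images):
    """Longest dropper -> dropped-EXE chain from pid, skipping the cmd.exe
    helpers (the self-delete batch is not a new stage)."""
    best = [pid]
    for child in children.get(pid, []):
        if images[child].lower().endswith("cmd.exe"):
            continue
        cand = [pid] + exe_chain(child, children, images)
        if len(cand) > len(best):
            best = cand
    return best


if __name__ == "__main__":
    edges, counts = parse_edges(WPM_LINES)
    children, images = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(root, children, images, counts, CMDLINES)))
        chain = exe_chain(root, children, images)
        print("stage chain:", " -> ".join(f"{p} ({images[p].rsplit(chr(92), 1)[-1]})" for p in chain))
```

The same code reads the behavioral2 table unchanged; only the constants differ. A root other than the submitted sample, or a chain that ends in cmd.exe rather than a dropped EXE, would mean the parent-child reading of the rows is wrong for that run and the tree should be rebuilt from process-creation events instead.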

Processes

C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe

"C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe"

C:\Users\Admin\AppData\Local\Temp\datau.exe

"C:\Users\Admin\AppData\Local\Temp\datau.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\motyzo.exe

"C:\Users\Admin\AppData\Local\Temp\motyzo.exe" OK

C:\Users\Admin\AppData\Local\Temp\urbor.exe

"C:\Users\Admin\AppData\Local\Temp\urbor.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2104-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2104-3-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2104-1-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2104-35-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2104-33-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2104-30-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2104-28-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2104-25-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2104-23-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2104-20-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2104-18-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2104-15-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2104-13-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2104-11-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2104-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2104-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2104-6-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2104-5-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2104-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2104-37-0x0000000000526000-0x000000000087A000-memory.dmp

memory/2104-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

\Users\Admin\AppData\Local\Temp\datau.exe

MD5 96fc7cc7064b7399fd886f9f659dfe79
SHA1 b002415966838385ac237adc6f65c1e227a3a2d3
SHA256 edc4737a7cc1bd3206029eb5d6a3a5faed7f07dfdaca1f6ae89624b71a2285dd
SHA512 f6d359a0bbc566c08207d57010b2c761ab346ce441899adbe0120ec7658c3d6a3e2564424f466166c7c1865ec26e0b29bbaaea550cd6d6901d0cdbc3a6b6a58d

memory/2104-53-0x0000000004190000-0x0000000004C7C000-memory.dmp

memory/3052-59-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 d78c252f49f9eadf14524f6757c9149b
SHA1 34adaeca29054387b8fd96c7234365562c9fef73
SHA256 7e2f8c08403c45eca8c40db90cafb202116a64df683f013cf0c6a3c360f15dae
SHA512 d2cdcf5cd509bbf8aba75ccc3706d99fbab0ed5a284dfb6696c5a1247777c6d44958b37941167f251f28dcf498bee51a3757e7691081d12ecd23575977b808a4

memory/2104-61-0x0000000000526000-0x000000000087A000-memory.dmp

memory/2104-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3052-88-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

memory/3052-86-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

memory/3052-83-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/3052-81-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/3052-78-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/3052-76-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/3052-73-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/3052-71-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/3052-68-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/3052-66-0x00000000003B0000-0x00000000003B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 cdd33522e7c498883127727d2e6e84cc
SHA1 3eecd99a3b4e8636ae1782e780004abc8ee45330
SHA256 64148bf219788f4796e2e75d59e99cb137c08d14f1a18b580dfe2ce4e9b04540
SHA512 e9e880d86f0dd2b8f59e81b885519d531c1b029de876df1982b2595b29f4d8edfc0d90b23d0378b37c43df36dddc4e496c70486ab09f964b25157b70adbf56c2

memory/3052-102-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3052-105-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3052-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/676-116-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3052-115-0x0000000004170000-0x0000000004C5C000-memory.dmp

\Users\Admin\AppData\Local\Temp\urbor.exe

MD5 797b15ec2489e878118d86aa3aabb4f7
SHA1 f6f6a7b1ccd562e2d230f0eef5c0ec63744c26d8
SHA256 3f13e4fb82183744a20fec46ba808a9edfbb941b494008d78baa6c7c66fc52ba
SHA512 5817fcd2c3bd2c7a9ad1c61e70697b1e3952e6bcb5568d57f9a9a2493767577cb98ee6b43d4017833119c6277c87ed11f8b12c0738978afdeea1300b50730a62

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 bd779ee27282eebf75ecd4a6710d5217
SHA1 6bfdcfd4391ed41daad25db3c2b369cfa102657e
SHA256 bf3daa99c81f56bdd658374bd6bfba3f9cbbdb966deac17b502c2f3868937357
SHA512 5d4479b144113bfba49a6721ed99430d6c3847f9b09473721b66edc5e156bd0fb6c9d501e78dc1dfeb7437e61a292b511274e97c886a2ca03161df9bbc3e0d0f

memory/676-172-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1984-170-0x0000000000400000-0x0000000000599000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/676-169-0x00000000046E0000-0x0000000004879000-memory.dmp

memory/1984-176-0x0000000000400000-0x0000000000599000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 18:46

Reported

2024-08-07 18:49

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zusym.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nukove.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zusym.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nukove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xiovk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zusym.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nukove.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xiovk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
2 events N/A C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe N/A
2 events N/A C:\Users\Admin\AppData\Local\Temp\zusym.exe N/A
2 events N/A C:\Users\Admin\AppData\Local\Temp\nukove.exe N/A
24 events N/A C:\Users\Admin\AppData\Local\Temp\xiovk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3572 wrote to memory of 2888 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe C:\Users\Admin\AppData\Local\Temp\zusym.exe
PID 3572 wrote to memory of 4948 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2888 wrote to memory of 2540 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\zusym.exe C:\Users\Admin\AppData\Local\Temp\nukove.exe
PID 2540 wrote to memory of 1176 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\nukove.exe C:\Users\Admin\AppData\Local\Temp\xiovk.exe
PID 2540 wrote to memory of 4820 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\nukove.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe

"C:\Users\Admin\AppData\Local\Temp\0c829c5f77898ae24489949261648609bcb1a59eb65ea68b79d3ffad77b542eb.exe"

C:\Users\Admin\AppData\Local\Temp\zusym.exe

"C:\Users\Admin\AppData\Local\Temp\zusym.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\nukove.exe

"C:\Users\Admin\AppData\Local\Temp\nukove.exe" OK

C:\Users\Admin\AppData\Local\Temp\xiovk.exe

"C:\Users\Admin\AppData\Local\Temp\xiovk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
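The Windows 10 run mixes the sample's traffic with the sandbox's own resolver queries, reverse lookups on every IP it saw, and Bing background traffic; the four KR/JP rows, which are also the only rows in the Windows 7 table, have no Domain value because the sample connected straight to hard-coded IPs. The following is an added example, not sandbox tooling, that parses the table above, strips the noise, and emits one Suricata rule per remaining endpoint. The table text is copied from this section; the noise rules and the sid range are assumptions of the example.

```python
import ipaddress
import re

# Copied from the behavioral2 Network table above (the Windows 7 run's
# table contains only the four KR/JP rows).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
"""

ROW_RE = re.compile(r"^([A-Z]{2}) (\S+?):(\d+)(?: (\S+))? (tcp|udp)$")

# Assumed noise rules, not part of the report: the sandbox's resolver, the
# reverse lookups it performs on observed IPs, and Windows/Bing background
# traffic that appears in clean Windows 10 detonations as well.
NOISE_RESOLVERS = {"8.8.8.8"}
NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", "bing.com", "microsoft.com", "windowsupdate.com")


def parse_rows(text):
    """Table rows as dicts; the Domain column is optional in the report."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:           # header line or blank
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain or "", "proto": proto})
    return rows


def is_noise(row):
    """True for traffic the sandbox or the OS generated rather than the sample."""
    if row["ip"] in NOISE_RESOLVERS and row["port"] == 53:
        return True
    if row["domain"].endswith(NOISE_DOMAIN_SUFFIXES):
        return True
    return not ipaddress.ip_address(row["ip"]).is_global   # RFC1918, loopback, link-local


def c2_endpoints(text):
    """Unique non-noise endpoints in first-seen order."""
    seen, out = set(), []
    for row in parse_rows(text):
        key = (row["ip"], row["port"], row["proto"])
        if key in seen or is_noise(row):
            continue
        seen.add(key)
        out.append(row)
    return out


def suricata_rules(endpoints, sid_base=1000001):
    """One outbound alert rule per endpoint; the sid range is a placeholder."""
    return [
        f'alert {r["proto"]} $HOME_NET any -> {r["ip"]} {r["port"]} '
        f'(msg:"Urelas C2 {r["ip"]}:{r["port"]} ({r["country"]})"; '
        f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        for i, r in enumerate(endpoints)
    ]


if __name__ == "__main__":
    hits = c2_endpoints(NETWORK_TABLE)
    for r in hits:
        print(f'{r["country"]} {r["ip"]}:{r["port"]}/{r["proto"]} '
              f'domain={r["domain"] or "(none, direct IP)"}')
    print("\n".join(suricata_rules(hits)))
```

Because the sample never resolved a name, DNS-based blocking does nothing here; the IP:port pairs, and the unusual destination ports 11110 and 11170, are the network indicators to deploy.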

Files

memory/3572-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3572-1-0x0000000000F80000-0x0000000000F81000-memory.dmp

memory/3572-3-0x0000000002C30000-0x0000000002C31000-memory.dmp

memory/3572-8-0x0000000000526000-0x000000000087A000-memory.dmp

memory/3572-7-0x0000000002C90000-0x0000000002C91000-memory.dmp

memory/3572-6-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/3572-5-0x0000000002C70000-0x0000000002C71000-memory.dmp

memory/3572-4-0x0000000002C60000-0x0000000002C61000-memory.dmp

memory/3572-2-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

memory/3572-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3572-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zusym.exe

MD5 b919ab7dfce463d60d3012df9125739f
SHA1 d991e286b23167932c382cf2ac5bc4879a1ede62
SHA256 5b270ef326fea465a2ee878264a53d3b0ef53139793f30f2fa526a16a4498cc0
SHA512 22bf147dbd53750b0a386830acd046ffafb22717a7a0d5ffd064fd6562e2c6e917c2bbb3dba9f076690ab0baf9f3c6e62b65189d66eaa473f840196bfa65022a

memory/2888-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3572-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3572-27-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 d78c252f49f9eadf14524f6757c9149b
SHA1 34adaeca29054387b8fd96c7234365562c9fef73
SHA256 7e2f8c08403c45eca8c40db90cafb202116a64df683f013cf0c6a3c360f15dae
SHA512 d2cdcf5cd509bbf8aba75ccc3706d99fbab0ed5a284dfb6696c5a1247777c6d44958b37941167f251f28dcf498bee51a3757e7691081d12ecd23575977b808a4

memory/2888-35-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/2888-34-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/2888-33-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/2888-32-0x0000000002B50000-0x0000000002B51000-memory.dmp

memory/2888-31-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/2888-30-0x0000000001090000-0x0000000001091000-memory.dmp

memory/2888-29-0x0000000001080000-0x0000000001081000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 7cc592fc55e33fb9b5a7b05954a16f09
SHA1 b708d91821411d753455c427cd6f95eb988ff52e
SHA256 9a85228519a97f10b1528d9f6cab686bcc6d3a2bb321e7c2c935e337981caa9b
SHA512 c1b04a4afe847ec4d3ec8091f2c2cd7636e3186fa8b647c87cb0de84bfccefc9126d71857fa27092a098e16ce36ac7e04c799f71220580f362c97e3783570cb6

memory/2888-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2888-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2888-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2888-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2540-55-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/2540-54-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/2540-53-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/2540-52-0x0000000002B30000-0x0000000002B31000-memory.dmp

memory/2540-51-0x0000000001080000-0x0000000001081000-memory.dmp

memory/2540-50-0x0000000001070000-0x0000000001071000-memory.dmp

memory/2540-56-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/2540-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xiovk.exe

MD5 5ec6e9ddd7c50daeacc281b873476186
SHA1 3fcd0db7a35e431a1c2d514d996b49e2046867da
SHA256 d904314696d68b353bbf79195fa70f69bf8e9db85460bef1c7ad38a4b1064447
SHA512 a4c7bd411552469e5b2f6996cf5fb30c9894e21dce426233c70ec68443446e0bca26cace30cb5d5de07a02cf78b7758dab4feca04c106051474b281355dc4031

memory/1176-70-0x0000000000400000-0x0000000000599000-memory.dmp

memory/2540-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 cfd1b81a276c14600c9d4b7b8824faf7
SHA1 dea78791dc231b7a2f3a19e997f95c253fdab0e7
SHA256 b594d2166d2d5247c386684a8ec3f59f111b170342817330e0f672b682943353
SHA512 7203db6e070ea589415208dc577af5559f59871f89fd6a265aef1e4d09bb980f0b6d9098ffc2bb8d34cc4a7691881ba680e5bdba697da183895866ebab7f0a94

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/1176-75-0x0000000000400000-0x0000000000599000-memory.dmp
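Two detonations of the same sample give a quick read on which file indicators are stable: the dropped executables carry different names and hashes per run, golfinfo.ini differs, _vslite.bat appears in three variants (the first one identical across runs, the second different, consistent with the batch embedding the path it deletes), and only gbp.ini hashes the same in both. The following is an added example, not sandbox tooling: it parses the Files sections in the report's own format, groups hashes by file name across runs, picks out the stable ones, and reads the largest mapped region per PID from the memory dump names, which separates the three same-sized stages from the smaller final payload. The text blocks are copied from the two Files sections above with only the SHA256 lines kept.

```python
import re
from collections import defaultdict

# Copied from the Files sections of the two detonations above (SHA256 lines
# only; MD5/SHA1/SHA512 omitted to keep the block short).
FILES_BEHAVIORAL1 = r"""
memory/2104-0-0x0000000000400000-0x0000000000EEC000-memory.dmp
\Users\Admin\AppData\Local\Temp\datau.exe
SHA256 edc4737a7cc1bd3206029eb5d6a3a5faed7f07dfdaca1f6ae89624b71a2285dd
memory/3052-59-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
SHA256 7e2f8c08403c45eca8c40db90cafb202116a64df683f013cf0c6a3c360f15dae
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
SHA256 64148bf219788f4796e2e75d59e99cb137c08d14f1a18b580dfe2ce4e9b04540
memory/676-116-0x0000000000400000-0x0000000000EEC000-memory.dmp
\Users\Admin\AppData\Local\Temp\urbor.exe
SHA256 3f13e4fb82183744a20fec46ba808a9edfbb941b494008d78baa6c7c66fc52ba
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
SHA256 bf3daa99c81f56bdd658374bd6bfba3f9cbbdb966deac17b502c2f3868937357
memory/1984-170-0x0000000000400000-0x0000000000599000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\gbp.ini
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
"""

FILES_BEHAVIORAL2 = r"""
memory/3572-0-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zusym.exe
SHA256 5b270ef326fea465a2ee878264a53d3b0ef53139793f30f2fa526a16a4498cc0
memory/2888-25-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
SHA256 7e2f8c08403c45eca8c40db90cafb202116a64df683f013cf0c6a3c360f15dae
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
SHA256 9a85228519a97f10b1528d9f6cab686bcc6d3a2bb321e7c2c935e337981caa9b
memory/2540-58-0x0000000000400000-0x0000000000EEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xiovk.exe
SHA256 d904314696d68b353bbf79195fa70f69bf8e9db85460bef1c7ad38a4b1064447
memory/1176-70-0x0000000000400000-0x0000000000599000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
SHA256 b594d2166d2d5247c386684a8ec3f59f111b170342817330e0f672b682943353
C:\Users\Admin\AppData\Local\Temp\gbp.ini
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
"""

MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^SHA256 ([0-9a-f]{64})$")


def parse_files(text):
    """Return (files, regions): files is [(basename, sha256)] in report order,
    regions maps PID -> {(start, end)} taken from the memory dump names."""
    files, regions, pending = [], defaultdict(set), None
    for line in text.splitlines():
        line = line.strip()
        m = MEM_RE.match(line)
        if m:
            regions[int(m[1])].add((int(m[2], 16), int(m[3], 16)))
            continue
        h = HASH_RE.match(line)
        if h and pending:
            files.append((pending, h[1]))
            pending = None
        elif "\\" in line:                    # a path line, with or without drive letter
            pending = line.rsplit("\\", 1)[-1]
    return files, regions


def classify(runs):
    """runs: {run name: [(basename, sha256)]}. For each file name, which hashes
    were seen in which runs, and whether a single hash covered every run."""
    seen = defaultdict(lambda: defaultdict(set))
    for run, files in runs.items():
        for name, sha in files:
            seen[name][sha].add(run)
    report = {}
    for name, by_hash in seen.items():
        hashes = {sha: sorted(r) for sha, r in by_hash.items()}
        stable = len(hashes) == 1 and len(next(iter(hashes.values()))) == len(runs)
        report[name] = {"hashes": hashes, "stable": stable}
    return report


def stable_iocs(report):
    """File hashes worth a blocklist entry: identical in every run."""
    return {name: next(iter(info["hashes"])) for name, info in report.items() if info["stable"]}


def image_sizes(regions):
    """Largest mapped range per PID, i.e. the main image rather than the
    smaller regions the sandbox also dumped."""
    return {pid: max(end - start for start, end in rs) for pid, rs in regions.items()}


if __name__ == "__main__":
    runs = {}
    for label, text in (("behavioral1", FILES_BEHAVIORAL1), ("behavioral2", FILES_BEHAVIORAL2)):
        files, regions = parse_files(text)
        runs[label] = files
        print(label, {pid: hex(size) for pid, size in image_sizes(regions).items()})
    report = classify(runs)
    for name, info in report.items():
        print(f"{name:14} stable={info['stable']} variants={len(info['hashes'])}")
    print("stable IOCs:", stable_iocs(report))
```

Hashes of the per-run executables still belong in a report, but as sample identifiers rather than detection content; for hunting, the stable gbp.ini hash, the %TEMP% file names, and the four network endpoints carry more weight than any one dropped EXE.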