Malware Analysis Report

2024-11-16 13:28

Sample ID 240810-1zqlnszgrn
Target 5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3
SHA256 5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3
Tags
urelas discovery trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3

Threat Level: Known bad

The file 5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

UPX packed file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-10 22:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-10 22:05

Reported

2024-08-10 22:08

Platform

win7-20240704-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ciurw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\remexu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ulogv.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ciurw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\remexu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ulogv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Users\Admin\AppData\Local\Temp\ciurw.exe
PID 2276 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Users\Admin\AppData\Local\Temp\ciurw.exe
PID 2276 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Users\Admin\AppData\Local\Temp\ciurw.exe
PID 2276 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Users\Admin\AppData\Local\Temp\ciurw.exe
PID 2276 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Windows\SysWOW64\cmd.exe
PID 1508 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ciurw.exe C:\Users\Admin\AppData\Local\Temp\remexu.exe
PID 1508 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ciurw.exe C:\Users\Admin\AppData\Local\Temp\remexu.exe
PID 1508 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ciurw.exe C:\Users\Admin\AppData\Local\Temp\remexu.exe
PID 1508 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\ciurw.exe C:\Users\Admin\AppData\Local\Temp\remexu.exe
PID 2672 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\remexu.exe C:\Users\Admin\AppData\Local\Temp\ulogv.exe
PID 2672 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\remexu.exe C:\Users\Admin\AppData\Local\Temp\ulogv.exe
PID 2672 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\remexu.exe C:\Users\Admin\AppData\Local\Temp\ulogv.exe
PID 2672 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\remexu.exe C:\Users\Admin\AppData\Local\Temp\ulogv.exe
PID 2672 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\remexu.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\remexu.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\remexu.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\remexu.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe

"C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe"

C:\Users\Admin\AppData\Local\Temp\ciurw.exe

"C:\Users\Admin\AppData\Local\Temp\ciurw.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\remexu.exe

"C:\Users\Admin\AppData\Local\Temp\remexu.exe" OK

C:\Users\Admin\AppData\Local\Temp\ulogv.exe

"C:\Users\Admin\AppData\Local\Temp\ulogv.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

\Users\Admin\AppData\Local\Temp\ciurw.exe

MD5 05081d09ac6153681387b5b531395d71
SHA1 6602c79cd7d2f282ff9ee07eca22a6188e778d5f
SHA256 8932f553d61e8a0309ddf1a0cfde9492b6d61c889fa7e6bf353cc6597a4b8eee
SHA512 25f74fb82e2520bbd6b5105cb022e8f8752dbdc3cb854dea10cc05ea088a66e71a4774f06ab5b999d96652faf160839744579f22b24725b830c9571265a3077e

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 0b2d310c5081261ed7a37dfd3658d7f3
SHA1 01c5b603fe269e06d90277c4c3600dfd4430431d
SHA256 8e19fa7ab7dedd21d74ccb808dc41f46d31da1ff64a01a6bd85d9bfabf905c5a
SHA512 a72ccac058bbafb6e9a96fc51fe634351f036bb177323dc91ea4589d50e615b3494005e16b8e3d9f5c706910bafa7db49a0327ee7f4dab21de797c85fddc6053

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ab102d3d1c8b730046521b5e0f16ef17
SHA1 90302460c4761878a723cd4ae1bac2080a3ac5f1
SHA256 d78f0341fa26141120bc039c69f251c8d55d96a9201114031399075ca00d8d84
SHA512 84a84b53859781f3c02b8347e25016db45ae8c7929cd869c8aa30af837e3212b8331e8f36d4f9491342a10abdcd29e38d08bf137e40b114e100a2c76c498fedb

\Users\Admin\AppData\Local\Temp\ulogv.exe

MD5 8ccfbb7da99103b7ec3dea57074320a0
SHA1 1046a90c4b070664e203bed0ae7fee47791a8580
SHA256 0a33525b3f49db82dd9a56f067f706f360ba102e32e2176b49765c1eae2d9d35
SHA512 8388e9732b19c57204f886bcb5b74978b698346abd5c25693657b3ae819f0540050f7e05deacba51a3fc23e9f12acb89a5f5ee29b22dc002b1df23033bad9f04

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 f1482ae6624e18bfdb0a9d8efaf5eb4b
SHA1 50a51f75cfe722c9bd7b13f52bb249cf2ee7957c
SHA256 6d9ba1642bb4ff817b0bfc9c1f590d356d214b2be58ba03d7e87b56a1875d840
SHA512 6757bfde6a50647b04614a4b24f5bf8584796891de9098be3fb11a6e95c5401cf5b856c0d8f36e0abac5eb9eff69e924f9b571c79553fe58e786ca3170e61365

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a


Analysis: behavioral2

Detonation Overview

Submitted

2024-08-10 22:05

Reported

2024-08-10 22:08

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tytox.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\jososi.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tytox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jososi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tytox.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jososi.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tytox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tytox.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jososi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jososi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wobeq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2828 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Users\Admin\AppData\Local\Temp\tytox.exe
PID 2828 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Users\Admin\AppData\Local\Temp\tytox.exe
PID 2828 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Users\Admin\AppData\Local\Temp\tytox.exe
PID 2828 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Windows\SysWOW64\cmd.exe
PID 2828 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe C:\Windows\SysWOW64\cmd.exe
PID 4300 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\tytox.exe C:\Users\Admin\AppData\Local\Temp\jososi.exe
PID 4300 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\tytox.exe C:\Users\Admin\AppData\Local\Temp\jososi.exe
PID 4300 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\tytox.exe C:\Users\Admin\AppData\Local\Temp\jososi.exe
PID 2164 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\jososi.exe C:\Users\Admin\AppData\Local\Temp\wobeq.exe
PID 2164 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\jososi.exe C:\Users\Admin\AppData\Local\Temp\wobeq.exe
PID 2164 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\jososi.exe C:\Users\Admin\AppData\Local\Temp\wobeq.exe
PID 2164 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\jososi.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\jososi.exe C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\jososi.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe

"C:\Users\Admin\AppData\Local\Temp\5fe47c71538b936a5e27c73c2e3466ec809396475e00e2e1ea057b6d63520aa3.exe"

C:\Users\Admin\AppData\Local\Temp\tytox.exe

"C:\Users\Admin\AppData\Local\Temp\tytox.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\jososi.exe

"C:\Users\Admin\AppData\Local\Temp\jososi.exe" OK

C:\Users\Admin\AppData\Local\Temp\wobeq.exe

"C:\Users\Admin\AppData\Local\Temp\wobeq.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tytox.exe

MD5 c1c8244b78c2e7f7f179ab64e7c378ce
SHA1 f61bf8f9ebc98ee7d3181705d5adab4fcb902243
SHA256 15e8e02a35c7d9e3672c6cda994c5f99f65c73be2f7314fd2c22b578255d76f6
SHA512 28ede1a156d7ef20250ab816c3a8f3a92107647209b479191ed1d0140e3e809b5eb9f17792cc432f4f7c17aef0a236507158aeac6006a4bcd4004cba96a17e56

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 0b2d310c5081261ed7a37dfd3658d7f3
SHA1 01c5b603fe269e06d90277c4c3600dfd4430431d
SHA256 8e19fa7ab7dedd21d74ccb808dc41f46d31da1ff64a01a6bd85d9bfabf905c5a
SHA512 a72ccac058bbafb6e9a96fc51fe634351f036bb177323dc91ea4589d50e615b3494005e16b8e3d9f5c706910bafa7db49a0327ee7f4dab21de797c85fddc6053

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b085407cd25790de5e6b73905f18cf45
SHA1 a610c5d9213f538de0bb7119d040345308db0121
SHA256 681ef3876e28509b177c51a3e55180dceadc20e5ad1de777647996a9109e6fda
SHA512 90513c9efdc981700c694f72ec7a3febd916ffb6d70943e00476e2c56b3c57037731894b82762219359ae263fe2e13f26559d96e9fec0bbe4e975521c26bfd2e

C:\Users\Admin\AppData\Local\Temp\wobeq.exe

MD5 560eb273fa631557367534ecba8bbe51
SHA1 e2fc9a11515e2157d7466bb5dc4b5cd57cd497d8
SHA256 a1f6f045911b67b73faaeaf9987582166f99abc8dc87b652afb477da5c618e8f
SHA512 01b731ce78815aca1112f6e0a395a01cde2631cf386baa7882e316abcef0fa443a6cbf2a78eb16c7a88534565155864dfeb3623286fc58806f80ee65fea9eeb9

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 0f8b4cb70e98f7695e4e600f825a7dbf
SHA1 cde3f55df1f711fee49545124d4ea4351e5d758b
SHA256 84e45ba427d76c19f9ca3e61457c2cdd90a5a72629e28b85d3bc3d56eccf820b
SHA512 2b6aa3c76c8f2f2d441728867b316435c214373d7734ab867ea3415e0ea50f1596562cc2f56e594d5185c7d078f6b29cd427c5e7a9256573253be330acf24a72

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a
