Malware Analysis Report

2024-11-16 13:26

Sample ID 240811-bv7xqasgka
Target b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec
SHA256 b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec
Tags
urelas discovery trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec

Threat Level: Known bad

The file b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Executes dropped EXE

UPX packed file

Deletes itself

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-11 01:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 01:29

Reported

2024-08-11 01:31

Platform

win7-20240705-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ewbac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ardyuj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\suvep.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ewbac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ardyuj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\suvep.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Users\Admin\AppData\Local\Temp\ewbac.exe
PID 2500 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Users\Admin\AppData\Local\Temp\ewbac.exe
PID 2500 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Users\Admin\AppData\Local\Temp\ewbac.exe
PID 2500 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Users\Admin\AppData\Local\Temp\ewbac.exe
PID 2500 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Windows\SysWOW64\cmd.exe
PID 2500 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Windows\SysWOW64\cmd.exe
PID 624 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ewbac.exe C:\Users\Admin\AppData\Local\Temp\ardyuj.exe
PID 624 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ewbac.exe C:\Users\Admin\AppData\Local\Temp\ardyuj.exe
PID 624 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ewbac.exe C:\Users\Admin\AppData\Local\Temp\ardyuj.exe
PID 624 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ewbac.exe C:\Users\Admin\AppData\Local\Temp\ardyuj.exe
PID 2040 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\ardyuj.exe C:\Users\Admin\AppData\Local\Temp\suvep.exe
PID 2040 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\ardyuj.exe C:\Users\Admin\AppData\Local\Temp\suvep.exe
PID 2040 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\ardyuj.exe C:\Users\Admin\AppData\Local\Temp\suvep.exe
PID 2040 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\ardyuj.exe C:\Users\Admin\AppData\Local\Temp\suvep.exe
PID 2040 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\ardyuj.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\ardyuj.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\ardyuj.exe C:\Windows\SysWOW64\cmd.exe
PID 2040 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\ardyuj.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe

"C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe"

C:\Users\Admin\AppData\Local\Temp\ewbac.exe

"C:\Users\Admin\AppData\Local\Temp\ewbac.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\ardyuj.exe

"C:\Users\Admin\AppData\Local\Temp\ardyuj.exe" OK

C:\Users\Admin\AppData\Local\Temp\suvep.exe

"C:\Users\Admin\AppData\Local\Temp\suvep.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

C:\Users\Admin\AppData\Local\Temp\ewbac.exe

MD5 50b0ebaeb14276517c2a68a8424abfb0
SHA1 f258dd9d439169d7692f748e06cec8323ad9bf4c
SHA256 a4bc0af820d9f3c5f393e9a715112a9227ecb2a6195836b7816a17e36d053153
SHA512 1a70137b214a0c5975b91d2071f39894341e3da82e7c55d3028de250813999ac36311faf27c607f616c54589c34694f6a5abc5b88d6d0b9989701dbc84e85a2b

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 4cdc2dc45799a22bb7c45b8602d06352
SHA1 84fe32317ef2f39ae3923fa1667c7ece1d4aa2dc
SHA256 fd58803f78b01c23ff27f296caeb80fda47e5005c6a1e9a77d591d9b4595901c
SHA512 62fdd113ac2e8e7499633d2897e34a042cb6c59ee51a88b345c4725814994fdb52c80a78780ca48eca46d6cb723c44a64adfb9636b1086e26a02201f5e710d3f

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 aea9cd2945bf14a35d6ec60c6f32e537
SHA1 c8c0ae807cbb917fef9907aea64a39e755ab3fbd
SHA256 8eb70bfc1d903030df06aeec5edb94a183688e50cdf1bbbc1b6cc5f4178da514
SHA512 cd179021f95dc95e20c10f656761dbc340f5cbe35f51a6dafe182557de6ab7618e08c826071729b464619c773faa8d50680b1e00f0169c786d683274308ac341

\Users\Admin\AppData\Local\Temp\suvep.exe

MD5 356a715bb32bd264d6d70936e81463ef
SHA1 c11fb3f3ba56f1a88ab1fee52d37b2aa52f48df9
SHA256 1428994c273d56e39e8283f11a27f3cbdc8144610e21e3940a87b0861fd7c2f6
SHA512 58ef930d4abf7de3d9f0fcb9e008d65918e4590e4e1be0f81b912cba3c8effe74b5902e6b95e1848f9f2c5b61038631f2e58fed68e6a9903b87fc872a4e74aee

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 ae11baa2925b700b97934f8200e6f0b2
SHA1 cbbe7bc880aa7ea7205943e0d31f1dffb90d95f3
SHA256 bc3bc2e801f2a7295ab0db4470f30c20524d8acf92b6da6715285d5fc81661ec
SHA512 2b4a719a1b693fb852bf59fa1246ed3a143a2cb77c1120d79258437fc7fb2ed4eeae408d1ae33c3a0c6f57fc4b62c1e8a6e301fe5e551c150345ee3624f63be2

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-11 01:29

Reported

2024-08-11 01:31

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ruynna.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zoakc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zoakc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruynna.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zoakc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ruynna.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zoakc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zoakc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruynna.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruynna.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\duads.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Users\Admin\AppData\Local\Temp\zoakc.exe
PID 2344 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Users\Admin\AppData\Local\Temp\zoakc.exe
PID 2344 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Users\Admin\AppData\Local\Temp\zoakc.exe
PID 2344 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe C:\Windows\SysWOW64\cmd.exe
PID 5112 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\zoakc.exe C:\Users\Admin\AppData\Local\Temp\ruynna.exe
PID 5112 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\zoakc.exe C:\Users\Admin\AppData\Local\Temp\ruynna.exe
PID 5112 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\zoakc.exe C:\Users\Admin\AppData\Local\Temp\ruynna.exe
PID 960 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\ruynna.exe C:\Users\Admin\AppData\Local\Temp\duads.exe
PID 960 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\ruynna.exe C:\Users\Admin\AppData\Local\Temp\duads.exe
PID 960 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\ruynna.exe C:\Users\Admin\AppData\Local\Temp\duads.exe
PID 960 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ruynna.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ruynna.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ruynna.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe

"C:\Users\Admin\AppData\Local\Temp\b45bff869f81581ed462df014ff9f0aa26687efc938d2ed8825be17ef17d6dec.exe"

C:\Users\Admin\AppData\Local\Temp\zoakc.exe

"C:\Users\Admin\AppData\Local\Temp\zoakc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\ruynna.exe

"C:\Users\Admin\AppData\Local\Temp\ruynna.exe" OK

C:\Users\Admin\AppData\Local\Temp\duads.exe

"C:\Users\Admin\AppData\Local\Temp\duads.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\zoakc.exe

MD5 8b259354d817f2b1cdac8cda809f001c
SHA1 b89cd965f727022d796cc7fd1965302649fff975
SHA256 b4b12938e2ceb46a65f60aa3ba271c35afdddb0aab8fd456b4f2aca908f6e0b1
SHA512 cc6735e66d74128f8656f27135332eaddfaad8051389ae516ebd2ed426996c630463ef580aaff9f93087dca175cb827db7602440e6410ca09fff80793c7c6394

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 4cdc2dc45799a22bb7c45b8602d06352
SHA1 84fe32317ef2f39ae3923fa1667c7ece1d4aa2dc
SHA256 fd58803f78b01c23ff27f296caeb80fda47e5005c6a1e9a77d591d9b4595901c
SHA512 62fdd113ac2e8e7499633d2897e34a042cb6c59ee51a88b345c4725814994fdb52c80a78780ca48eca46d6cb723c44a64adfb9636b1086e26a02201f5e710d3f

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 04b2acef1b20459df328167147b831d2
SHA1 2035eaf86939e0c1f8e8650521cf99f1e222578c
SHA256 56409deb29f3c9d5dde4834b038d7ca60874d53a7ebc4c8f2470dd9f6fbc20a9
SHA512 628e17da1406da91dccfedb7ddb4699a0f0e40ca14e05a4c25b3f1aa1e607dc91de8a44e5c00849d35659b4865b56ffffd1ea8b49a4e794ae8d0cbfe854efd39

C:\Users\Admin\AppData\Local\Temp\duads.exe

MD5 b0afb044e83202742aa31a63c91c66a8
SHA1 9e90d6262cb6bca8bd06451474d466bae37995d2
SHA256 470c420ed397d9a77a1764563e373d1935a4699598eea297ecdc02e1097d910a
SHA512 53174b373bc3ca80b9d8613b5cb6304c006943feaedc598bb85be44570aa27c8691bf6626783644ed58bf22749819f25add056d2866b562accaab97b9edb6bc7

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 121d02073a9b5b921ecb76a6cddc6436
SHA1 8a0e4231939ac117f49857bdd37273c0cf52fe77
SHA256 ca59f91b64fe92849ab9912bbcc0a9954da76133e3b1bed179404761504b41dd
SHA512 f36998268338031c2a09dad222efaa7f89e0318f42c8368b8ea9f9feee7801dbcac178a597b63413f302bf5dda58e0b0629c7d676d27e1d47113dd92f3aeec03

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a
