Malware Analysis Report

2024-11-16 13:24

Sample ID 241007-n2rkjatfnl
Target 918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N
SHA256 918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170

Threat Level: Known bad

The file 918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 11:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 11:53

Reported

2024-10-07 11:57

Platform

win7-20240903-en

Max time kernel

149s

Max time network

83s

Command Line

"C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tafoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ajvou.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ajvou.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tafoe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ajvou.exe N/A (53 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 488 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe C:\Users\Admin\AppData\Local\Temp\tafoe.exe (4 identical events)
PID 488 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe C:\Windows\SysWOW64\cmd.exe (4 identical events)
PID 2428 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\tafoe.exe C:\Users\Admin\AppData\Local\Temp\ajvou.exe (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe

"C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe"

C:\Users\Admin\AppData\Local\Temp\tafoe.exe

"C:\Users\Admin\AppData\Local\Temp\tafoe.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\ajvou.exe

"C:\Users\Admin\AppData\Local\Temp\ajvou.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/488-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/488-0-0x00000000000D0000-0x0000000000151000-memory.dmp

\Users\Admin\AppData\Local\Temp\tafoe.exe

MD5 d5ec62d03b18cabf0e2bb4361b83b15d
SHA1 b1d10fa6bfdbf0d3c2e40d1ca0a9fcbe99cc491e
SHA256 fd22209772991c6503efca49e0cb3c3729666fb35c13b042513dd1679a0ef928
SHA512 0166c9e36df6952d5cba66053259d478ad1da0ea44cb6529dee124710ec5a66417d56536a3f42a8b130038cfe7e0f37ce8a27e8f6d3798858f3fc14078afe017

memory/488-9-0x00000000025E0000-0x0000000002661000-memory.dmp

memory/2428-21-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2428-20-0x0000000000EC0000-0x0000000000F41000-memory.dmp

memory/488-19-0x00000000000D0000-0x0000000000151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 398b693664e2956c2bc3e3f798674b61
SHA1 ba41c38c2976a65c6ec5b3c45e74255daf254ea1
SHA256 4fcccbdbf1222ebe99b4c127304aef73b0ce95ecd6b25453b6dc2a75de33a30a
SHA512 b4fb040828ad6c4d1d1dd3cbd6d36b2d533dccb00e9a1327663877f08b692a76eb8b311be5fad9aa0b64867504bba56f16cb085602f74f26c61b14ec1f019776

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 812388eaa7a4405a672e115da0a54dec
SHA1 9ed3e3b0ecc8a2a90630cc489cd2299d06ac445e
SHA256 9a2c34946c832e00cdf24c95a2356e253ac1fd105012c003319e086db34c9ceb
SHA512 c9e2f90c871b1f4cf19a2c68ba05cc348bb6046b2883a4b5c2dae42c1af90ec63f01c9189ae0ce01f3fe2011cda4ff313edaca135f8b4a8e33267d99c15896d1

memory/2428-24-0x0000000000EC0000-0x0000000000F41000-memory.dmp

memory/2428-37-0x0000000003980000-0x0000000003A19000-memory.dmp

\Users\Admin\AppData\Local\Temp\ajvou.exe

MD5 a667cda550847383ee8572bb36252eff
SHA1 21e9267e4aeac695e7a91bb5bdb793747a354646
SHA256 c9abc151eab57e720ff0b6509a86fd89b747d0241cbf499b8c46d229dfee8637
SHA512 52de8a9408144d5b63c96e1b033b71c51839b39eb64df16cb8ed6d8e1b5f047b566a1ab87118f99e8e5442edf059c816ba71169d71274470ab1acc594bbb7ec6

memory/1988-43-0x0000000000280000-0x0000000000319000-memory.dmp

memory/1988-42-0x0000000000280000-0x0000000000319000-memory.dmp

memory/2428-41-0x0000000000EC0000-0x0000000000F41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tafoe.exe

MD5 46ec469bd1e447d04562bf8d91280578
SHA1 cdab05853778b17479565225b502a366a24fee19
SHA256 c76d8aa4a98e4add5e97c62acd64e511783378438b93a95756b610563d0bba58
SHA512 eea085dce1e65f6f9aa79245fc00d60d8a6cce261077202c4a13bcec901985cf30366b5121da55fcdaed5c45fab7de8f2c7bf4f57b407622a050906a1746041c

memory/1988-48-0x0000000000280000-0x0000000000319000-memory.dmp

memory/1988-49-0x0000000000280000-0x0000000000319000-memory.dmp

memory/1988-50-0x0000000000280000-0x0000000000319000-memory.dmp

memory/1988-51-0x0000000000280000-0x0000000000319000-memory.dmp

memory/1988-52-0x0000000000280000-0x0000000000319000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 11:53

Reported

2024-10-07 11:56

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wihuk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wihuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\afpos.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\wihuk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\afpos.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\afpos.exe N/A (64 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 648 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe C:\Users\Admin\AppData\Local\Temp\wihuk.exe (3 identical events)
PID 648 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe C:\Windows\SysWOW64\cmd.exe (3 identical events)
PID 4608 wrote to memory of 3328 N/A C:\Users\Admin\AppData\Local\Temp\wihuk.exe C:\Users\Admin\AppData\Local\Temp\afpos.exe (3 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe

"C:\Users\Admin\AppData\Local\Temp\918d079c8e3477fac8ed1a86287f4a2434f228ad7555afe8485618edcd7dc170N.exe"

C:\Users\Admin\AppData\Local\Temp\wihuk.exe

"C:\Users\Admin\AppData\Local\Temp\wihuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\afpos.exe

"C:\Users\Admin\AppData\Local\Temp\afpos.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/648-0-0x0000000000AA0000-0x0000000000B21000-memory.dmp

memory/648-1-0x0000000000A40000-0x0000000000A41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wihuk.exe

MD5 c41ed6c9f8bef9f70d484d99530e4be0
SHA1 590913482f7a7602ee18629d5b3dd490f1d63c01
SHA256 f4d81b5541a0c85da0e21ee01ce8794bd514bcf409f14fe45f6c169ab0078777
SHA512 30b270c105ed0bfb46ae33edea34b3d37b9dea23e96daa0c5d9eec353b40c11d3a51576eb298d12e6587262585461c158a50bba735dba2c0ef8a9c091553b75b

memory/4608-14-0x00000000007D0000-0x00000000007D1000-memory.dmp

memory/4608-11-0x0000000000B70000-0x0000000000BF1000-memory.dmp

memory/648-17-0x0000000000AA0000-0x0000000000B21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 398b693664e2956c2bc3e3f798674b61
SHA1 ba41c38c2976a65c6ec5b3c45e74255daf254ea1
SHA256 4fcccbdbf1222ebe99b4c127304aef73b0ce95ecd6b25453b6dc2a75de33a30a
SHA512 b4fb040828ad6c4d1d1dd3cbd6d36b2d533dccb00e9a1327663877f08b692a76eb8b311be5fad9aa0b64867504bba56f16cb085602f74f26c61b14ec1f019776

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 22de7aaa0bf08e4bd1225b5bb04f935f
SHA1 bb9a3513e3ce1d9c39b2525741938a23b1072298
SHA256 fa8463e35d72269e3e487d8bb586db3ee686c6215047fe066fd495eeee7c27e6
SHA512 4993665aeb6f3ee1d32775233afe24b348ae1e2e145d4fd26013d1f83008f7f3ffe6b2bde961cef844e88bf4cabaa200664148c4c28ef6f0d2f69a5dbd85a23c

memory/4608-20-0x0000000000B70000-0x0000000000BF1000-memory.dmp

memory/4608-21-0x00000000007D0000-0x00000000007D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\afpos.exe

MD5 30dd051dbfb8c4168acfccab9eadf8bb
SHA1 11e195a770745ec99effe7892229bfbaa0d972ac
SHA256 98a8c667fed588591999b2e0c5f3dc2e31068969eb7e23167f2c172a35016915
SHA512 85a0a421050cd8a83de8b1418127ae24086b25f53918e63103b397d881d853e876aed50b11fc5fe05cef94526ae719b027a6d10d8526c013505ef2229ece93e4

memory/3328-38-0x0000000000BD0000-0x0000000000C69000-memory.dmp

memory/3328-39-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

memory/3328-40-0x0000000000BD0000-0x0000000000C69000-memory.dmp

memory/4608-44-0x0000000000B70000-0x0000000000BF1000-memory.dmp

memory/3328-47-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

memory/3328-46-0x0000000000BD0000-0x0000000000C69000-memory.dmp

memory/3328-48-0x0000000000BD0000-0x0000000000C69000-memory.dmp

memory/3328-49-0x0000000000BD0000-0x0000000000C69000-memory.dmp

memory/3328-50-0x0000000000BD0000-0x0000000000C69000-memory.dmp

memory/3328-51-0x0000000000BD0000-0x0000000000C69000-memory.dmp