Malware Analysis Report

2024-11-16 13:24

Sample ID 241008-s5lkxatcnj
Target 12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N
SHA256 12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04

Threat Level: Known bad

The file 12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-08 15:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-08 15:42

Reported

2024-10-08 15:45

Platform

win7-20240729-en

Max time kernel

149s

Max time network

78s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tetox.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biwyk.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tetox.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\biwyk.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\biwyk.exe | N/A | 54 identical hits

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1456 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | C:\Users\Admin\AppData\Local\Temp\tetox.exe | 4
PID 1456 wrote to memory of 2748 | N/A | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2940 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\tetox.exe | C:\Users\Admin\AppData\Local\Temp\biwyk.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe

"C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe"

C:\Users\Admin\AppData\Local\Temp\tetox.exe

"C:\Users\Admin\AppData\Local\Temp\tetox.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\biwyk.exe

"C:\Users\Admin\AppData\Local\Temp\biwyk.exe"
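The process list and the WriteProcessMemory rows above together give the execution chain of this run. The following script is an added example and not part of the sandbox report: it rebuilds that chain from the report's own events (one row per distinct event, since the report repeats each write four times) and flags the two behaviours the report attributes to the sample, a %TEMP% executable launching another %TEMP% executable and a %TEMP% executable running cmd.exe on a %TEMP% batch file (the "Deletes itself" helper). Treating a remote-memory write as a parent-to-child edge is an assumption that holds for this report because each write is paired with the process the writer launched; the finding names and the path regexes are the author's choices.

```python
"""Rebuild the process tree of the behavioral1 detonation from the report's
WriteProcessMemory rows and flag the dropper pattern it shows.

Added example; not part of the sandbox report. Events and command lines are
transcribed from the behavioral1 tables, one row per distinct event. A write
is treated as a parent-to-child edge (assumption: in this report every write
pairs with the process the writer launched). Finding names and regexes are
the author's choices.
"""
import ntpath
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe"

# (writer_pid, target_pid, writer_image, target_image), transcribed from the report.
WPM_EVENTS = [
    (1456, 2940, SAMPLE, TEMP + r"\tetox.exe"),
    (1456, 2748, SAMPLE, r"C:\Windows\SysWOW64\cmd.exe"),
    (2940, 2948, TEMP + r"\tetox.exe", TEMP + r"\biwyk.exe"),
]

# Command lines from the report's Processes list, keyed by image path.
CMDLINES = {
    SAMPLE: '"' + SAMPLE + '"',
    TEMP + r"\tetox.exe": '"' + TEMP + r'\tetox.exe"',
    r"C:\Windows\SysWOW64\cmd.exe": 'cmd /c ""' + TEMP + r'\_uinsey.bat" "',
    TEMP + r"\biwyk.exe": '"' + TEMP + r'\biwyk.exe"',
}

TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
BAT_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.bat)', re.IGNORECASE)


def in_user_temp(path):
    """True for paths under a user's AppData\\Local\\Temp."""
    return TEMP_RE.match(path) is not None


def process_chains(events):
    """Every root-to-leaf chain of image basenames, e.g.
    '<sample>.exe -> tetox.exe -> biwyk.exe'."""
    children = defaultdict(list)
    image = {}
    for wpid, tpid, wimg, timg in events:
        image[wpid], image[tpid] = wimg, timg
        if tpid not in children[wpid]:
            children[wpid].append(tpid)
    targets = {tpid for _, tpid, _, _ in events}
    chains = []

    def walk(pid, path):
        path = path + [ntpath.basename(image[pid])]
        if not children[pid]:
            chains.append(" -> ".join(path))
        for child in children[pid]:
            walk(child, path)

    for root in [pid for pid in image if pid not in targets]:
        walk(root, [])
    return chains


def classify(events, cmdlines):
    """Flag staged dropping (%TEMP% exe -> %TEMP% exe) and the self-delete
    helper (%TEMP% exe -> cmd.exe running a %TEMP% .bat)."""
    findings = []
    for wpid, tpid, wimg, timg in events:
        if in_user_temp(wimg) and in_user_temp(timg) and timg.lower().endswith(".exe"):
            findings.append(("temp_exe_spawns_temp_exe", wpid, tpid, timg))
        if in_user_temp(wimg) and ntpath.basename(timg).lower() == "cmd.exe":
            match = BAT_RE.search(cmdlines.get(timg, ""))
            if match and in_user_temp(match.group(1)):
                findings.append(("temp_exe_runs_temp_bat", wpid, tpid, match.group(1)))
    return findings


if __name__ == "__main__":
    for chain in process_chains(WPM_EVENTS):
        print(chain)
    for kind, parent, child, what in classify(WPM_EVENTS, CMDLINES):
        print(f"{kind}: pid {parent} -> pid {child} ({what})")
```

Run stand-alone it prints the two chains (sample -> tetox.exe -> biwyk.exe, sample -> cmd.exe) and three findings; the same logic applies unchanged to the behavioral2 run, where only the PIDs and the random five-letter names differ.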

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11300 | - | tcp
KR | 1.234.83.146:11170 | - | tcp
KR | 218.54.31.166:11300 | - | tcp
JP | 133.242.129.155:11300 | - | tcp

Files

memory/1456-0-0x0000000000EE0000-0x0000000000F61000-memory.dmp

memory/1456-1-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\tetox.exe

MD5 e6b905206d0d2f738b073a011992986a
SHA1 843627cc13e23c9091222a94758975d57ab0669a
SHA256 613b2f4186dfa420956d606dbd84462a7aa605411e29f71bb93d93740819c446
SHA512 9691abc521c4307311fce8edd0f146c237a36b55a9218fd5c485013ddec6f71ecffb1d2dd0f29b822f5d31370476f5493ed1fe5aaf68a52fca6d941fa7f43184

memory/1456-7-0x0000000002780000-0x0000000002801000-memory.dmp

memory/2940-18-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 3c51bcaa5da5fa784fb29c00bfda4618
SHA1 f98248a0f4c3bc4b2ff4a509de8bf8d42e85d174
SHA256 feeee607be7e00b06fc8319a237ae7637d12ffd097f4d57c433ad86f872a4649
SHA512 a5d8f0f4c4a1fd2943193bc1c9a83500eb8920579815086e6cc847d4b514cf57c9675d79abcca8fb1a0665253b09f521b7d243debc0bc80179facb828aa5d6b5

memory/2940-13-0x0000000000C10000-0x0000000000C91000-memory.dmp

memory/1456-21-0x0000000000EE0000-0x0000000000F61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 9736f58558b741767606417811c85052
SHA1 675356951e174842eace35f78f2d32a61b581eed
SHA256 91efedd19e40c3cb35af4a9597b2a85a228e4da8f4d4cf3c18ff7255def145c6
SHA512 74ed465c9e35ae11cca47c7b7b146b6624a9ed96b75db52e03e4f5096e7d1ed9f2fde00e9078d2a62bf1f6661b60ee7faace6f2e547a5a08066e3e3ff4c6005c

memory/2940-24-0x0000000000C10000-0x0000000000C91000-memory.dmp

\Users\Admin\AppData\Local\Temp\biwyk.exe

MD5 8ba74132f824084ab9e8af6d8fd6f82a
SHA1 11ffa1626daf4e319959f00b0509cd988a51bfc4
SHA256 975d924311c801c8267c51daa0e30b7c0157844aa167b2175c7149ed0f5fc8d5
SHA512 44d16a5bdefee16d632fc1da99e209184ce02a1da7f6b88f7cc4ff099df1c50935394a0de7ff64ad5f49f144cec8e265c51794b86b64da74c4c64b498c58652e

memory/2948-42-0x00000000012B0000-0x0000000001349000-memory.dmp

memory/2940-40-0x0000000000C10000-0x0000000000C91000-memory.dmp

memory/2940-38-0x0000000003670000-0x0000000003709000-memory.dmp

memory/2948-43-0x00000000012B0000-0x0000000001349000-memory.dmp

memory/2948-47-0x00000000012B0000-0x0000000001349000-memory.dmp

memory/2948-48-0x00000000012B0000-0x0000000001349000-memory.dmp

memory/2948-49-0x00000000012B0000-0x0000000001349000-memory.dmp

memory/2948-50-0x00000000012B0000-0x0000000001349000-memory.dmp

memory/2948-51-0x00000000012B0000-0x0000000001349000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-08 15:42

Reported

2024-10-08 15:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\vekoz.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vekoz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\belou.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\vekoz.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\belou.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\belou.exe | N/A | 64 identical hits

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2276 wrote to memory of 3808 | N/A | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | C:\Users\Admin\AppData\Local\Temp\vekoz.exe | 3
PID 2276 wrote to memory of 4704 | N/A | C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 3808 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\vekoz.exe | C:\Users\Admin\AppData\Local\Temp\belou.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe

"C:\Users\Admin\AppData\Local\Temp\12d82ad2f555d80fc23d5386bc265fd5e6e14e827063c7af523ede6fa7a72d04N.exe"

C:\Users\Admin\AppData\Local\Temp\vekoz.exe

"C:\Users\Admin\AppData\Local\Temp\vekoz.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\belou.exe

"C:\Users\Admin\AppData\Local\Temp\belou.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
KR | 218.54.31.226:11300 | - | tcp
KR | 1.234.83.146:11170 | - | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
KR | 218.54.31.166:11300 | - | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
JP | 133.242.129.155:11300 | - | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
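Both detonations reach the same four endpoints (three in KR, one in JP) on TCP 11300 and 11170; the win10 run additionally shows reverse (in-addr.arpa) lookups to 8.8.8.8 that the report attributes to no process. The script below is an added example, not part of the report: it separates the direct non-standard-port connections from the resolver traffic, decodes the PTR names back to the addresses they ask about, and emits Suricata alert rules for the endpoints. Treating the 8.8.8.8 PTR traffic as sandbox background, the sid range starting at 1000001 and the rule message text are the author's assumptions.

```python
"""Triage the Network table: separate direct connections on non-standard
ports from resolver traffic and turn the former into Suricata rules.

Added example; not part of the sandbox report. Rows are transcribed from
the behavioral2 Network table. Assumptions: the 8.8.8.8 PTR lookups are
sandbox background (the report names no process for them), the sid range
1000001+ is free in the local ruleset, and the msg text is the author's.
"""
import ipaddress

# (country, destination, domain, proto) as printed in the report; "" = no domain.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "88.210.23.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "74.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "88.156.103.20.in-addr.arpa", "udp"),
    ("KR", "218.54.31.226:11300", "", "tcp"),
    ("KR", "1.234.83.146:11170", "", "tcp"),
    ("US", "8.8.8.8:53", "197.87.175.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "75.117.19.2.in-addr.arpa", "udp"),
    ("KR", "218.54.31.166:11300", "", "tcp"),
    ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ("JP", "133.242.129.155:11300", "", "tcp"),
    ("US", "8.8.8.8:53", "11.227.111.52.in-addr.arpa", "udp"),
]


def parse_destination(dest):
    """'1.2.3.4:11300' -> ('1.2.3.4', 11300); rejects anything that is not an IP."""
    host, port = dest.rsplit(":", 1)
    return str(ipaddress.ip_address(host)), int(port)


def c2_candidates(rows):
    """Direct connections that are neither DNS nor tied to a looked-up name:
    in this report, the four KR/JP endpoints on 11300 and 11170."""
    found = []
    for country, dest, domain, proto in rows:
        host, port = parse_destination(dest)
        if proto == "udp" and port == 53:
            continue  # resolver traffic
        if domain:
            continue  # a named destination would need separate handling
        found.append((host, port, proto, country))
    return found


def ptr_lookup_targets(rows):
    """Turn each in-addr.arpa query name back into the IPv4 address it asks about."""
    suffix = ".in-addr.arpa"
    targets = []
    for _, _, domain, _ in rows:
        if domain.endswith(suffix):
            labels = domain[: -len(suffix)].split(".")
            targets.append(".".join(reversed(labels)))
    return targets


def suricata_rules(candidates, base_sid=1000001):
    """One alert per endpoint for a local ruleset (sid range assumed free)."""
    rules = []
    for i, (host, port, proto, country) in enumerate(candidates):
        rules.append(
            f"alert {proto} $HOME_NET any -> {host} {port} "
            f'(msg:"Urelas sandbox-observed endpoint {host}:{port} ({country})"; '
            f"flow:to_server; classtype:trojan-activity; sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    cands = c2_candidates(NETWORK_ROWS)
    print("ports:", sorted({port for _, port, _, _ in cands}))
    print("\n".join(suricata_rules(cands)))
```

The port set (11170, 11300) is the more durable detail: a firewall or flow-log query for outbound TCP to those two ports catches both runs without depending on the four addresses staying live.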

Files

memory/2276-0-0x0000000000470000-0x00000000004F1000-memory.dmp

memory/2276-1-0x0000000001200000-0x0000000001201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vekoz.exe

MD5 0c9f21830fe67a1f90d96b1e1ffe469e
SHA1 ae399e92cb4b77c29b286f042d497a7f69936dcb
SHA256 bbe877630af4519868c972661a9906c011ceafd20ec7d918036a0a990fa152d2
SHA512 c07971d22d33a40fa456b821e3550f30f126a2e5477449845f9890530179b9a2ec565c6f53090e4ba4f495a7a3dc698687d73d3aca6004bb5fe1b07838c128b7

memory/3808-14-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/3808-11-0x0000000000B10000-0x0000000000B91000-memory.dmp

memory/2276-17-0x0000000000470000-0x00000000004F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 3c51bcaa5da5fa784fb29c00bfda4618
SHA1 f98248a0f4c3bc4b2ff4a509de8bf8d42e85d174
SHA256 feeee607be7e00b06fc8319a237ae7637d12ffd097f4d57c433ad86f872a4649
SHA512 a5d8f0f4c4a1fd2943193bc1c9a83500eb8920579815086e6cc847d4b514cf57c9675d79abcca8fb1a0665253b09f521b7d243debc0bc80179facb828aa5d6b5

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ccbb3679795f249040d619c7f85f42eb
SHA1 d922b4f00a0902428b2fd09004f92b77e5764e20
SHA256 77f3fb5565ad83ad23a39c2cd959ccbc2a4022cb0abfefd737f3b3922bf9fdbe
SHA512 5efb9039ffe1e3a6980b2dfd5cc3c6d4dfef3373cf5ebb235d89907fc5fdf8c4de7f95f21a91b0bca278f6685481adec6ae368e7bc0fc418dcfee1b2f21c412e

memory/3808-21-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/3808-20-0x0000000000B10000-0x0000000000B91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\belou.exe

MD5 9dc9b94af5facd8969f7e04d79587f0e
SHA1 580c964298aa45caaa11975342b124f15cc8a4fb
SHA256 f0ba314310aef98612c3d3d8dd5a0b81183e6e6e9139ea78fc0753ddc8459922
SHA512 d7f1a0fdae32736de8bee4773ba78a55b299a4600a37a6532613c3e94d447adc7c1375f452fcc0c9b6b94e1ca1d3c283dcc05ffab3ea7e679b2118ba69b84029

memory/2600-39-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/2600-38-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/2600-40-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/3808-44-0x0000000000B10000-0x0000000000B91000-memory.dmp

memory/2600-47-0x00000000004D0000-0x00000000004D2000-memory.dmp

memory/2600-46-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/2600-48-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/2600-49-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/2600-50-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/2600-51-0x0000000000B30000-0x0000000000BC9000-memory.dmp
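Putting the two Files sections side by side shows which artifacts are worth hashing: _uinsey.bat has the same SHA256 in both detonations, golfinfo.ini is present in both but with different content, and the dropped executables get a fresh five-letter name (tetox/biwyk on win7, vekoz/belou on win10) on each run. The script below is an added example, not part of the report: it classifies each dropped file across the two runs and keeps only the hashes that stayed constant as file IOCs. The SHA256 values are transcribed from the report; the verdict labels and the five-lowercase-letter name heuristic are the author's assumptions, drawn only from the four dropped executables this report shows.

```python
"""Compare dropped-file hashes across the two detonations to separate stable
artifacts (usable as hash IOCs) from per-run ones.

Added example; not part of the sandbox report. SHA256 values are transcribed
from the two Files sections. The verdict labels and the five-letter-name
heuristic are the author's assumptions based only on this report's four
dropped executables.
"""
import ntpath
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"

RUNS = {
    "behavioral1 (win7)": {
        TEMP + r"\tetox.exe": "613b2f4186dfa420956d606dbd84462a7aa605411e29f71bb93d93740819c446",
        TEMP + r"\_uinsey.bat": "feeee607be7e00b06fc8319a237ae7637d12ffd097f4d57c433ad86f872a4649",
        TEMP + r"\golfinfo.ini": "91efedd19e40c3cb35af4a9597b2a85a228e4da8f4d4cf3c18ff7255def145c6",
        TEMP + r"\biwyk.exe": "975d924311c801c8267c51daa0e30b7c0157844aa167b2175c7149ed0f5fc8d5",
    },
    "behavioral2 (win10)": {
        TEMP + r"\vekoz.exe": "bbe877630af4519868c972661a9906c011ceafd20ec7d918036a0a990fa152d2",
        TEMP + r"\_uinsey.bat": "feeee607be7e00b06fc8319a237ae7637d12ffd097f4d57c433ad86f872a4649",
        TEMP + r"\golfinfo.ini": "77f3fb5565ad83ad23a39c2cd959ccbc2a4022cb0abfefd737f3b3922bf9fdbe",
        TEMP + r"\belou.exe": "f0ba314310aef98612c3d3d8dd5a0b81183e6e6e9139ea78fc0753ddc8459922",
    },
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DROP_NAME_RE = re.compile(r"^[a-z]{5}\.exe$")  # assumption: pattern of the 4 names seen here


def compare_runs(runs):
    """Per basename: 'stable content' (same hash in every run), 'per-run content'
    (present in every run, hash differs) or 'per-run name' (absent from some run)."""
    by_name = {}
    for run, files in runs.items():
        for path, sha in files.items():
            if not SHA256_RE.match(sha):
                raise ValueError(f"{run}: malformed SHA256 for {path}")
            by_name.setdefault(ntpath.basename(path).lower(), {})[run] = sha
    verdict = {}
    for name, per_run in by_name.items():
        if len(per_run) < len(runs):
            verdict[name] = "per-run name"
        elif len(set(per_run.values())) == 1:
            verdict[name] = "stable content"
        else:
            verdict[name] = "per-run content"
    return verdict


def stable_hash_iocs(runs):
    """SHA256 values identical in every detonation: the only ones worth shipping."""
    verdict = compare_runs(runs)
    first_run = next(iter(runs.values()))
    return sorted(sha for path, sha in first_run.items()
                  if verdict[ntpath.basename(path).lower()] == "stable content")


def random_looking_drops(runs):
    """Dropped executables whose names fit the five-lowercase-letter pattern;
    for these a name/location pattern, not a hash, is what survives across runs."""
    names = {ntpath.basename(p).lower() for files in runs.values() for p in files}
    return sorted(n for n in names if DROP_NAME_RE.match(n))


if __name__ == "__main__":
    for name, verdict in compare_runs(RUNS).items():
        print(f"{name:14} {verdict}")
    print("stable hash IOCs:", stable_hash_iocs(RUNS))
    print("random-looking drops:", random_looking_drops(RUNS))
```

Only the batch file's hash survives as a file IOC; for the executables, the observation that a five-letter .exe under %LOCALAPPDATA%\Temp launches another one is the reusable signal, and golfinfo.ini is better matched by name and location than by hash.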