Malware Analysis Report

2024-11-16 13:25

Sample ID 241010-db7tqawane
Target 574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN
SHA256 574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53e
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53e

Threat Level: Known bad

The file 574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 02:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 02:51

Reported

2024-10-10 02:53

Platform

win7-20240708-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\moreu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oqidm.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\moreu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oqidm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oqidm.exe N/A (54 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe C:\Users\Admin\AppData\Local\Temp\moreu.exe (4 identical events)
PID 2052 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe C:\Windows\SysWOW64\cmd.exe (4 identical events)
PID 2136 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\moreu.exe C:\Users\Admin\AppData\Local\Temp\oqidm.exe (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe

"C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe"

C:\Users\Admin\AppData\Local\Temp\moreu.exe

"C:\Users\Admin\AppData\Local\Temp\moreu.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\oqidm.exe

"C:\Users\Admin\AppData\Local\Temp\oqidm.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 N/A tcp
KR 1.234.83.146:11170 N/A tcp
KR 218.54.31.166:11300 N/A tcp
JP 133.242.129.155:11300 N/A tcp

Files

memory/2052-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2052-0-0x0000000000E50000-0x0000000000ED1000-memory.dmp

\Users\Admin\AppData\Local\Temp\moreu.exe

MD5 bb933fbe1ca2c57f620d8b017bb1b4a4
SHA1 cab0f62bd8bed9fa98e0c5d5d33bc1a15e1541e8
SHA256 8d41e0adab8864ede196517a2f898f02493ef9b7fab489bcb02105471eaf4396
SHA512 6e3cbccb15a0222ce2da323cf41b0b7ed4f4c3fb116e7c4309a709fb235b7ca76ea5090ac1b96c7eb7ae8f6173f23a03386371c840e41f6a220ae50e049e7bd5

memory/2052-19-0x0000000000E50000-0x0000000000ED1000-memory.dmp

memory/2136-21-0x0000000000EE0000-0x0000000000F61000-memory.dmp

memory/2136-20-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2052-16-0x0000000000C00000-0x0000000000C81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 2ac8bad7a05f3bdc1723eef5800eb79c
SHA1 a044dd8d21f925f722d8928ab090ed0700440102
SHA256 4e21be48d3d6bf7a95c749ba0d9f9fddef739edcb6445032282dffe033169d28
SHA512 480e592af44a045b8f0ef68f5b71404bc6ed09c66c9443821dc562435386e8ab886ce2c75ae82a07ed31a35481c5cb22f837253a9ff518144198858334c3dace

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 957de31757e9549a9373adb0f3d7d7e8
SHA1 5474c74a301b507cb9ea8e5f13eb3af862b2dbab
SHA256 3bba5775049c93a70c4d43ca98d0b93490808db27422693679578586ad611a1f
SHA512 f5447acb2cb3bca93814f8e9f81dd5b0cc4c029dc9d7e8295051016c10a5035b6e29b9b88ba80e8be110d13bd86bb24dcdc960cf9c38bf81ba011bb50ff771e8

memory/2136-24-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2136-25-0x0000000000EE0000-0x0000000000F61000-memory.dmp

\Users\Admin\AppData\Local\Temp\oqidm.exe

MD5 25643646cdfa09142cf3b815c76367f5
SHA1 8581eb14f1bf584a033e17a29e22edc4611cae0e
SHA256 b78579b7ccf24d26ba82b7c8b5d3ded7701f312c82cbe528be992c452f6e6efa
SHA512 849466cb8b011237715314407384a515a221fb09afe52a03f61371f92f6bd6ebcc0d0bb6df33d51b76c56e95b542d6d41f4bb4a199d8bb2a3857108dbbbfce26

memory/1884-46-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/1884-43-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/2136-42-0x0000000000EE0000-0x0000000000F61000-memory.dmp

memory/2136-39-0x0000000000B20000-0x0000000000BB9000-memory.dmp

memory/1884-48-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/1884-49-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/1884-50-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/1884-51-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/1884-52-0x0000000000DE0000-0x0000000000E79000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 02:51

Reported

2024-10-10 02:53

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\qekoz.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qekoz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cipoj.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qekoz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cipoj.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cipoj.exe N/A (64 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3100 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe C:\Users\Admin\AppData\Local\Temp\qekoz.exe (3 identical events)
PID 3100 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe C:\Windows\SysWOW64\cmd.exe (3 identical events)
PID 1000 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\qekoz.exe C:\Users\Admin\AppData\Local\Temp\cipoj.exe (3 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe

"C:\Users\Admin\AppData\Local\Temp\574bca65b0b385c9649f0d5cc3e0f58b9e912fbe60beaec3285f356dae7cc53eN.exe"

C:\Users\Admin\AppData\Local\Temp\qekoz.exe

"C:\Users\Admin\AppData\Local\Temp\qekoz.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\cipoj.exe

"C:\Users\Admin\AppData\Local\Temp\cipoj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
KR 218.54.31.226:11300 N/A tcp
KR 1.234.83.146:11170 N/A tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
KR 218.54.31.166:11300 N/A tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
JP 133.242.129.155:11300 N/A tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3100-0-0x00000000002D0000-0x0000000000351000-memory.dmp

memory/3100-1-0x0000000000570000-0x0000000000571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qekoz.exe

MD5 3132bf33042f4ae6b883db5154c94c1a
SHA1 b359faa2e1482dfde712cdc4b59a902e37878b90
SHA256 526b1d1acd9134386dd71d8aacabf9f317f2e54eea3c6db3dd3c047ea14634c8
SHA512 e991786386bc11f7ad9bb98d04c4887d4367f6e773b397aa9389b2398e16ce50d506d8c8eca4043ce6dc6cb82afefa88be8f79bfb78a6d7d3f0b667c8bde0ed0

memory/1000-11-0x0000000000880000-0x0000000000901000-memory.dmp

memory/1000-14-0x0000000000840000-0x0000000000841000-memory.dmp

memory/3100-17-0x00000000002D0000-0x0000000000351000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 2ac8bad7a05f3bdc1723eef5800eb79c
SHA1 a044dd8d21f925f722d8928ab090ed0700440102
SHA256 4e21be48d3d6bf7a95c749ba0d9f9fddef739edcb6445032282dffe033169d28
SHA512 480e592af44a045b8f0ef68f5b71404bc6ed09c66c9443821dc562435386e8ab886ce2c75ae82a07ed31a35481c5cb22f837253a9ff518144198858334c3dace

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 1f825bd1d2f8366713c2ba72083579ff
SHA1 b86a4edc26bdf897e4e340ebe8ecf49c53a799bd
SHA256 a055b21159d71a37a91ad912fb07f66c54b3736c38670f89a7c4014cd49ae919
SHA512 dfd2a18b239a39593de0c922c8857326c4741f76bf9413f8c6da60dd62892d8e3accc4d01ddf72ee95aa61290924bbb70f8d28d28b06e3fec94cc55649c97e42

memory/1000-20-0x0000000000880000-0x0000000000901000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cipoj.exe

MD5 1f17f5be646a5678e43bd59ddc1264d8
SHA1 87f17cfe5f7f1462812074772ca10427af0fb8f4
SHA256 3ed9c61079d98f69e4c6ffbaa1160ae09c6ca5ff8214a6a29e420431e00393f7
SHA512 3eeebc20e4a8752646fbf8470a63fdacad1f22697e3a4f848d183be113e20f018426703bc9d2add4e6530456e451ad172440342907470ed48d46e0466dee6679

memory/4936-39-0x0000000000A60000-0x0000000000AF9000-memory.dmp

memory/4936-37-0x0000000000A60000-0x0000000000AF9000-memory.dmp

memory/1000-43-0x0000000000880000-0x0000000000901000-memory.dmp

memory/4936-38-0x00000000005F0000-0x00000000005F2000-memory.dmp

memory/4936-45-0x00000000005F0000-0x00000000005F2000-memory.dmp

memory/4936-46-0x0000000000A60000-0x0000000000AF9000-memory.dmp

memory/4936-47-0x0000000000A60000-0x0000000000AF9000-memory.dmp

memory/4936-48-0x0000000000A60000-0x0000000000AF9000-memory.dmp

memory/4936-49-0x0000000000A60000-0x0000000000AF9000-memory.dmp

memory/4936-50-0x0000000000A60000-0x0000000000AF9000-memory.dmp