Malware Analysis Report

2024-11-16 13:24

Sample ID 241010-f3yfgatfrj
Target 2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N
SHA256 2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312
Tags: urelas, discovery, trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK (Enterprise Matrix V15)
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312

Threat Level: Known bad

The file 2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Discovery (TA0007): System Location Discovery (T1614) and its sub-technique System Language Discovery (T1614.001), mapped from the "Checks computer location settings" and "System Location Discovery: System Language Discovery" signatures recorded in the behavioral runs below.

Analysis: static1

Detonation Overview

Reported

2024-10-10 05:24

Signatures

Unsigned PE
  The sample carries no Authenticode signature. No further indicator details were recorded for the static pass.

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 05:24

Reported

2024-10-10 05:27

Platform

win7-20240903-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"

Signatures

Urelas (tags: trojan, urelas)

Deletes itself
  Process: C:\Windows\SysWOW64\cmd.exe
  The deletion is carried out by the cmd.exe child that runs the dropped batch file C:\Users\Admin\AppData\Local\Temp\_uinsey.bat (see Processes below). The batch file's contents are not included in this report; only its hashes are listed under Files.

Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\lobum.exe
  C:\Users\Admin\AppData\Local\Temp\jovur.exe

Enumerates physical storage devices
  (no indicator details recorded)

System Location Discovery: System Language Discovery (tag: discovery)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the installed system language), by each of:
    C:\Windows\SysWOW64\cmd.exe
    C:\Users\Admin\AppData\Local\Temp\jovur.exe
    C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe
    C:\Users\Admin\AppData\Local\Temp\lobum.exe

Suspicious behavior: EnumeratesProcesses
  Process: C:\Users\Admin\AppData\Local\Temp\jovur.exe (54 events; no further indicator details recorded)

Suspicious use of WriteProcessMemory
  PID 1680 (2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe) wrote to memory of PID 1672 (lobum.exe): 4 events
  PID 1680 (2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe) wrote to memory of PID 2408 (C:\Windows\SysWOW64\cmd.exe): 4 events
  PID 1672 (lobum.exe) wrote to memory of PID 1364 (jovur.exe): 4 events
  Every write goes from a process into one it launched, following exactly the edges of the process tree below; the report shows no write into an unrelated or pre-existing process.

Processes

Process tree (PIDs and parent/child edges taken from the WriteProcessMemory events above):

  2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe (PID 1680)
    "C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"
    +-- lobum.exe (PID 1672)
    |     "C:\Users\Admin\AppData\Local\Temp\lobum.exe"
    |     +-- jovur.exe (PID 1364)
    |           "C:\Users\Admin\AppData\Local\Temp\jovur.exe"
    +-- cmd.exe (PID 2408), image C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

Network

All recorded traffic is direct-to-IP TCP on non-standard ports; no DNS resolution is recorded in this run.

Country  Destination            Proto
KR       218.54.31.226:11300    tcp
KR       1.234.83.146:11170     tcp
KR       218.54.31.166:11300    tcp
JP       133.242.129.155:11300  tcp

Files

Dropped files

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
  MD5    d8ca98f5566c72ce8f642652674bebd1
  SHA1   00cb696909ab1f6ccf44a36a4c524c633fcdf634
  SHA256 49118f9536946bf95785ac001138ed4fb605f69e533c755ace4772d1e58351c0
  SHA512 738acd3d1cb95190afebe41c605a1cfa025c6d8cd5a99ad742e55ba62f0699e78e2a1e4fe21992298fb47fbbd54392472427b1eacd56be69cb966c7c6e4473ed

C:\Users\Admin\AppData\Local\Temp\lobum.exe
  MD5    a544b095f653177a95055ef7f0a48700
  SHA1   a2f45b4c48a66b0080afefd331a19a443ba90eb3
  SHA256 9b5b4173e4cea57345da2590dbbce7e8e3e9caad069ecbc6fd620eec2cc67f5b
  SHA512 34916ac13e7c2765643774b16ba80184429660d8191d3480e66f9ddaf5923545c388c8f7119af657fc0f7473475fa474e389ff55d7e6f817e236d272572b4df1

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
  MD5    dbff0e191a4ea6c63b88a60b9806e4d3
  SHA1   be362fe1a0ccb781f91b7da7244cee545a7896f7
  SHA256 d06b8d7fceb8606bacc16bb593715092f28757120498141d8d8abefd3ad556a6
  SHA512 7072e9b997fb8cd148c0b9240deb847ed7448360c221fe2a22448483354e6404742759e4aad2bbb02efb121741ad65a45b6c7a430b98de22b3c697fe32123529

C:\Users\Admin\AppData\Local\Temp\jovur.exe
  MD5    826e7d644a7ac280067657d68ab30a02
  SHA1   7a8fc2e521615d8750ea4db014f9636be145f20d
  SHA256 038a9cbdcf34040181d6afd5ce429be0a1470caa03a39f561aace67d13d2c292
  SHA512 0bc7840a5007a24e84eb8361b8d6a7d810faff238808260c50433156197a8eef7c3dbf0a5ff9f66b8f851d4de9deb1d32436574254bc3c0c019e556e0f752a41

Memory dumps (name format: PID-sequence-start address-end address; listed in the order the sandbox recorded them)

  memory/1680-1-0x0000000000020000-0x0000000000021000-memory.dmp
  memory/1680-0-0x0000000000EF0000-0x0000000000F71000-memory.dmp
  memory/1680-21-0x0000000000EF0000-0x0000000000F71000-memory.dmp
  memory/1672-20-0x0000000000020000-0x0000000000021000-memory.dmp
  memory/1672-19-0x0000000000FE0000-0x0000000001061000-memory.dmp
  memory/1680-17-0x0000000002650000-0x00000000026D1000-memory.dmp
  memory/1672-25-0x0000000000020000-0x0000000000021000-memory.dmp
  memory/1672-24-0x0000000000FE0000-0x0000000001061000-memory.dmp
  memory/1672-39-0x0000000003410000-0x00000000034A9000-memory.dmp
  memory/1672-42-0x0000000000FE0000-0x0000000001061000-memory.dmp
  memory/1364-43-0x0000000000A20000-0x0000000000AB9000-memory.dmp
  memory/1364-44-0x0000000000A20000-0x0000000000AB9000-memory.dmp
  memory/1364-48-0x0000000000A20000-0x0000000000AB9000-memory.dmp
  memory/1364-49-0x0000000000A20000-0x0000000000AB9000-memory.dmp
  memory/1364-50-0x0000000000A20000-0x0000000000AB9000-memory.dmp
  memory/1364-51-0x0000000000A20000-0x0000000000AB9000-memory.dmp
  memory/1364-52-0x0000000000A20000-0x0000000000AB9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 05:24

Reported

2024-10-10 05:27

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"

Signatures

Urelas (tags: trojan, urelas)

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (the user's configured country/region), by:
    C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe
    C:\Users\Admin\AppData\Local\Temp\xouhy.exe
  This signature fired only in the Windows 10 run. Conversely, "Deletes itself" fired only in the Windows 7 run, although cmd.exe executed the same _uinsey.bat here as well (see Processes below).

Executes dropped EXE
  C:\Users\Admin\AppData\Local\Temp\xouhy.exe
  C:\Users\Admin\AppData\Local\Temp\umviz.exe

Enumerates physical storage devices
  (no indicator details recorded)

System Location Discovery: System Language Discovery (tag: discovery)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the installed system language), by each of:
    C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe
    C:\Users\Admin\AppData\Local\Temp\xouhy.exe
    C:\Windows\SysWOW64\cmd.exe
    C:\Users\Admin\AppData\Local\Temp\umviz.exe

Suspicious behavior: EnumeratesProcesses
  Process: C:\Users\Admin\AppData\Local\Temp\umviz.exe (64 events; no further indicator details recorded)

Suspicious use of WriteProcessMemory
  PID 448 (2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe) wrote to memory of PID 5016 (xouhy.exe): 3 events
  PID 448 (2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe) wrote to memory of PID 3560 (C:\Windows\SysWOW64\cmd.exe): 3 events
  PID 5016 (xouhy.exe) wrote to memory of PID 1580 (umviz.exe): 3 events
  As in the Windows 7 run, every write goes from a process into one it launched; the report shows no write into an unrelated or pre-existing process.

Processes

Process tree (PIDs and parent/child edges taken from the WriteProcessMemory events above):

  2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe (PID 448)
    "C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"
    +-- xouhy.exe (PID 5016)
    |     "C:\Users\Admin\AppData\Local\Temp\xouhy.exe"
    |     +-- umviz.exe (PID 1580)
    |           "C:\Users\Admin\AppData\Local\Temp\umviz.exe"
    +-- cmd.exe (PID 3560), image C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

The command line names C:\Windows\system32\cmd.exe but the image that ran is the SysWOW64 copy: the 32-bit parent is subject to WOW64 file-system redirection, so a detection keyed on the command-line path alone would miss the actual image path.
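Both behavioral runs show the same shape: a binary executing from the user's Temp directory starts a second executable from Temp and hands a Temp-resident .bat file to cmd.exe. The following detection logic, added here as an example and not part of the sandbox report, walks process-creation records (shaped like Sysmon Event ID 1) and flags that shape. The input records are constructed from the PIDs, paths and command lines of the behavioral1 run; the launcher PID 1000 and the notepad.exe record are assumptions added as benign noise.

```python
"""Detect the drop-and-self-delete chain shown in this report: a process
running from the user's Temp directory that launches another executable from
Temp and runs cmd.exe on a .bat file from Temp. Added example, not part of
the sandbox report; records are constructed from the behavioral1 run."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Per-user temp directory on Windows; drive letter and user name are wildcards.
TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Matches the doubled-quote form the report shows: cmd /c ""<path>.bat" "
BAT_RE = re.compile(r'/c\s+"+([^"]+\.bat)"', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def in_user_temp(path: str) -> bool:
    """True when the path lies under the user's AppData\\Local\\Temp directory."""
    return bool(TEMP_RE.match(path))


def bat_from_cmdline(cmdline: str) -> Optional[str]:
    """Return the .bat path handed to cmd /c, or None if the line has none."""
    m = BAT_RE.search(cmdline)
    return m.group(1) if m else None


def find_dropper_chains(events: List[ProcEvent]) -> List[Dict]:
    """For every Temp-resident parent, collect the Temp executables it started
    and the Temp batch files it ran through cmd.exe. A parent that did both is
    flagged as a drop-and-self-delete chain, the pattern this report shows."""
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for parent in events:
        if not in_user_temp(parent.image):
            continue
        dropped, bats = [], []
        for child in children.get(parent.pid, []):
            if ntpath.basename(child.image).lower() == "cmd.exe":
                bat = bat_from_cmdline(child.cmdline)
                if bat and in_user_temp(bat):
                    bats.append(ntpath.basename(bat))
            elif in_user_temp(child.image) and child.image.lower().endswith(".exe"):
                dropped.append(ntpath.basename(child.image))
        if dropped or bats:
            findings.append({
                "pid": parent.pid,
                "image": ntpath.basename(parent.image),
                "dropped_exes": dropped,
                "bat_files": bats,
                "self_delete_chain": bool(dropped and bats),
            })
    return findings


# Constructed from the behavioral1 run. PID 1000 for the sandbox launcher and
# the notepad.exe record are assumptions, added as benign noise.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"
EVENTS = [
    ProcEvent(1680, 1000, SAMPLE, '"' + SAMPLE + '"'),
    ProcEvent(1672, 1680, TEMP + r"\lobum.exe", '"' + TEMP + r'\lobum.exe"'),
    ProcEvent(2408, 1680, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + TEMP + r'\_uinsey.bat" "'),
    ProcEvent(1364, 1672, TEMP + r"\jovur.exe", '"' + TEMP + r'\jovur.exe"'),
    ProcEvent(4100, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for finding in find_dropper_chains(EVENTS):
        print(finding)
```

Run against the constructed records it reports two Temp-resident parents: PID 1680 with both a dropped executable and a batch file (flagged as the full chain) and PID 1672, which only launched a further Temp executable. The regex deliberately accepts the `""<path>" "` quoting seen in the report rather than a single pair of quotes, since that doubled form is how the sample invokes cmd.exe in both runs.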

Network

The four TCP endpoints are the same ones contacted in the Windows 7 run and are the actionable network indicators. The UDP rows are reverse-DNS (PTR) lookups sent to 8.8.8.8 for addresses the sample never connects to (none of them appears as a TCP destination), so they are most plausibly sandbox or OS background traffic rather than sample behavior.

Country  Destination            Domain                      Proto
US       8.8.8.8:53             17.160.190.20.in-addr.arpa  udp
US       8.8.8.8:53             55.36.223.20.in-addr.arpa   udp
KR       218.54.31.226:11300                                tcp
KR       1.234.83.146:11170                                 tcp
US       8.8.8.8:53             53.210.109.20.in-addr.arpa  udp
US       8.8.8.8:53             198.187.3.20.in-addr.arpa   udp
US       8.8.8.8:53             98.117.19.2.in-addr.arpa    udp
KR       218.54.31.166:11300                                tcp
JP       133.242.129.155:11300                              tcp
US       8.8.8.8:53             19.229.111.52.in-addr.arpa  udp
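The Network tables of both runs give four ip:port pairs and, in the Windows 10 run, a set of PTR lookups that need to be told apart from sample traffic. The script below, added as an example and not part of the report, matches connection records against that endpoint set and decodes in-addr.arpa names so a PTR lookup of a C2 address is not discarded as noise. The endpoint set is copied from the report; the flow records are constructed from the behavioral2 table plus three hypothetical records (203.0.113.x is a documentation range) that exercise the non-exact branches.

```python
"""Match connection records against the C2 endpoints listed in this report
and separate them from DNS noise. Added example, not part of the report."""
import ipaddress
from collections import Counter
from typing import Dict, List, Optional

# (destination IP, port) pairs the sample connected to in both runs (report data).
URELAS_C2 = {
    ("218.54.31.226", 11300),
    ("218.54.31.166", 11300),
    ("133.242.129.155", 11300),
    ("1.234.83.146", 11170),
}
C2_IPS = {ip for ip, _ in URELAS_C2}
C2_PORTS = {port for _, port in URELAS_C2}


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode a reverse-lookup name d.c.b.a.in-addr.arpa into the IPv4 a.b.c.d it asks about."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def classify(flow: Dict) -> str:
    """Label one flow: exact ip:port hits are the report's indicators, a C2
    port on a new host deserves triage, and PTR lookups are noise unless they
    ask about a C2 address."""
    dst, dport, proto = flow["dst"], int(flow["dport"]), flow["proto"].lower()
    if (dst, dport) in URELAS_C2:
        return "c2_exact"
    if proto == "udp" and dport == 53:
        target = ptr_to_ip(flow.get("query", ""))
        if target is None:
            return "dns_other"
        return "ptr_lookup_c2" if target in C2_IPS else "ptr_lookup_noise"
    if proto == "tcp" and dport in C2_PORTS:
        return "c2_port_only"
    return "other"


def summarize(flows: List[Dict]) -> Counter:
    return Counter(classify(f) for f in flows)


def dns(query: str) -> Dict:
    return {"dst": "8.8.8.8", "dport": 53, "proto": "udp", "query": query}


def tcp(dst: str, dport: int) -> Dict:
    return {"dst": dst, "dport": dport, "proto": "tcp"}


# First ten records: the behavioral2 Network table. Last three: hypothetical.
FLOWS = [
    dns("17.160.190.20.in-addr.arpa"), dns("55.36.223.20.in-addr.arpa"),
    tcp("218.54.31.226", 11300), tcp("1.234.83.146", 11170),
    dns("53.210.109.20.in-addr.arpa"), dns("198.187.3.20.in-addr.arpa"),
    dns("98.117.19.2.in-addr.arpa"),
    tcp("218.54.31.166", 11300), tcp("133.242.129.155", 11300),
    dns("19.229.111.52.in-addr.arpa"),
    tcp("203.0.113.9", 11300),            # hypothetical: known C2 port, unknown host
    dns("226.31.54.218.in-addr.arpa"),    # hypothetical: PTR lookup of a C2 address
    tcp("203.0.113.10", 443),             # hypothetical: unrelated traffic
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f"{classify(f):17} {f['dst']}:{f['dport']}/{f['proto']} {f.get('query', '')}")
    print(dict(summarize(FLOWS)))
```

On the report's own ten records the script yields four exact C2 hits and six PTR lookups of unrelated addresses (20.190.160.17, 20.223.36.55, 20.109.210.53, 20.3.187.198, 2.19.117.98, 52.111.229.19 once decoded). The port-only class exists because the sample uses the same two ports against several hosts in two countries, so a new host on 11300 or 11170 from the same process is worth a look even before the IP lands on a blocklist.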

Files

Dropped files

C:\Users\Admin\AppData\Local\Temp\xouhy.exe
  MD5    eac73a1010a6f97a9a8113d4b0efee8a
  SHA1   bdfcf4b7c53afcee6bbe794a9f523836c6654208
  SHA256 42f0970ad502f385917a9afe0bec32673517efeba5e73b7caea018b420c27203
  SHA512 06fb3e7efe41b35c001145285527d0c81049cf2bd11a66090dac90e4efcc3cf920cfea98a12bd0f314423387606933b8d39a2019c3f683ad5da7d5ad03e8a3dd

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
  MD5    d8ca98f5566c72ce8f642652674bebd1
  SHA1   00cb696909ab1f6ccf44a36a4c524c633fcdf634
  SHA256 49118f9536946bf95785ac001138ed4fb605f69e533c755ace4772d1e58351c0
  SHA512 738acd3d1cb95190afebe41c605a1cfa025c6d8cd5a99ad742e55ba62f0699e78e2a1e4fe21992298fb47fbbd54392472427b1eacd56be69cb966c7c6e4473ed

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
  MD5    a4dddd60e540478b876ea01812c33655
  SHA1   207c97072aa1a2c5c279da9a1fb424611e5a07c8
  SHA256 77b634fa326109d9246a77f4ec72f7f26d4e2c95400083583382d92e5e1892a3
  SHA512 464fe304f1ad708161a18b5a5f352b74e1f1efa2c0a2f6e63a06d4832ae12e907ad8e225a20725b7a935a9510524b03d00aed0bf2d7d87afba2523040751efe0

C:\Users\Admin\AppData\Local\Temp\umviz.exe
  MD5    35ffdd06c720ca086866dcc5e66ab99c
  SHA1   7a90c2ff7969243886003839d8a20a6c19b57d9f
  SHA256 830ef262c39925dfa12bce92e531321aae2103807b751f0739b555f99ed454c4
  SHA512 d2053f00c5c3ac673fe24de0cdb631bb947afe821c87cecb59a925736313aa24032adde6b65ad48d5a5d48952245f896ec5144b3fbefec700c13b3106cf774a7

Across the two runs only _uinsey.bat is byte-identical (same MD5 d8ca98f5566c72ce8f642652674bebd1 in both). The dropped executables carry different random names (lobum.exe/jovur.exe on Windows 7, xouhy.exe/umviz.exe on Windows 10) and different hashes per run, and golfinfo.ini differs as well, so hashes of the second-stage files are weak indicators for this sample; the batch-file hash, the Temp drop-and-self-delete process pattern and the four C2 endpoints are the stable ones.

Memory dumps (name format: PID-sequence-start address-end address; listed in the order the sandbox recorded them)

  memory/448-0-0x0000000000AF0000-0x0000000000B71000-memory.dmp
  memory/448-1-0x0000000000780000-0x0000000000781000-memory.dmp
  memory/5016-11-0x0000000000BD0000-0x0000000000C51000-memory.dmp
  memory/5016-14-0x0000000000F80000-0x0000000000F81000-memory.dmp
  memory/448-17-0x0000000000AF0000-0x0000000000B71000-memory.dmp
  memory/5016-20-0x0000000000BD0000-0x0000000000C51000-memory.dmp
  memory/1580-37-0x0000000000DA0000-0x0000000000E39000-memory.dmp
  memory/1580-38-0x0000000000190000-0x0000000000192000-memory.dmp
  memory/1580-41-0x0000000000DA0000-0x0000000000E39000-memory.dmp
  memory/5016-40-0x0000000000BD0000-0x0000000000C51000-memory.dmp
  memory/1580-45-0x0000000000190000-0x0000000000192000-memory.dmp
  memory/1580-46-0x0000000000DA0000-0x0000000000E39000-memory.dmp
  memory/1580-47-0x0000000000DA0000-0x0000000000E39000-memory.dmp
  memory/1580-48-0x0000000000DA0000-0x0000000000E39000-memory.dmp
  memory/1580-49-0x0000000000DA0000-0x0000000000E39000-memory.dmp
  memory/1580-50-0x0000000000DA0000-0x0000000000E39000-memory.dmp