Malware Analysis Report

2024-11-16 13:24

Sample ID 241010-pwpz7awcmg
Target 26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN
SHA256 26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfc
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfc

Threat Level: Known bad

The file 26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Loads dropped DLL

Deletes itself

Executes dropped EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 12:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 12:40

Reported

2024-10-10 12:43

Platform

win7-20240903-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\puput.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ukkod.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\puput.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ukkod.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ukkod.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2792 wrote to memory of 2260 | N/A | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | C:\Users\Admin\AppData\Local\Temp\puput.exe
PID 2792 wrote to memory of 1916 | N/A | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 680 | N/A | C:\Users\Admin\AppData\Local\Temp\puput.exe | C:\Users\Admin\AppData\Local\Temp\ukkod.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe

"C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe"

C:\Users\Admin\AppData\Local\Temp\puput.exe

"C:\Users\Admin\AppData\Local\Temp\puput.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\ukkod.exe

"C:\Users\Admin\AppData\Local\Temp\ukkod.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11300 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.31.166:11300 | | tcp
JP | 133.242.129.155:11300 | | tcp

Files

memory/2792-0-0x0000000000B50000-0x0000000000BD1000-memory.dmp

memory/2792-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2260-19-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 1bcf6e84593a2737b72f9e5f92ad7641
SHA1 94ae68f6245af06df5a0bc05f99ec90e7303cda6
SHA256 887ef62fe79f18188c91b50d989cecb9921e7880559238376bb4e470099c313c
SHA512 30da01bb8cb955e9e501f00b4e4a4c4a7215ec457b2ebc8a64af4c46bb444bbb514d7c89e8a878c1ff413451aef2bf55e21e88f9426125c97ef93a0889e91649

memory/2792-21-0x0000000000B50000-0x0000000000BD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\puput.exe

MD5 17b47673e62c3b5bfa05b936f7c551b3
SHA1 98bee63a4ca1c01729772a4859475e2a432039e8
SHA256 1362a7613206ec7a250e01684ad570cbdc80644301b697624fe877ee94d686d0
SHA512 1beb955a6601d882767b1821895f4a5ae3fd948e26c105f3351c3f0f1cb5c171d3902ca53c0466cf6fe3243a8e2c6cde908b43a1151bdb73dc1f28a660014719

memory/2260-18-0x0000000000B40000-0x0000000000BC1000-memory.dmp

memory/2792-17-0x0000000002510000-0x0000000002591000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 15bdf146bfa8d69a4c3e313e3c19178a
SHA1 a2eea39c8a765d8379e6441dc27b89e976bf776d
SHA256 961198d6a3b18b70e15fac6abec716df94ae249d516c17b6070f4da29044d8cc
SHA512 f39877e29be668bf93c72b64a053d8f793a660169cfe60a880ea1e9d9299e54d0f67ef8ff1a6a63379efb45b0957bb63f0c3bc9407f4896b9548d1eb9117a4b6

memory/2260-24-0x0000000000B40000-0x0000000000BC1000-memory.dmp

\Users\Admin\AppData\Local\Temp\ukkod.exe

MD5 6b4b78122905b97d8120956ebc52d243
SHA1 bcbcdf9fc6a18a461e1997fd5d770edb1c4a8cd5
SHA256 b93e35c3df28ee0b5165d4b278ccd87768adf5d7d46d54e3b1a9e5d2b04c1e9f
SHA512 14b7f673d38244bb810694bb8b42ba4f2020684fe2b63e9b97b64a202e64e571f3abd6a43c3e9e2c725a0aea652f0f3cd88fe7f2bef0cc4a6d3128808a20ebd0

memory/2260-38-0x0000000003790000-0x0000000003829000-memory.dmp

memory/680-43-0x00000000000A0000-0x0000000000139000-memory.dmp

memory/680-42-0x00000000000A0000-0x0000000000139000-memory.dmp

memory/2260-41-0x0000000000B40000-0x0000000000BC1000-memory.dmp

memory/680-47-0x00000000000A0000-0x0000000000139000-memory.dmp

memory/680-48-0x00000000000A0000-0x0000000000139000-memory.dmp

memory/680-49-0x00000000000A0000-0x0000000000139000-memory.dmp

memory/680-50-0x00000000000A0000-0x0000000000139000-memory.dmp

memory/680-51-0x00000000000A0000-0x0000000000139000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 12:40

Reported

2024-10-10 12:43

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\uvnoq.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uvnoq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ecofg.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uvnoq.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ecofg.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ecofg.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4480 wrote to memory of 1036 | N/A | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | C:\Users\Admin\AppData\Local\Temp\uvnoq.exe
PID 4480 wrote to memory of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe | C:\Windows\SysWOW64\cmd.exe
PID 1036 wrote to memory of 2964 | N/A | C:\Users\Admin\AppData\Local\Temp\uvnoq.exe | C:\Users\Admin\AppData\Local\Temp\ecofg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe

"C:\Users\Admin\AppData\Local\Temp\26c4a6de7809c79c16b57d01d37b8356aabfc2048a6c9884d72cfaafb01f2dfcN.exe"

C:\Users\Admin\AppData\Local\Temp\uvnoq.exe

"C:\Users\Admin\AppData\Local\Temp\uvnoq.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\ecofg.exe

"C:\Users\Admin\AppData\Local\Temp\ecofg.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
KR | 218.54.31.226:11300 | | tcp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
KR | 218.54.31.166:11300 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
JP | 133.242.129.155:11300 | | tcp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

memory/4480-0-0x0000000000220000-0x00000000002A1000-memory.dmp

memory/4480-1-0x0000000000750000-0x0000000000751000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uvnoq.exe

MD5 482059179adc5c8e0fe3c7e337f33bda
SHA1 efd80c2626a3499b063ab68eafe55d1816ba890a
SHA256 a72db3b9e28453dfd9524e80c4763b29d04e84cc27704caab5cc317c9ab17a9b
SHA512 11d133330fa43ee0c026494cb2d3bb7382fb4db6fb717ea0a5e87ac08026d7ff94eec6135ee7af93f80bffeb5f938bbd212fbffa337edb09de2999f0a42d6dea

memory/1036-11-0x0000000000810000-0x0000000000891000-memory.dmp

memory/1036-14-0x0000000000380000-0x0000000000381000-memory.dmp

memory/4480-17-0x0000000000220000-0x00000000002A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 1bcf6e84593a2737b72f9e5f92ad7641
SHA1 94ae68f6245af06df5a0bc05f99ec90e7303cda6
SHA256 887ef62fe79f18188c91b50d989cecb9921e7880559238376bb4e470099c313c
SHA512 30da01bb8cb955e9e501f00b4e4a4c4a7215ec457b2ebc8a64af4c46bb444bbb514d7c89e8a878c1ff413451aef2bf55e21e88f9426125c97ef93a0889e91649

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 cfbe2fa26882c48ca924d6f6712fa3fe
SHA1 e5125cdf46669e2bff83b09410af7ae63d89db55
SHA256 11efd0c6f1c19c2fcd8e1fe55c2d5687c0f4aa4fcccea5353049f3caaa899a1d
SHA512 499bed0f5222b085b40cf4e6fbfe59cd2b4f6a2c9567babec28f91efe65a5a07602bc5d5b9acb07aa0aee7208d942a3f6256a60ec549cb9b68464f0174bdac64

memory/1036-21-0x0000000000380000-0x0000000000381000-memory.dmp

memory/1036-20-0x0000000000810000-0x0000000000891000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ecofg.exe

MD5 acf36ac2c013bf925855ef5de75d78b7
SHA1 905a4d545c8f67c97e8349fb4a89d7cdd37f0f74
SHA256 ae60886047436c5439ae6a6231b4a69f7f7f7e27bf430b5a1d1e47adf99288bc
SHA512 1e8b34ea71c60e99ccff8f826792531856807a3c076ee0a965f635366027112026434358a7ef147314c44fb045e1c6efebe46495a397fb08708e4e0c28e3089d

memory/2964-39-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2964-38-0x0000000000AB0000-0x0000000000B49000-memory.dmp

memory/1036-41-0x0000000000810000-0x0000000000891000-memory.dmp

memory/2964-42-0x0000000000AB0000-0x0000000000B49000-memory.dmp

memory/2964-46-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/2964-47-0x0000000000AB0000-0x0000000000B49000-memory.dmp

memory/2964-48-0x0000000000AB0000-0x0000000000B49000-memory.dmp

memory/2964-49-0x0000000000AB0000-0x0000000000B49000-memory.dmp

memory/2964-50-0x0000000000AB0000-0x0000000000B49000-memory.dmp

memory/2964-51-0x0000000000AB0000-0x0000000000B49000-memory.dmp