Malware Analysis Report

2024-11-16 13:26

Sample ID: 241012-27hfps1bqk
Target: 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b
SHA256: 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b
Tags: urelas, discovery, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b

Threat Level: Known bad

The file 71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-12 23:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 23:13

Reported

2024-10-12 23:15

Platform

win7-20240903-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hohab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fuqic.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fuqic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hohab.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fuqic.exe N/A (54 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe C:\Users\Admin\AppData\Local\Temp\hohab.exe (4 identical entries)
PID 2656 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2588 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\hohab.exe C:\Users\Admin\AppData\Local\Temp\fuqic.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe

"C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"

C:\Users\Admin\AppData\Local\Temp\hohab.exe

"C:\Users\Admin\AppData\Local\Temp\hohab.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\fuqic.exe

"C:\Users\Admin\AppData\Local\Temp\fuqic.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 - tcp
KR 1.234.83.146:11170 - tcp
KR 218.54.31.166:11300 - tcp
JP 133.242.129.155:11300 - tcp

Files

memory/2656-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2656-0-0x0000000000870000-0x00000000008F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\hohab.exe

MD5 9941d977f3f363bdcf6b0e61cb6da44d
SHA1 1946600e6bf1b10c469e47066bd50f8ae6cb3bff
SHA256 944dc36c1191e53f4a2d237d8029f84ef08c59dcbe748a651f348443095dc90c
SHA512 a3b3be23db0331b8a5696673d40834a3c4c598d02d0b5f9ea0ed607d255b0599dc913d33a5dfa287ec093155613616416ee2c445a7d3a5cb0e8b2357532c5ecf

memory/2588-11-0x0000000000970000-0x00000000009F1000-memory.dmp

memory/2656-7-0x00000000026B0000-0x0000000002731000-memory.dmp

memory/2588-12-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 061e1a7b6dd73689632ea9992e4df62f
SHA1 e30e7d684cb4a1d70e86c807f21d2a75c2bd4650
SHA256 7d46766c246f029c69281803481caa3628f96ede69e2b9c8988007228bd5486c
SHA512 62e339e31fc5b10b14b844fc251077549066f03b415867a9bc2a984f768e69e3f544d900e1e956757d52a07427074cb4d14cc3a65c8215944d3119e05493e2e5

memory/2656-21-0x0000000000870000-0x00000000008F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 711c59f36f3a5ded3a8a23b87ad57524
SHA1 48308d26c085a048c8a387524f0f854233ca1ae8
SHA256 7f8387f94d7102d587de3e0f07c59ac43ea1bf2a398fc6fa914e8108db9dc236
SHA512 a4929ed98abf4b6624fcf7245ef183cce2ef89e4c63a47a4dca060f77c10c22d24d924c541edaf3cb7303e27cd54f7940db1df9ec80a99fc267165a9e43b99c7

memory/2588-24-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2588-25-0x0000000000970000-0x00000000009F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\fuqic.exe

MD5 d2821f8b9da182be09677bafb56e92ba
SHA1 37ebca909fc2fe945f803618e61eb1fe10932068
SHA256 2df885d307cf14d137b9f5a24783ef1877ec42d06b502ab85a9344a37a6463a7
SHA512 389b607b2937499409b8f7f87f6cfe94ebdc795ea733f228e9a7c9a9409d7e61de7b64d3aa2577de1829a6191da3fc26fdb844eb3c712b0f54c417bd128df9d5

memory/1920-43-0x00000000003B0000-0x0000000000449000-memory.dmp

memory/2588-41-0x0000000004010000-0x00000000040A9000-memory.dmp

memory/2588-40-0x0000000000970000-0x00000000009F1000-memory.dmp

memory/1920-44-0x00000000003B0000-0x0000000000449000-memory.dmp

memory/1920-48-0x00000000003B0000-0x0000000000449000-memory.dmp

memory/1920-49-0x00000000003B0000-0x0000000000449000-memory.dmp

memory/1920-50-0x00000000003B0000-0x0000000000449000-memory.dmp

memory/1920-51-0x00000000003B0000-0x0000000000449000-memory.dmp

memory/1920-52-0x00000000003B0000-0x0000000000449000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 23:13

Reported

2024-10-12 23:15

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\hitoc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hitoc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\weybw.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hitoc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\weybw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\weybw.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe C:\Users\Admin\AppData\Local\Temp\hitoc.exe (3 identical entries)
PID 2204 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 1520 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\hitoc.exe C:\Users\Admin\AppData\Local\Temp\weybw.exe (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe

"C:\Users\Admin\AppData\Local\Temp\71cb3790ba116e1dfa5e6a03ce0f6fa63d816d844ce7ab901fd6a8de1fa0d93b.exe"

C:\Users\Admin\AppData\Local\Temp\hitoc.exe

"C:\Users\Admin\AppData\Local\Temp\hitoc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\weybw.exe

"C:\Users\Admin\AppData\Local\Temp\weybw.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
KR 218.54.31.226:11300 - tcp
KR 1.234.83.146:11170 - tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
KR 218.54.31.166:11300 - tcp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
JP 133.242.129.155:11300 - tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/2204-0-0x00000000001A0000-0x0000000000221000-memory.dmp

memory/2204-1-0x00000000010D0000-0x00000000010D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hitoc.exe

MD5 9ab6980564e7d735e8e1b28856aca443
SHA1 4bf9d6777a47adbefc60b71c2c6786ad4babfd0d
SHA256 08d0844c74dc10be43c22853d09f68d05b02e603e6c244ecf5fa6af6a2a33a5a
SHA512 ea3747a81d18ff6da6faf8897f97d8c077dce954a8adbf3228abf3fd20d53b6210d9d37307441aabc052971e4adb5c829215f62992275801060eb31cee9d94b3

memory/1520-14-0x0000000001460000-0x0000000001461000-memory.dmp

memory/1520-13-0x0000000000A90000-0x0000000000B11000-memory.dmp

memory/2204-16-0x00000000001A0000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 061e1a7b6dd73689632ea9992e4df62f
SHA1 e30e7d684cb4a1d70e86c807f21d2a75c2bd4650
SHA256 7d46766c246f029c69281803481caa3628f96ede69e2b9c8988007228bd5486c
SHA512 62e339e31fc5b10b14b844fc251077549066f03b415867a9bc2a984f768e69e3f544d900e1e956757d52a07427074cb4d14cc3a65c8215944d3119e05493e2e5

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 bc419d2d468f8008aa9d944c24f8aad9
SHA1 e47aa37b355deb18941c4cabbbf81602a2ceb629
SHA256 8ecbf27be9a3b09041ffa3f7fb4a013c327daee37b251c2d54c3580b56556a19
SHA512 54f1533731d355e1ddd5cbd2aa83b3941fd97ab8be0e42e251a79f13051baab2c6c7a80fb43825c192e1a835bec5076cb72940afa4f2a1983893a2ea8fc3075a

memory/1520-20-0x0000000001460000-0x0000000001461000-memory.dmp

memory/1520-19-0x0000000000A90000-0x0000000000B11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\weybw.exe

MD5 48a5bf97c43bef50a63c2e6a572d6a37
SHA1 c60dc436e5773857bba41ade8e12cb77b3e8d946
SHA256 24f798f430539d5d34c28ec655c4cd5d71c77ef09bc4a8e907614857dd9df194
SHA512 df209b8c945d7cc72588d2777676596755f2809caa20e4bb26f97b24448ee7ab40f4ec8e8b7e79e4bff08f84460350ee417d6d344de8ec8984479b7fa19c3169

memory/5052-36-0x0000000000C10000-0x0000000000CA9000-memory.dmp

memory/5052-38-0x0000000000C10000-0x0000000000CA9000-memory.dmp

memory/1520-43-0x0000000000A90000-0x0000000000B11000-memory.dmp

memory/5052-42-0x0000000000ED0000-0x0000000000ED2000-memory.dmp

memory/5052-45-0x0000000000C10000-0x0000000000CA9000-memory.dmp

memory/5052-46-0x0000000000C10000-0x0000000000CA9000-memory.dmp

memory/5052-47-0x0000000000C10000-0x0000000000CA9000-memory.dmp

memory/5052-48-0x0000000000C10000-0x0000000000CA9000-memory.dmp

memory/5052-49-0x0000000000C10000-0x0000000000CA9000-memory.dmp