Malware Analysis Report

2024-11-16 13:25

Sample ID 241012-n1w4matcll
Target 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN
SHA256 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46b
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46b

Threat Level: Known bad

The file 8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-12 11:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-12 11:52

Reported

2024-10-12 11:54

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ujqoa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ujqoa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nuzuy.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nuzuy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ujqoa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nuzuy.exe N/A (64 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe

"C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"

C:\Users\Admin\AppData\Local\Temp\ujqoa.exe

"C:\Users\Admin\AppData\Local\Temp\ujqoa.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\nuzuy.exe

"C:\Users\Admin\AppData\Local\Temp\nuzuy.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 udp

Files

memory/404-0-0x00000000001E0000-0x0000000000261000-memory.dmp

memory/404-1-0x0000000001110000-0x0000000001111000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ujqoa.exe

MD5 e6d9541b402f61ca688a3a4cbbdc1ed1
SHA1 97e5971a7827a89e0b1a6a611c1ca13c9735b9cd
SHA256 5c43d27da8d5361c7eb38180d428f94ce323ed0321231cc54ede12dba54015f4
SHA512 9d88390bdc1d6f3c6e405a5581dd713649cfaecdcb47e258359ace15a5d94290ddf0a571dec73d240483e8b566a2b6c323a1b01654bede4b3f3fe91ac88508b0

memory/628-14-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/628-11-0x00000000000B0000-0x0000000000131000-memory.dmp

memory/404-17-0x00000000001E0000-0x0000000000261000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 4f237e2fc86c1f1f2b92b627c68ffafb
SHA1 c0d7607700d7804b07de537051e7fe2ca95d3a3c
SHA256 e4aa4bb70edc5b78037c60a80aa48ebfba1e99a3c2ea382304509a81be74deb2
SHA512 4b7953774ceb9abf63175fe1c086733d7367b3ab471a7bd68bf0f82b6b856978aff19923b2f45a8aa42808a76157772e3baf6e95ff7bb33e148fb1e140d9c0f7

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b66922e07df073c93a644e5ca075827f
SHA1 cac1cc430e92dd90eb355b97cbfd880b6d8b8171
SHA256 5adfcb39a77b2361dbe9ef25811cc51f9ccd9f906fe6c7f162af09891336c78e
SHA512 95ea7279f524e9d9550683b125b8d41c5cca8dcf03f7f7a0e7385c87981235a11b3161e9e995d07b6b4e59db963995b6f4e553816e663d6dc6bd4f2fd5eb45a0

memory/628-20-0x00000000000B0000-0x0000000000131000-memory.dmp

memory/628-21-0x00000000005E0000-0x00000000005E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nuzuy.exe

MD5 ca9b8f1aeb4ecb5a604f5a3bbf38fb59
SHA1 34395139279f52805df07434aca840821a29fb8b
SHA256 9314175d4bf7f3f56ff2b0380752942ce58a480e16915ffea70a6f03cc7fd37e
SHA512 2b5b63074a651213a98223621f1986301834441a82ff0b2d4993d6294a29fc251db6e1594e8b465ce5400537ffd88b5b36504c3f924ed302c776908898a15220

memory/5080-39-0x00000000005F0000-0x00000000005F2000-memory.dmp

memory/628-41-0x00000000000B0000-0x0000000000131000-memory.dmp

memory/5080-38-0x00000000004F0000-0x0000000000589000-memory.dmp

memory/5080-42-0x00000000004F0000-0x0000000000589000-memory.dmp

memory/5080-47-0x00000000005F0000-0x00000000005F2000-memory.dmp

memory/5080-46-0x00000000004F0000-0x0000000000589000-memory.dmp

memory/5080-48-0x00000000004F0000-0x0000000000589000-memory.dmp

memory/5080-49-0x00000000004F0000-0x0000000000589000-memory.dmp

memory/5080-50-0x00000000004F0000-0x0000000000589000-memory.dmp

memory/5080-51-0x00000000004F0000-0x0000000000589000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-12 11:52

Reported

2024-10-12 11:54

Platform

win7-20240729-en

Max time kernel

149s

Max time network

76s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\awujx.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\loaxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\awujx.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\awujx.exe N/A (54 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe C:\Users\Admin\AppData\Local\Temp\loaxu.exe (4 identical events)
PID 2296 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe C:\Windows\SysWOW64\cmd.exe (4 identical events)
PID 1748 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\loaxu.exe C:\Users\Admin\AppData\Local\Temp\awujx.exe (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe

"C:\Users\Admin\AppData\Local\Temp\8a3cd75ba42ce6863d3d920c13490c65b54b03c50d499fc432230224938fc46bN.exe"

C:\Users\Admin\AppData\Local\Temp\loaxu.exe

"C:\Users\Admin\AppData\Local\Temp\loaxu.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\awujx.exe

"C:\Users\Admin\AppData\Local\Temp\awujx.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/2296-0-0x00000000002D0000-0x0000000000351000-memory.dmp

memory/2296-1-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\loaxu.exe

MD5 403e0aa177f509f25090c542ca0767eb
SHA1 0d20f6e4df03f1553c3debea32d8a80871a04d77
SHA256 8a93073a1783a2cabf29d7b11964660fba85be90bde5e52175097482b39da79e
SHA512 576d3afe18395cf948501d922cb42d07154917396101e3dce0755373c2c7d8501ef19c574482530674084a6b09880bc720848a391a3843d508e4219457e12d52

memory/1748-11-0x0000000000E80000-0x0000000000F01000-memory.dmp

memory/2296-9-0x0000000001DF0000-0x0000000001E71000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 4f237e2fc86c1f1f2b92b627c68ffafb
SHA1 c0d7607700d7804b07de537051e7fe2ca95d3a3c
SHA256 e4aa4bb70edc5b78037c60a80aa48ebfba1e99a3c2ea382304509a81be74deb2
SHA512 4b7953774ceb9abf63175fe1c086733d7367b3ab471a7bd68bf0f82b6b856978aff19923b2f45a8aa42808a76157772e3baf6e95ff7bb33e148fb1e140d9c0f7

memory/1748-21-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2296-20-0x00000000002D0000-0x0000000000351000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 1528cb2dbf1e7e03ec96f5aeb6fee5f6
SHA1 9117d274e63ad1fdeebdd966b5331d83471eb7b1
SHA256 2255a0548e70b8d750b14e89ad07f0fcb09dbbf7b83568a660e8ddcb340a36f6
SHA512 d3f032f1a8192e6c14e8e06afb918710568f49336d934e96aeafadf5bb5d8b5e350c40db31b1d827d89bfaba5979c2cb69ba3c656174aca782551cc856f0be18

memory/1748-24-0x0000000000E80000-0x0000000000F01000-memory.dmp

memory/1748-25-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\awujx.exe

MD5 76cd1fcdb6d5878c4af057641d093fc7
SHA1 954a523d6723ecbcec808c38cb13122b0c619daa
SHA256 44d7adae420055b55a7be2533caee02910f43cc9b10bc1547770700d2c85b371
SHA512 4046612c5417581ef66bb3de8fd78c22e507df4bf30471c2c9b3c3dcad74702da8401770ebf7ca60e83e2991b3169d6f212a3a726966118bf6f7d7bed9996c99

memory/1748-38-0x0000000003710000-0x00000000037A9000-memory.dmp

memory/2868-46-0x0000000000E90000-0x0000000000F29000-memory.dmp

memory/2868-43-0x0000000000E90000-0x0000000000F29000-memory.dmp

memory/1748-42-0x0000000000E80000-0x0000000000F01000-memory.dmp

memory/2868-48-0x0000000000E90000-0x0000000000F29000-memory.dmp

memory/2868-49-0x0000000000E90000-0x0000000000F29000-memory.dmp

memory/2868-50-0x0000000000E90000-0x0000000000F29000-memory.dmp

memory/2868-51-0x0000000000E90000-0x0000000000F29000-memory.dmp

memory/2868-52-0x0000000000E90000-0x0000000000F29000-memory.dmp