Malware Analysis Report

2025-08-05 19:40

Sample ID  240316-17tnasfe29
Target     92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25
SHA256     92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25
Tags       urelas, trojan
Score      10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score         10/10
SHA256        92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25
Threat Level  Known bad

The file 92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25 was classified as Known bad.

Malicious Activity Summary

Tags    urelas, trojan
Family  Urelas

Signatures aggregated from the analyses below:

Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

Note: "Loads dropped DLL" appears in this summary but in neither behavioral run below, and "Deletes itself" is recorded only for the Win7 run (behavioral1) even though the Win10 run shows the same cmd.exe launches of _vslite.bat.

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings are populated in this export.

Analysis: static1

Detonation Overview

Reported  2024-03-16 22:17

Signatures

Urelas family (urelas)
Unsigned PE: the file carries no Authenticode signature.

No indicator, process or target details are recorded for the static signatures.

Analysis: behavioral1

Detonation Overview

Submitted         2024-03-16 22:17
Reported          2024-03-16 22:20
Platform          win7-20240215-en
Max time kernel   149s
Max time network  121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe"

Signatures

Urelas (trojan, urelas)

Deletes itself
Process: C:\Windows\SysWOW64\cmd.exe (the cmd.exe instances run _vslite.bat from the user's Temp directory; see Processes)

Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\miwyw.exe
C:\Users\Admin\AppData\Local\Temp\kebezo.exe
C:\Users\Admin\AppData\Local\Temp\xypey.exe

Enumerates physical storage devices
No indicator details recorded.

Suspicious behavior: EnumeratesProcesses
Process: C:\Users\Admin\AppData\Local\Temp\xypey.exe (55 identical events; no indicator or target recorded)

Suspicious use of WriteProcessMemory

The report records each writer/target pair four times; the pairs are collapsed here with their row counts. Every target is the process its writer had just started (compare the Processes list), so these rows document the launch chain rather than writes into an unrelated process.

Writer PID -> target PID (rows): writer image -> target image
1804 -> 2264 (4): C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe -> C:\Users\Admin\AppData\Local\Temp\miwyw.exe
1804 -> 2612 (4): C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe -> C:\Windows\SysWOW64\cmd.exe
2264 -> 2676 (4): C:\Users\Admin\AppData\Local\Temp\miwyw.exe -> C:\Users\Admin\AppData\Local\Temp\kebezo.exe
2676 -> 2352 (4): C:\Users\Admin\AppData\Local\Temp\kebezo.exe -> C:\Users\Admin\AppData\Local\Temp\xypey.exe
2676 -> 2536 (4): C:\Users\Admin\AppData\Local\Temp\kebezo.exe -> C:\Windows\SysWOW64\cmd.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above; each line is the recorded command line):

1804  "C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe"
  2264  "C:\Users\Admin\AppData\Local\Temp\miwyw.exe" hi
    2676  "C:\Users\Admin\AppData\Local\Temp\kebezo.exe" OK
      2352  "C:\Users\Admin\AppData\Local\Temp\xypey.exe"
      2536  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "    (image: C:\Windows\SysWOW64\cmd.exe)
  2612  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "    (image: C:\Windows\SysWOW64\cmd.exe)

Each stage starts the next executable, dropped under the user's Temp directory, with a short argument ("hi", then "OK"); the final stage, xypey.exe, is started without arguments and is the process that later enumerates running processes. The sample and kebezo.exe each also launch cmd.exe on a file named _vslite.bat. The two _vslite.bat files have different hashes (see Files), and the "Deletes itself" signature is attributed to cmd.exe, so the batch file performs the removal of the previous stage; its contents are not included in this export.

Network

Country  Destination            Domain  Proto
KR       218.54.31.226:11110    -       tcp
KR       1.234.83.146:11170     -       tcp
KR       218.54.31.165:11110    -       tcp
JP       133.242.129.155:11110  -       tcp

All four connections go directly to IP addresses on non-standard ports (11110 and 11170) with no DNS resolution recorded; no other traffic was captured in the Win7 run.

Files

Dropped files and memory dumps, listed in the order the sandbox recorded them. Memory dump names follow memory/<PID>-<index>-<start>-<end>-memory.dmp. Two points worth noting: _vslite.bat occurs twice under the same path with different contents (MD5 a76e13bcc28ddab8b9f29db5cd0076a3, listed before kebezo.exe, and MD5 71149f47209dc9823bb14e0457040965, listed before xypey.exe), so a hash of either batch file matches only that stage; and the sample (PID 1804), miwyw.exe (PID 2264) and kebezo.exe (PID 2676) all map the same 0x00400000-0x0046E000 image range although the three executables have different hashes, while xypey.exe (PID 2352) maps a different region (0x009C0000-0x00A60000).

memory/1804-0-0x0000000000400000-0x000000000046E000-memory.dmp

\Users\Admin\AppData\Local\Temp\miwyw.exe

MD5 5edf145e67106382102275e7b67aa923
SHA1 c277d946fa3e532f82ba82a632a54fa95b719b35
SHA256 510f14316e1a8d5aa787d7231df864fe7eca69fafb995f8c906b3d92c9cc016c
SHA512 1826e029c14f091186c23d7410bd9185c4c8af44fcbbcad659ed26d3378a1af126e8755fa6769c5e6130a1f1c9c1ca48c1020832304d52bc6b8768cee8b6750d

memory/2264-9-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 d8b82ac2cbe7c30e9010c1abd7407965
SHA1 558ca5440ad4a26539f72e186c1d9a6cb3824a71
SHA256 c7e444e1f48284c3725ff0fbb5c44fa7c40a75820491272bc703ac4151f010c0
SHA512 cdcc590b3b70b98ecea3c4828d2258edbd9aaf7e20e5833160ce5de1a22abd4ed73258aa15991ca504d3496ad62bd51848536730a461152da6fe1f95deea25b1

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 a76e13bcc28ddab8b9f29db5cd0076a3
SHA1 1e86f77dbb2e8d033d56706203025ee77c844b61
SHA256 e1111640a0361091a433c072374681be71bd0b725e9a8082ff2a5d531b49c22f
SHA512 e131daf47e86ea2a08e4d8bafcaba04d2c5ef2c7853d9589f50b5c912e1a4c825739c170d32475d8e29e44d777e74042027d05d87431851923f7e02a07d41075

C:\Users\Admin\AppData\Local\Temp\kebezo.exe

MD5 516509699f1077360818f37aad972051
SHA1 0a6a01f8e32a0f7fea5c12b3a5f54a127af85362
SHA256 2d15570ebcd4b9b994488bcd982e0cf7a67cac553bfc49875054d1b5cfcfb387
SHA512 808e8469023671e46522b0217c541eb24802eb6f003070231438c252e5af515daf70924839a2e73d88e83ba67220841f97d83198c63e11b25f42f05f154c0d41

memory/1804-20-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2264-26-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2676-27-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2676-43-0x00000000039E0000-0x0000000003A80000-memory.dmp

memory/2676-44-0x0000000000400000-0x000000000046E000-memory.dmp

memory/2352-45-0x00000000009C0000-0x0000000000A60000-memory.dmp

memory/2352-46-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 71149f47209dc9823bb14e0457040965
SHA1 e859c46a88aabcecf1cda83ba378bd451922ffc4
SHA256 ce3d1ba67b85e83a8ec8a03eaaa4bb9920d6fd3ccaa1e9e3f5bc5f8a04dd9532
SHA512 1c5b1875eb1ff3e439b0b9ef37cd3285c280281a374e508d81a69cd0dfc3750c436fd323002f9c674fc0bc22ff847c0ce4fafb2e22790e9505f8dbd53eb0edb6

C:\Users\Admin\AppData\Local\Temp\xypey.exe

MD5 1e823155e12b2d1d3ef2653eb50a09f2
SHA1 4d352d62ac020a61f962e24a64935f1deea36be5
SHA256 c13f5b9f47be5e7bcbf5cbaa126b86108a12aeae6a008acbc8afae7e1f2f3692
SHA512 e68cb97a72bdbb40ac3da7abd436c1e77226a8abd269a09e61f4d5bf07b8bdfd27d5cc0205ad2441d8750308da32b6cca08bdb9f60e408a5f406328447b2836a

memory/2352-50-0x00000000009C0000-0x0000000000A60000-memory.dmp

memory/2352-51-0x00000000009C0000-0x0000000000A60000-memory.dmp

memory/2352-52-0x00000000009C0000-0x0000000000A60000-memory.dmp

memory/2352-53-0x00000000009C0000-0x0000000000A60000-memory.dmp

memory/2352-54-0x00000000009C0000-0x0000000000A60000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted         2024-03-16 22:17
Reported          2024-03-16 22:20
Platform          win10v2004-20240226-en
Max time kernel   150s
Max time network  151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe"

Signatures

Urelas (trojan, urelas)

Checks computer location settings
Key value queried: \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation
Queried by:
C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe
C:\Users\Admin\AppData\Local\Temp\tymib.exe
C:\Users\Admin\AppData\Local\Temp\ipfaju.exe
The Nation value holds the GeoID of the user's configured country or region, so each of the first three stages reads the machine's location setting. This signature was not recorded in the Win7 run.

Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\tymib.exe
C:\Users\Admin\AppData\Local\Temp\ipfaju.exe
C:\Users\Admin\AppData\Local\Temp\wadag.exe

Enumerates physical storage devices
No indicator details recorded.

Suspicious behavior: EnumeratesProcesses
Process: C:\Users\Admin\AppData\Local\Temp\wadag.exe (64 identical events; no indicator or target recorded)

Suspicious use of WriteProcessMemory

The report records each writer/target pair three times in this run; the pairs are collapsed here with their row counts. As in the Win7 run, every target is the process its writer had just started, so the rows document the launch chain.

Writer PID -> target PID (rows): writer image -> target image
1032 -> 3044 (3): C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe -> C:\Users\Admin\AppData\Local\Temp\tymib.exe
1032 -> 2912 (3): C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe -> C:\Windows\SysWOW64\cmd.exe
3044 -> 864 (3): C:\Users\Admin\AppData\Local\Temp\tymib.exe -> C:\Users\Admin\AppData\Local\Temp\ipfaju.exe
864 -> 5060 (3): C:\Users\Admin\AppData\Local\Temp\ipfaju.exe -> C:\Users\Admin\AppData\Local\Temp\wadag.exe
864 -> 1380 (3): C:\Users\Admin\AppData\Local\Temp\ipfaju.exe -> C:\Windows\SysWOW64\cmd.exe

Processes

Process tree (PIDs taken from the WriteProcessMemory rows above; each line is the recorded command line):

1032  "C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe"
  3044  "C:\Users\Admin\AppData\Local\Temp\tymib.exe" hi
    864  "C:\Users\Admin\AppData\Local\Temp\ipfaju.exe" OK
      5060  "C:\Users\Admin\AppData\Local\Temp\wadag.exe"
      1380  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "    (image: C:\Windows\SysWOW64\cmd.exe)
  2912  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "    (image: C:\Windows\SysWOW64\cmd.exe)

The chain has the same shape as on Win7 (sample -> stage started with "hi" -> stage started with "OK" -> final stage with no arguments, plus a cmd.exe running _vslite.bat from the sample and from the "OK" stage), with freshly named dropped files. The cmd.exe command lines name C:\Windows\system32 while the recorded image is C:\Windows\SysWOW64\cmd.exe: the 32-bit parent is subject to WOW64 file system redirection, so the path resolves to the 32-bit copy.
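The WriteProcessMemory rows in both runs are the raw material for the process trees above. As an added example, not part of the sandbox report or of any sandbox tooling, the Python below reconstructs the chain the way one would when triaging many such reports automatically: it de-duplicates the repeated rows, finds the root process, follows successive executables started out of the user's Temp directory, and lists which stages launched cmd.exe. The embedded rows are excerpted from the Win7 table (one duplicated row is kept so the de-duplication is exercised); the same parser applies to the Win10 table. The Temp-directory test and the assumption that the chain is linear are the example's own.

```python
import re
from collections import defaultdict
from ntpath import basename

# Constructed input: rows excerpted from the Win7 run's "Suspicious use of
# WriteProcessMemory" table. The report repeats each writer/target pair four
# times; one duplicate is kept here so the de-duplication is exercised.
WIN7_ROWS = r"""
PID 1804 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe C:\Users\Admin\AppData\Local\Temp\miwyw.exe
PID 1804 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe C:\Users\Admin\AppData\Local\Temp\miwyw.exe
PID 1804 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\miwyw.exe C:\Users\Admin\AppData\Local\Temp\kebezo.exe
PID 2676 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\kebezo.exe C:\Users\Admin\AppData\Local\Temp\xypey.exe
PID 2676 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\kebezo.exe C:\Windows\SysWOW64\cmd.exe
"""

SAMPLE = "92b968351ca0f23713d1eed75d682397b7e43cffa3b80d0a3df7da3038754c25.exe"

# Row layout: "PID <writer> wrote to memory of <target> <indicator> <writer image> <target image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Assumption of this example: a dropped stage is any .exe started from the
# user's Temp directory (the paths in this report contain no spaces).
USER_TEMP = "\\appdata\\local\\temp\\"


def parse_write_events(text):
    """Parse table rows into unique (writer_pid, target_pid, writer_image,
    target_image) tuples in first-seen order; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            ev = (int(m[1]), int(m[2]), m[3], m[4])
            if ev not in events:
                events.append(ev)
    return events


def build_tree(events):
    """children: writer PID -> PIDs it wrote to; image: PID -> executable path."""
    children, image = defaultdict(list), {}
    for wpid, tpid, wimg, timg in events:
        image[wpid], image[tpid] = wimg, timg
        children[wpid].append(tpid)
    return children, image


def root_pid(events):
    """The one process that writes but is never written to: the submitted sample."""
    roots = {e[0] for e in events} - {e[1] for e in events}
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root process, got {sorted(roots)}")
    return roots.pop()


def is_temp_exe(path):
    p = path.lower()
    return USER_TEMP in p and p.endswith(".exe")


def dropper_chain(events):
    """Follow the root process through successive Temp-directory executables and
    return their basenames in launch order. The chain in this report is linear;
    a stage that starts two Temp executables is reported as an error."""
    children, image = build_tree(events)
    pid = root_pid(events)
    chain = [basename(image[pid])]
    while True:
        nxt = [c for c in children[pid] if is_temp_exe(image[c])]
        if not nxt:
            return chain
        if len(nxt) > 1:
            raise ValueError(f"PID {pid} started several Temp executables: {nxt}")
        pid = nxt[0]
        chain.append(basename(image[pid]))


def cmd_launchers(events):
    """Basenames of the stages that spawned cmd.exe; in this report each such
    cmd.exe runs _vslite.bat, the step the sandbox labels "Deletes itself"."""
    return [basename(w) for _, _, w, t in events if basename(t).lower() == "cmd.exe"]


def triage(text):
    events = parse_write_events(text)
    return {
        "unique_events": len(events),
        "chain": dropper_chain(events),
        "cmd_launchers": cmd_launchers(events),
    }


if __name__ == "__main__":
    for key, value in triage(WIN7_ROWS).items():
        print(f"{key}: {value}")
```

Pasting the Win10 rows in place of WIN7_ROWS yields the tymib.exe -> ipfaju.exe -> wadag.exe chain with the sample and ipfaju.exe as the cmd.exe launchers; a chain that is not linear, or a run with more than one root, raises instead of silently producing a partial tree.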

Network

Country  Destination            Domain                         Proto
US       8.8.8.8:53             g.bing.com                     udp
US       204.79.197.200:443     g.bing.com                     tcp
US       8.8.8.8:53             58.55.71.13.in-addr.arpa       udp
US       8.8.8.8:53             64.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53             200.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa    udp
US       8.8.8.8:53             9.228.82.20.in-addr.arpa       udp
US       8.8.8.8:53             43.58.199.20.in-addr.arpa      udp
US       8.8.8.8:53             tse1.mm.bing.net               udp
US       204.79.197.200:443     tse1.mm.bing.net               tcp   (5 rows)
KR       218.54.31.226:11110    -                              tcp
US       20.231.121.79:80       -                              tcp
US       8.8.8.8:53             183.142.211.20.in-addr.arpa    udp
US       8.8.8.8:53             41.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53             86.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53             198.187.3.20.in-addr.arpa      udp
KR       1.234.83.146:11170     -                              tcp
US       8.8.8.8:53             100.5.17.2.in-addr.arpa        udp
US       8.8.8.8:53             119.110.54.20.in-addr.arpa     udp
US       8.8.8.8:53             217.135.221.88.in-addr.arpa    udp
US       8.8.8.8:53             0.205.248.87.in-addr.arpa      udp
US       8.8.8.8:53             32.134.221.88.in-addr.arpa     udp
KR       218.54.31.165:11110    -                              tcp
JP       133.242.129.155:11110  -                              tcp
US       8.8.8.8:53             21.236.111.52.in-addr.arpa     udp
US       8.8.8.8:53             205.47.74.20.in-addr.arpa      udp
US       8.8.8.8:53             18.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa     udp
US       8.8.8.8:53             174.178.17.96.in-addr.arpa     udp
US       8.8.8.8:53             64.134.221.88.in-addr.arpa     udp

The four direct TCP connections to 218.54.31.226:11110, 1.234.83.146:11170, 218.54.31.165:11110 and 133.242.129.155:11110 are the same endpoints contacted in the Win7 run and are the traffic attributable to the sample. The Bing lookups and the reverse-DNS (in-addr.arpa) queries to 8.8.8.8 are consistent with Windows 10 background activity on the sandbox image rather than with the sample. 20.231.121.79:80 appears only in this run and has no counterpart on Win7, so it should be reviewed before being used as an indicator.
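Separating sample traffic from sandbox noise is easiest when the same sample has been detonated on two images, as here. The Python below is an added example, not part of the report: it parses the two Network tables (constructed inline from the report's rows; the Win10 table is excerpted), keeps only endpoints contacted in both runs after dropping resolver traffic and Bing hosts, flags anything left over for manual review, and emits Suricata rules for the surviving endpoints. The background-traffic heuristic and the sid range are the example's assumptions.

```python
from dataclasses import dataclass

# Constructed input: rows from the two Network tables in this report. The
# Win10 table is excerpted (one of the five identical tse1.mm.bing.net rows and
# a few of the reverse-DNS lookups are kept).
WIN7_NET = """\
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
"""

WIN10_NET = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
KR 218.54.31.226:11110 tcp
US 20.231.121.79:80 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str   # "" when the sandbox recorded a direct-IP connection
    proto: str


def parse_network(text):
    """Parse 'Country Destination [Domain] Proto' rows into unique Conn records."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        conn = Conn(country, ip, int(port), domain.lower(), proto.lower())
        if conn not in conns:
            conns.append(conn)
    return conns


# Assumption of this example: resolver traffic, reverse lookups and Bing hosts
# are Windows/sandbox background, not sample activity. Tune per sandbox image.
BACKGROUND_DOMAINS = (".bing.com", ".bing.net", ".in-addr.arpa")


def is_background(conn):
    return (conn.port == 53 and conn.proto == "udp") or conn.domain.endswith(BACKGROUND_DOMAINS)


def endpoints(run):
    """(ip, port, proto) triples of one run with background traffic removed."""
    return {(c.ip, c.port, c.proto) for c in run if not is_background(c)}


def c2_candidates(*runs):
    """Endpoints contacted in every detonation: traffic that recurs across
    different OS images follows the sample, not the image."""
    return sorted(set.intersection(*(endpoints(r) for r in runs)))


def unexplained(run, candidates):
    """Non-background endpoints of one run that the other runs do not share;
    these need a manual look rather than an automatic rule."""
    return sorted(endpoints(run) - set(candidates))


def suricata_rules(candidates, sid_base=1000001):
    """One local rule per endpoint. sid_base is a placeholder in the local-rule
    range (1000000 and up); pick values that are free in your ruleset."""
    rules = []
    for i, (ip, port, proto) in enumerate(candidates):
        rules.append(
            f'alert {proto} $HOME_NET any -> {ip} {port} '
            f'(msg:"Urelas sample 92b96835 C2 candidate {ip}:{port}"; '
            f'flow:to_server; sid:{sid_base + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    win7, win10 = parse_network(WIN7_NET), parse_network(WIN10_NET)
    shared = c2_candidates(win7, win10)
    print("sample-attributable:", shared)
    print("win10 only, review manually:", unexplained(win10, shared))
    print("\n".join(suricata_rules(shared)))
```

With the two tables above, the intersection is exactly the four KR/JP endpoints on ports 11110 and 11170, and 20.231.121.79:80 is the only endpoint left for manual review. The rules are written as plain destination matches because the report records no payload; if a packet capture is available, a content match on the first bytes of the exchange is far less prone to false positives than a bare IP and port.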

Files

Dropped files and memory dumps, listed in the order the sandbox recorded them. Compared with the Win7 run: the dropped executables carry different names and hashes (tymib.exe, ipfaju.exe and wadag.exe here versus miwyw.exe, kebezo.exe and xypey.exe on Win7) and golfinfo.ini also differs, so hashes of the dropped stages do not carry across detonations; the first _vslite.bat (MD5 a76e13bcc28ddab8b9f29db5cd0076a3) is byte-identical in both runs, while the second (MD5 65cc4d9ba6ead3f011512c2fe89cd539 here, 71149f47209dc9823bb14e0457040965 on Win7) is not. As on Win7, the sample (PID 1032), tymib.exe (PID 3044) and ipfaju.exe (PID 864) share the 0x00400000-0x0046E000 image range, and the final stage, wadag.exe (PID 5060), maps a different region (0x00390000-0x00430000).

memory/1032-0-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tymib.exe

MD5 9b8aed63feb8b65ea8764deb3128aac5
SHA1 fca27336de0b5c06523d82788b46395fc1d42381
SHA256 1e4c90eeb1f9b5044460d9d64076c39541992c332a7bd39773850b1ff8abd0d4
SHA512 a5ea00825976ced039bd81afdb3db588571917d49851ebc00f7f5a173964092714e5ce4c297c6783201864355031abe557217c817fab3b79bd0c15dd43910ecd

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 057da1d21a28c463978a7879cffa3b41
SHA1 19c14e44c74facaaa7ff7761159d29e1e6e36fef
SHA256 3f471c16aaa1991d07b92c03b25f6122860eaff5511b4cc0a4ca18618fd4ea9f
SHA512 b692d01d76265e5c8762b5ee34e30108837baf703556de6856be29207fdf113cfeb731438769d68ddd2d7236a530856bc5e07dc3bf289cee958cbbcae73285f7

memory/1032-15-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 a76e13bcc28ddab8b9f29db5cd0076a3
SHA1 1e86f77dbb2e8d033d56706203025ee77c844b61
SHA256 e1111640a0361091a433c072374681be71bd0b725e9a8082ff2a5d531b49c22f
SHA512 e131daf47e86ea2a08e4d8bafcaba04d2c5ef2c7853d9589f50b5c912e1a4c825739c170d32475d8e29e44d777e74042027d05d87431851923f7e02a07d41075

C:\Users\Admin\AppData\Local\Temp\ipfaju.exe

MD5 423a4931703c323e28ee1c05d7e3a621
SHA1 9317280dcff0b898446da264539a1d2a8ef01950
SHA256 98da8b4fdeb1519f240efd17142d44e47bafd3ac8d6a67ca4e899e89a9fba8eb
SHA512 a885bcd474e2243e91eee34b4c314043b7f73756c9b6daa908fb3343c95b2057a1f69d521645574ba61a55018f2018c7eae90da9b13fcc7ddf42c61646caac49

memory/3044-24-0x0000000000400000-0x000000000046E000-memory.dmp

memory/864-25-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wadag.exe

MD5 61a15fc8654559aa3182464ea09b9454
SHA1 40883e4bcf63a1a55d5fb5f3aba2f426961394df
SHA256 9f05d5f35f91d1680e8a0fdd7960b18965f6aabaeca960f67bdb5c8cda939bdb
SHA512 13a12d15d9516c112d17342d560ed7590649f329a54912388bf2c13ca894c45f094136e3bda5245d9812b237e0dd5d2612c63b126de0e3468f209511193a8b02

memory/5060-36-0x0000000000390000-0x0000000000430000-memory.dmp

memory/5060-38-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/864-40-0x0000000000400000-0x000000000046E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 65cc4d9ba6ead3f011512c2fe89cd539
SHA1 0216586f28e2aeddb906e71d450b8b373d177862
SHA256 bf8a259d91234833c0761e819fd2586a7c955ed4ff802c981a12109d89a4b22d
SHA512 a9d63e92455245c34da2e749c60a0638887795f33e5e369417f6344903e6fc32388900b7546b49339f8cd08285275d422b1f7dced65dc35d6dab5d5b9b568ab6

memory/5060-42-0x0000000000390000-0x0000000000430000-memory.dmp

memory/5060-43-0x0000000000390000-0x0000000000430000-memory.dmp

memory/5060-44-0x0000000000390000-0x0000000000430000-memory.dmp

memory/5060-45-0x0000000000390000-0x0000000000430000-memory.dmp

memory/5060-46-0x0000000000390000-0x0000000000430000-memory.dmp