Malware Analysis Report

2025-08-05 19:40

Sample ID 240316-23mvmagd65
Target addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e
SHA256 addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e
Tags
urelas trojan
score
10/10

Analysis Overview

score
10/10

SHA256

addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e

Threat Level: Known bad

The file addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-16 23:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 23:06

Reported

2024-03-16 23:09

Platform

win7-20240215-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cisyz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nigowi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gyrol.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gyrol.exe N/A
(55 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe C:\Users\Admin\AppData\Local\Temp\cisyz.exe
PID 2896 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\cisyz.exe C:\Users\Admin\AppData\Local\Temp\nigowi.exe
PID 2576 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\nigowi.exe C:\Users\Admin\AppData\Local\Temp\gyrol.exe
PID 2576 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\nigowi.exe C:\Windows\SysWOW64\cmd.exe
(each entry appears 4 times in the source report)

Processes

C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe

"C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe"

C:\Users\Admin\AppData\Local\Temp\cisyz.exe

"C:\Users\Admin\AppData\Local\Temp\cisyz.exe" hi

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\nigowi.exe

"C:\Users\Admin\AppData\Local\Temp\nigowi.exe" OK

C:\Users\Admin\AppData\Local\Temp\gyrol.exe

"C:\Users\Admin\AppData\Local\Temp\gyrol.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 - tcp
KR 1.234.83.146:11170 - tcp
KR 218.54.31.165:11110 - tcp
JP 133.242.129.155:11110 - tcp

Files

memory/2896-0-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2896-3-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2896-4-0x00000000001C0000-0x00000000001C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\cisyz.exe

MD5 3305ec17a2c8583f6ad04f0c35f05966
SHA1 f8bc33baeb6ca433724af114384cb17957bbd520
SHA256 1326aae1549af67915a388060b6db22cfe68057fe0abbb3b0b0c3263e8cf56c7
SHA512 936dd276cf320cf2737c8a36bd1f41d4f80324e17d20308f9ac5efddda4f35b8d742633eee97c1217143ea8dd529faa6d81d0c165e68d573eae110e49275bcbe

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 633205ec749975506223464132d91c15
SHA1 65a767479594aedf26b17ab0252bf06f45020cb3
SHA256 ca36527edbcf227f7d06d1b784ff170bc82363fe534c78e4d9272b7d8104b221
SHA512 2a4c72d658e2dc1a859101e1e7be378179a71545b6e839fe9c362cdf6c766eb6459ce6c8ac77406018e77e96cf717dd0c200a09f02bd95bdc59ce4a9f7fe1ed3

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 e5df67d153f327d244f3c05fa5485889
SHA1 340597a9037191a48fd76df4f8daa36de8b78845
SHA256 16c4af27114a1542e008ce519e0cbcdcacefc348e269425b130125200996fa16
SHA512 1aeb136bd3e3d0c851ef760ac2ace10cb74bde0be3598ec754c89bb9536966835126e2f333c26d5d7684c68bb03d041d420728a69669cffe6e69b94bfb0e4816

memory/2908-20-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nigowi.exe

MD5 caa1b7ddcee696a9c6ae78566f2abb88
SHA1 0797d8cc0f822fe575ea291d88d570016657ca17
SHA256 40b738aeecf59c400db2861eb14f2692ca8a468b3ce493f32f88721c8777982d
SHA512 a855fe013d9c8ab8409db9a48b022e6f07b9812f39f4bd5cff3ea83a9258dd58ec5ca592bbbf0af7b77aebebe65d826cf3d8680825c1372f3ba0a03bc6070445

memory/2908-22-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2896-19-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2908-30-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2576-33-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2576-34-0x0000000000400000-0x000000000046F000-memory.dmp

\Users\Admin\AppData\Local\Temp\gyrol.exe

MD5 df61975e83ef564c718326d68b5dd40d
SHA1 8c7928857586025512a66cf0d0a51c21cd3f1e15
SHA256 d38c6b1313a305a92c8d50a37ebd8e03bef0b7508daaa9633f16f308a64935f0
SHA512 23bbeb76a4f5c58fce400b0fbd13960e9b777f656737b499c55d9df384388fddac84e9e99583f5fb7dcab309274779b263f8dedc8f2610c5b068d0dc87dfe1ec

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 f96e79f0f7d92f772bf4e0fbc999fabb
SHA1 1af182ceb066ba43d67a1022aba478709f052dab
SHA256 320a7deae8a910faaef321244610135053e32bd1d370962e9498ba7b77119e0d
SHA512 0ed67bc433d8000b152d8de6854de72533b827a16e90a5fdf34a0e8a52e0ef89dcaad14102065b68b706d84c50b11fb37af2d2e3c4b56b06183c764da3235729

memory/2576-42-0x0000000003D10000-0x0000000003DB0000-memory.dmp

memory/1752-51-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1752-52-0x00000000011A0000-0x0000000001240000-memory.dmp

memory/2576-50-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1752-56-0x00000000011A0000-0x0000000001240000-memory.dmp

memory/1752-57-0x00000000011A0000-0x0000000001240000-memory.dmp

memory/1752-58-0x00000000011A0000-0x0000000001240000-memory.dmp

memory/1752-59-0x00000000011A0000-0x0000000001240000-memory.dmp

memory/1752-60-0x00000000011A0000-0x0000000001240000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-16 23:06

Reported

2024-03-16 23:09

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ujjyt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\qyresu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ujjyt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qyresu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufogw.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufogw.exe N/A
(64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3704 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe C:\Users\Admin\AppData\Local\Temp\ujjyt.exe
PID 3704 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe C:\Windows\SysWOW64\cmd.exe
PID 4740 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\ujjyt.exe C:\Users\Admin\AppData\Local\Temp\qyresu.exe
PID 1336 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\qyresu.exe C:\Users\Admin\AppData\Local\Temp\ufogw.exe
PID 1336 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\qyresu.exe C:\Windows\SysWOW64\cmd.exe
(each entry appears 3 times in the source report)

Processes

C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe

"C:\Users\Admin\AppData\Local\Temp\addd61fe6a61a0582b2ca0bfd7b690ad44c51aeea622df7fb48d8d3033e38e5e.exe"

C:\Users\Admin\AppData\Local\Temp\ujjyt.exe

"C:\Users\Admin\AppData\Local\Temp\ujjyt.exe" hi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\qyresu.exe

"C:\Users\Admin\AppData\Local\Temp\qyresu.exe" OK

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\ufogw.exe

"C:\Users\Admin\AppData\Local\Temp\ufogw.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
GB 216.58.201.106:443 - tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
KR 218.54.31.226:11110 - tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
KR 1.234.83.146:11170 - tcp
KR 218.54.31.165:11110 - tcp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
JP 133.242.129.155:11110 - tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
(the last entry appears 5 times in the source report)

Files

memory/3704-0-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3704-2-0x00000000021D0000-0x0000000002213000-memory.dmp

memory/3704-1-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3704-3-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ujjyt.exe

MD5 b4354da8a4809ffd67ec1ebf38cbdb39
SHA1 96286e0b0bf78f3d5a4ad480c27f09eda96f63c1
SHA256 5c86f9b7f40c740ca16a24c17641865c4c94d84043e2496215040de362dde293
SHA512 2c7c0f9e2392597e83e1a3ac33cd32a366d7eae5ae774d0489eb129351e0e92162c776bcd9d874cb418ed8e42545146ca1ce3a66ada31f64db53c7118679de1d

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 07073eb0c2388e49ab3e96a8384064b2
SHA1 a815cb39d58138068fa01ca42a089260ab4cfebe
SHA256 f348e20e6cf3f8d546de665db01372bdaa874906f6147f18a66f20289e093d02
SHA512 418b9d7e5718dbb3d6228c0209ce61122113601d65301ccb378ccede01e27d5f7dc79a3f403035546692abedae97ba440b0f591e866dc278cb64c8259ddde4c8

memory/4740-17-0x0000000000400000-0x000000000046F000-memory.dmp

memory/3704-20-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 633205ec749975506223464132d91c15
SHA1 65a767479594aedf26b17ab0252bf06f45020cb3
SHA256 ca36527edbcf227f7d06d1b784ff170bc82363fe534c78e4d9272b7d8104b221
SHA512 2a4c72d658e2dc1a859101e1e7be378179a71545b6e839fe9c362cdf6c766eb6459ce6c8ac77406018e77e96cf717dd0c200a09f02bd95bdc59ce4a9f7fe1ed3

C:\Users\Admin\AppData\Local\Temp\qyresu.exe

MD5 a62f77fc6f5cf3135dc519e60066c226
SHA1 164d7f5b6a24584cd3f037fd4eedbe715cd83542
SHA256 d942689254065f7ac74d6aa94def53c420d97471de059c194539fde5de1d6a63
SHA512 f0481a3f83e227210633b4ee38714d3c7d5c0470fb71b56de2aa555e2853faf5c335dbd2d38a6c48c263d72a3473c5aa335155845b9ffc3f3ff7abec536ad921

memory/4740-29-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1336-30-0x00000000005B0000-0x00000000005F3000-memory.dmp

memory/1336-32-0x0000000000400000-0x000000000046F000-memory.dmp

memory/1336-33-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ufogw.exe

MD5 ac8ccfb03cae0dea0480f0ccfe47b16e
SHA1 1524d516b5a84b8a0b678679d3ed9422288e6810
SHA256 22a491ac53fb6aba9864e45ab17a7d0912d84fb10ab5e074f3e325831f58ef0b
SHA512 cb15ff9aa8902fca35c22061304226b21b3b67c6de9d4faa8a90c11b7e9310bd1ef4a00f0c2d5e973096a7c15468597d71ef8a467cbabc9ec992ecdee6ffd8d8

memory/916-44-0x0000000000B70000-0x0000000000C10000-memory.dmp

memory/916-46-0x0000000000780000-0x0000000000781000-memory.dmp

memory/1336-47-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 9a8503d17c559b2af93906532bf42f05
SHA1 d0137f68f47dc67830ee8e448cfa2cb2ecc437d9
SHA256 33b63c5cea03524e0139018d8d7861a0ffa6c6b8af874d80e06c7304cad24458
SHA512 db33775d1a07d3417f9f748ca47dfd13756ccbb6a2fcd7bd13b16343a502eff9f56546aff551d966f9330d3df1e0c5d1be80f5c8af242d0280c2fdd8e08ef723

memory/916-50-0x0000000000B70000-0x0000000000C10000-memory.dmp

memory/916-51-0x0000000000B70000-0x0000000000C10000-memory.dmp

memory/916-52-0x0000000000B70000-0x0000000000C10000-memory.dmp

memory/916-53-0x0000000000B70000-0x0000000000C10000-memory.dmp