Malware Analysis Report

2025-08-05 19:40

Sample ID 240317-b1nq2abf6y
Target cf98e1c96efb311bbd871d0e2b974135
SHA256 d14e7af0587c40e259d8b3400b9754d2df6359b3df0e522d261c9b9d117d3167
Tags: urelas trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

d14e7af0587c40e259d8b3400b9754d2df6359b3df0e522d261c9b9d117d3167

Threat Level: Known bad

The file cf98e1c96efb311bbd871d0e2b974135 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas

Urelas family

Loads dropped DLL

Deletes itself

Executes dropped EXE

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-17 01:36

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 01:36

Reported

2024-03-17 01:39

Platform

win7-20240221-en

Max time kernel

149s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ajsof.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\azyjhu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jifij.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jifij.exe N/A (55 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe C:\Users\Admin\AppData\Local\Temp\ajsof.exe (4 identical entries)
PID 2276 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 1944 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\ajsof.exe C:\Users\Admin\AppData\Local\Temp\azyjhu.exe (4 identical entries)
PID 2096 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\azyjhu.exe C:\Users\Admin\AppData\Local\Temp\jifij.exe (4 identical entries)
PID 2096 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\azyjhu.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe

"C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe"

C:\Users\Admin\AppData\Local\Temp\ajsof.exe

"C:\Users\Admin\AppData\Local\Temp\ajsof.exe" hi

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\azyjhu.exe

"C:\Users\Admin\AppData\Local\Temp\azyjhu.exe" OK

C:\Users\Admin\AppData\Local\Temp\jifij.exe

"C:\Users\Admin\AppData\Local\Temp\jifij.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country  Destination              Domain  Proto
KR       218.54.31.226:11110      -       tcp
KR       1.234.83.146:11170       -       tcp
KR       218.54.31.165:11110      -       tcp
JP       133.242.129.155:11110    -       tcp

Files

memory/2276-1-0x0000000000400000-0x00000000004679C5-memory.dmp

\Users\Admin\AppData\Local\Temp\ajsof.exe

MD5 9988d74b0b0eec5860390da023ac7cc9
SHA1 86bd4f60a55e2c112eb065cf539db6556dd92acb
SHA256 49bc0ca57b24ed7754e965e2d9ca15d75cd7bd4153f4e82336270ba5bdc5bfc8
SHA512 1fda0f84a027300d9f33bbfed45d1506561dd14bdadec9ead6f9ca064d80cd37ca95ee3f8ba51f7e9df134ce315ccbc2373b7b19d9dd0638cf8f769de18bffb8

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 004fbe7531846998273fa0f9a150bd5d
SHA1 2a80262a40599b131e39bdf93bde50105667c151
SHA256 da90476b573af311f9491b02be95d18c26019e7c3037ca76f74b4d650aebfb1b
SHA512 47fc50f1f90d8e065631cfa678c642be869663a9e023b0caca16f8cd3d7dc0074e37842b8bb719728e9a842d2083420316c618760af3b9e0c803a2ea31a5fd4e

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 36c9bf4a55cb8300c6139f9307c087b4
SHA1 f02fac771ac36c38d63174907ce30d8272a9960c
SHA256 3c6c5d512387419fec7f9e766ab4d85a515748b908e0e91f999fd45b584443e1
SHA512 71af02057fe77265d918bf6c06d7414b4f0208ee971ead4101f1f719c614c67a711666ffab32eab5af1f5302b507e30b2da0a06b5b7870cff54b001408df259c

memory/1944-21-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/2276-22-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/2276-23-0x00000000028E0000-0x0000000002948000-memory.dmp

memory/2276-7-0x00000000028E0000-0x0000000002948000-memory.dmp

\Users\Admin\AppData\Local\Temp\azyjhu.exe

MD5 d170e20e8f3738165fc0f8b5df188490
SHA1 ee9876568c232fb1ebb9412ef34a1e0e8b122e25
SHA256 465e05056d17a858364dd23c9a653db1d77bd445fc98ce14d97f9a5279188363
SHA512 0adc977f22ead660184298582f01d17d6c64e6742f0a4468869183130e3b777323a19ee1dc81238d5a5d636fc21e8edd40ed46c1a9a0011dbeca70bcc239f803

memory/1944-34-0x0000000002280000-0x00000000022E8000-memory.dmp

memory/1944-35-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/2096-37-0x0000000000400000-0x00000000004679C5-memory.dmp

\Users\Admin\AppData\Local\Temp\jifij.exe

MD5 4daa1f8aeb1f6012b0a222d5654f6984
SHA1 50b40350c694833b6026169a357a873d45be1483
SHA256 cbdb5ee3f06dfd7f45724995a54bdd2a176c02d1dd4822dd7a8ca94e7647e1b5
SHA512 b40e37b90aff3d9e1758c01c3db8c496ae5f723872799ccb133eb89128a50f29752b0d5f7c80feee97ca447eb625afd3209f86dcd9767217a75533110e1e6784

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 161e3775e241a787082aeb2e66a94e99
SHA1 c4d097fd4df7053acf15ae5982c4fb74d57159e9
SHA256 6f770f463c62c890f32046afe19b6714a365201fb2ba442725a56a9b3cde8e34
SHA512 350ec03a3d5909b05a9942cf88471d6215595a79603b19ddcf19f7e8a6e3fdc379f0417e53d01a6ca2d936f53ab27a3f43f1ad224b98f2568ac7892fd79dd4a7

memory/1236-54-0x00000000000D0000-0x0000000000170000-memory.dmp

memory/2096-44-0x0000000003AC0000-0x0000000003B60000-memory.dmp

memory/2096-52-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/1236-55-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1236-59-0x00000000000D0000-0x0000000000170000-memory.dmp

memory/1236-60-0x00000000000D0000-0x0000000000170000-memory.dmp

memory/1236-61-0x00000000000D0000-0x0000000000170000-memory.dmp

memory/1236-62-0x00000000000D0000-0x0000000000170000-memory.dmp

memory/1236-63-0x00000000000D0000-0x0000000000170000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 01:36

Reported

2024-03-17 01:39

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gyfog.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\miekdu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gyfog.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\miekdu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ancio.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ancio.exe N/A (64 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3524 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe C:\Users\Admin\AppData\Local\Temp\gyfog.exe (3 identical entries)
PID 3524 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 4816 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\gyfog.exe C:\Users\Admin\AppData\Local\Temp\miekdu.exe (3 identical entries)
PID 4796 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\miekdu.exe C:\Users\Admin\AppData\Local\Temp\ancio.exe (3 identical entries)
PID 4796 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\miekdu.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe

"C:\Users\Admin\AppData\Local\Temp\cf98e1c96efb311bbd871d0e2b974135.exe"

C:\Users\Admin\AppData\Local\Temp\gyfog.exe

"C:\Users\Admin\AppData\Local\Temp\gyfog.exe" hi

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\miekdu.exe

"C:\Users\Admin\AppData\Local\Temp\miekdu.exe" OK

C:\Users\Admin\AppData\Local\Temp\ancio.exe

"C:\Users\Admin\AppData\Local\Temp\ancio.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country  Destination              Domain                            Proto
US       8.8.8.8:53               67.31.126.40.in-addr.arpa         udp
US       8.8.8.8:53               209.205.72.20.in-addr.arpa        udp
KR       218.54.31.226:11110      -                                 tcp
US       8.8.8.8:53               133.211.185.52.in-addr.arpa       udp
US       8.8.8.8:53               9.228.82.20.in-addr.arpa          udp
US       8.8.8.8:53               86.23.85.13.in-addr.arpa          udp
US       8.8.8.8:53               41.110.16.96.in-addr.arpa         udp
US       8.8.8.8:53               217.106.137.52.in-addr.arpa       udp
KR       1.234.83.146:11170       -                                 tcp
US       8.8.8.8:53               18.31.95.13.in-addr.arpa          udp
US       8.8.8.8:53               104.241.123.92.in-addr.arpa       udp
US       8.8.8.8:53               119.110.54.20.in-addr.arpa        udp
US       8.8.8.8:53               18.134.221.88.in-addr.arpa        udp
KR       218.54.31.165:11110      -                                 tcp
US       8.8.8.8:53               56.126.166.20.in-addr.arpa        udp
US       8.8.8.8:53               217.135.221.88.in-addr.arpa       udp
US       8.8.8.8:53               0.204.248.87.in-addr.arpa         udp
US       8.8.8.8:53               32.134.221.88.in-addr.arpa        udp
US       8.8.8.8:53               194.178.17.96.in-addr.arpa        udp
JP       133.242.129.155:11110    -                                 tcp
US       8.8.8.8:53               205.47.74.20.in-addr.arpa         udp
US       8.8.8.8:53               14.227.111.52.in-addr.arpa        udp
US       8.8.8.8:53               tse1.mm.bing.net                  udp
US       204.79.197.200:443       tse1.mm.bing.net                  tcp (5 identical entries)
US       8.8.8.8:53               200.197.79.204.in-addr.arpa       udp

Files

memory/3524-0-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gyfog.exe

MD5 da35388d0d0abffc322389f03f61609e
SHA1 ffd82d19943e8fcedc681b9d1ca5c07b28765944
SHA256 cfbeb85db59d0d984ad81188bc3124e50d17ad51c3b1d45bf80f2213509f68f0
SHA512 15722a4c6fdb8d9923cfa712caa195a79ef69f9b4c14da611ce5f4e35589625668189a2ecec8bd757316d484a199b1ff264a9ed7a6bf09a8f80e088d6512ff35

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 1deed40f1e6cfdc389c44eb46afbefdc
SHA1 ee306aaf80375feac79f509e4bdddcbbe94597f3
SHA256 1bebe60310ce420d85f842f89087d1ac8d85859468011352da89cc72e2c06a06
SHA512 2f3a96314d54c9a6f9ec90a4730189271bbb33529bd12bc1991fea720a16694b45f71f3f750c237ece4a7331f2c7a78d7c97c6d8027ba1cb25515f65d037e596

memory/4816-14-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/3524-15-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 36c9bf4a55cb8300c6139f9307c087b4
SHA1 f02fac771ac36c38d63174907ce30d8272a9960c
SHA256 3c6c5d512387419fec7f9e766ab4d85a515748b908e0e91f999fd45b584443e1
SHA512 71af02057fe77265d918bf6c06d7414b4f0208ee971ead4101f1f719c614c67a711666ffab32eab5af1f5302b507e30b2da0a06b5b7870cff54b001408df259c

C:\Users\Admin\AppData\Local\Temp\miekdu.exe

MD5 b91b14da85ea731a3d740f14b5267292
SHA1 c0cb8dc43b6004c3082dd7e161d10955876615f1
SHA256 68a79a90b472d741a9204b7d450267dcaff1ea0c44626b4a8b9ed0eed3533866
SHA512 d23089a6175bde2db98b956326905c700b1819455dc6b47e8d7d585176c12dfcb749007cc0318385eba3e14c28e8ef7e553edeefbb8593f286906d5aa42c0c44

memory/4816-25-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/4796-26-0x0000000000400000-0x00000000004679C5-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ancio.exe

MD5 535dc6c4d29838b8bc8a7299596f62d5
SHA1 77dbc16b7739b5a96d4ae4e90b7c81781c362a7e
SHA256 de3bbbef9d6864db6f21be44037e4904cd563a4a231d218f08fc6235853cef4a
SHA512 228c6648b112fde47fd12ba79bb469bd3a7bb8dc6067727f5729b28f5aea3f7071be28a21c894441c428da76acbc9a0503bcdd2914d6938f738aa9776ab30159

memory/4796-40-0x0000000000400000-0x00000000004679C5-memory.dmp

memory/1788-39-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

memory/1788-38-0x00000000006F0000-0x0000000000790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 9786f1c23f7d338ca04684c58a97edee
SHA1 d6af8b67253f2cc37b3060f8c3415d8c1bdec4d0
SHA256 9b36c443f6f2a68be8de192543bccd33f55f851c37e0d011cbd952aa1db9b4bd
SHA512 52ad90d7c0eb55b6475067bbdc6c0fd2626745d774e29129ad556879e0e1983097b30e9620388e42396b056964a6ad4cededbbc3a3de4aa1e860d9c63c2a3bee

memory/1788-43-0x00000000006F0000-0x0000000000790000-memory.dmp

memory/1788-44-0x00000000006F0000-0x0000000000790000-memory.dmp

memory/1788-45-0x00000000006F0000-0x0000000000790000-memory.dmp

memory/1788-46-0x00000000006F0000-0x0000000000790000-memory.dmp

memory/1788-47-0x00000000006F0000-0x0000000000790000-memory.dmp