Malware Analysis Report

2024-11-16 13:28

Sample ID 240807-1lqphsyamd
Target 5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e
SHA256 5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e
Tags
urelas discovery trojan upx
score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score 10/10

SHA256 5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e

Threat Level: Known bad

The file 5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Deletes itself

UPX packed file

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-07 21:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-07 21:44

Reported 2024-08-07 21:47

Platform win10v2004-20240802-en

Max time kernel 146s

Max time network 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pyeqs.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kyqoky.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pyeqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kyqoky.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pyeqs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kyqoky.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pyeqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pyeqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kyqoky.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kyqoky.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\boufe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3988 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Users\Admin\AppData\Local\Temp\pyeqs.exe
PID 3988 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Users\Admin\AppData\Local\Temp\pyeqs.exe
PID 3988 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Users\Admin\AppData\Local\Temp\pyeqs.exe
PID 3988 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Windows\SysWOW64\cmd.exe
PID 4784 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\pyeqs.exe C:\Users\Admin\AppData\Local\Temp\kyqoky.exe
PID 4784 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\pyeqs.exe C:\Users\Admin\AppData\Local\Temp\kyqoky.exe
PID 4784 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\pyeqs.exe C:\Users\Admin\AppData\Local\Temp\kyqoky.exe
PID 4748 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\kyqoky.exe C:\Users\Admin\AppData\Local\Temp\boufe.exe
PID 4748 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\kyqoky.exe C:\Users\Admin\AppData\Local\Temp\boufe.exe
PID 4748 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\kyqoky.exe C:\Users\Admin\AppData\Local\Temp\boufe.exe
PID 4748 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\kyqoky.exe C:\Windows\SysWOW64\cmd.exe
PID 4748 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\kyqoky.exe C:\Windows\SysWOW64\cmd.exe
PID 4748 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\kyqoky.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe

"C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe"

C:\Users\Admin\AppData\Local\Temp\pyeqs.exe

"C:\Users\Admin\AppData\Local\Temp\pyeqs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\kyqoky.exe

"C:\Users\Admin\AppData\Local\Temp\kyqoky.exe" OK

C:\Users\Admin\AppData\Local\Temp\boufe.exe

"C:\Users\Admin\AppData\Local\Temp\boufe.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3988-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3988-2-0x0000000001050000-0x0000000001051000-memory.dmp

memory/3988-3-0x0000000001060000-0x0000000001061000-memory.dmp

memory/3988-10-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3988-1-0x0000000001040000-0x0000000001041000-memory.dmp

memory/3988-8-0x00000000010C0000-0x00000000010C1000-memory.dmp

memory/3988-7-0x00000000010B0000-0x00000000010B1000-memory.dmp

memory/3988-6-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/3988-5-0x0000000000526000-0x000000000087A000-memory.dmp

memory/3988-4-0x0000000001090000-0x0000000001091000-memory.dmp

memory/3988-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pyeqs.exe

MD5 c4819d80f3e956bf84b346a540ff63ef
SHA1 0a2255c7b1da0f4c1ea82c260164f1813d87fa04
SHA256 8c4dc416c07e0fad1d062cd8bfe7e1f7da445d47e95c105912ae28ae70d40399
SHA512 76e1b0cc362a5424f74dcae024fb135b92a625ce21f46a368bd5184f9e98540c60f567bf379e736461fca89c8dea8a1035ca6b0abc891885b1125308acb4f61f

memory/4784-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3988-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3988-26-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 a372b778baecac45e4ad237d72914b23
SHA1 f865dd3a4c1ac1458e7a1ac4c2f125382c35face
SHA256 14617c5d5c0b16e1d8c845cbed998de813b2524a98d56dd6efadc7155fb54f56
SHA512 48749be43a59dd9ed8cf5472c891f56037e30c3ba2383b789fc3bdcf79ae0a6cf21a728b0eea0c54af16a66549adc7d2b98ede89bcb11d74e1c9bb7d9b90e408

memory/4784-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 8d0ae61ebb0a3b537e5a69739fbbcfed
SHA1 be360f991ba1d88ea284ece09dcdbe41ee1db6c7
SHA256 1fae80014ae2e4b6205a9a0abd7c379ac0813daff49b23dd392454146c172d82
SHA512 884ae10250144b037ef76d5afb0692ad53311aceb6fb2324bd40d156b78d890de2fc9e21e34b57369f26b79f56e5a53d11d4eba52973bae3c7cde41f34a2554e

memory/4784-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/4784-35-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/4784-34-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/4784-33-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/4784-32-0x0000000001090000-0x0000000001091000-memory.dmp

memory/4784-31-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

memory/4784-30-0x0000000000F90000-0x0000000000F91000-memory.dmp

memory/4784-29-0x0000000000F80000-0x0000000000F81000-memory.dmp

memory/4784-28-0x0000000000F70000-0x0000000000F71000-memory.dmp

memory/4784-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/4748-55-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/4748-54-0x00000000011C0000-0x00000000011C1000-memory.dmp

memory/4748-56-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/4748-53-0x00000000011B0000-0x00000000011B1000-memory.dmp

memory/4748-52-0x00000000011A0000-0x00000000011A1000-memory.dmp

memory/4748-51-0x0000000001170000-0x0000000001171000-memory.dmp

memory/4748-50-0x0000000001160000-0x0000000001161000-memory.dmp

memory/4748-49-0x0000000001150000-0x0000000001151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\boufe.exe

MD5 78a0b650b0a7c464b000cd64f8214dd9
SHA1 823b930a88dee63d4d78d45592ab997a0e352be1
SHA256 b4a898d61e6ddbb61d73a348a44c3fda0ecefae39fabaffecbf54853a98e7339
SHA512 b10c38c2414a028444eba0c8c6460ae52b770a40abe5e02cc961b3a68cf858a6f19c609556d1c5a21c14b61f64e059ba01f70d24465ee2581d5fa19191cc9cf2

memory/4544-69-0x0000000000400000-0x0000000000599000-memory.dmp

memory/4748-71-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 fbda5501e0cc5d81f18db3e932f5f92d
SHA1 561a1409b02236a4a3b8fce97cc4269bf722b5d9
SHA256 f583f215cc4b75178c1b05bed17694223aaa494b6298dc48d5971b2bcf5194ce
SHA512 932edd3e01e7b9576f1e3a1e94988cec2cef0775938d4a6ba02dbb2f48dd1d869225e5a8236c5ba4896ffd03db1cfcba7d26ae95824ae41aac1bc34f5a81019b

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/4544-74-0x0000000000400000-0x0000000000599000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-07 21:44

Reported 2024-08-07 21:47

Platform win7-20240705-en

Max time kernel 147s

Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xuybx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mubedi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\voysh.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xuybx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mubedi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\voysh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Users\Admin\AppData\Local\Temp\xuybx.exe
PID 1996 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Users\Admin\AppData\Local\Temp\xuybx.exe
PID 1996 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Users\Admin\AppData\Local\Temp\xuybx.exe
PID 1996 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Users\Admin\AppData\Local\Temp\xuybx.exe
PID 1996 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe C:\Windows\SysWOW64\cmd.exe
PID 1992 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\xuybx.exe C:\Users\Admin\AppData\Local\Temp\mubedi.exe
PID 1992 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\xuybx.exe C:\Users\Admin\AppData\Local\Temp\mubedi.exe
PID 1992 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\xuybx.exe C:\Users\Admin\AppData\Local\Temp\mubedi.exe
PID 1992 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\xuybx.exe C:\Users\Admin\AppData\Local\Temp\mubedi.exe
PID 2144 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\mubedi.exe C:\Users\Admin\AppData\Local\Temp\voysh.exe
PID 2144 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\mubedi.exe C:\Users\Admin\AppData\Local\Temp\voysh.exe
PID 2144 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\mubedi.exe C:\Users\Admin\AppData\Local\Temp\voysh.exe
PID 2144 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\mubedi.exe C:\Users\Admin\AppData\Local\Temp\voysh.exe
PID 2144 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\mubedi.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\mubedi.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\mubedi.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\mubedi.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe

"C:\Users\Admin\AppData\Local\Temp\5093d8c54f936d750247861626900165ed1a1a0b4031b2ed178ccf2125ae5e8e.exe"

C:\Users\Admin\AppData\Local\Temp\xuybx.exe

"C:\Users\Admin\AppData\Local\Temp\xuybx.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\mubedi.exe

"C:\Users\Admin\AppData\Local\Temp\mubedi.exe" OK

C:\Users\Admin\AppData\Local\Temp\voysh.exe

"C:\Users\Admin\AppData\Local\Temp\voysh.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/1996-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1996-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1996-37-0x0000000000526000-0x000000000087A000-memory.dmp

memory/1996-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1996-35-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1996-33-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1996-30-0x0000000000280000-0x0000000000281000-memory.dmp

memory/1996-28-0x0000000000280000-0x0000000000281000-memory.dmp

memory/1996-25-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1996-23-0x0000000000270000-0x0000000000271000-memory.dmp

memory/1996-20-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1996-18-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1996-15-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1996-13-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1996-11-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1996-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1996-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1996-6-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1996-5-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1996-3-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1996-1-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\xuybx.exe

MD5 bb3bce9f6cd42c6039e5ab6690990fc0
SHA1 90ac41d14ca0e45892dbac6a8932ee5ee132b383
SHA256 2ec794b1309392dc217a575c4409753665e9ae5acbfc3a8d90b6a81559654d06
SHA512 d7c641239d8c6a0596e3f98dd9fadc730e36ea2771e238659639318ff4228cca8662fa2fe91e258efac4523633a72a2ffe1f423dc6dc93f394af76a2dfe9c3a2

memory/1996-50-0x0000000004160000-0x0000000004C4C000-memory.dmp

memory/1996-52-0x0000000004160000-0x0000000004C4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 a372b778baecac45e4ad237d72914b23
SHA1 f865dd3a4c1ac1458e7a1ac4c2f125382c35face
SHA256 14617c5d5c0b16e1d8c845cbed998de813b2524a98d56dd6efadc7155fb54f56
SHA512 48749be43a59dd9ed8cf5472c891f56037e30c3ba2383b789fc3bdcf79ae0a6cf21a728b0eea0c54af16a66549adc7d2b98ede89bcb11d74e1c9bb7d9b90e408

memory/1996-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1996-62-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 4d9e93e01065463d6f6159c36ad6cbe2
SHA1 590549488a4e5a3c16dbce84dcc25926486df38e
SHA256 eed65654eb4872a16f60eebae4d40daf4a88a7b81b8963bbeb8b094dbd9f15b4
SHA512 1a502d78d7fb475210d0856140961ed8ed9053fc6af84ed2d2f686cb18836d4393bc9390936f827566c549e45b9b489b964d0d3466649c6c0e20157680d9bb16

memory/1992-110-0x0000000004470000-0x0000000004F5C000-memory.dmp

memory/1992-112-0x0000000004470000-0x0000000004F5C000-memory.dmp

memory/1992-111-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2144-115-0x0000000000400000-0x0000000000EEC000-memory.dmp

\Users\Admin\AppData\Local\Temp\voysh.exe

MD5 8878641d16e55e942144d9d3af55f69e
SHA1 cd13f24065dd8301612a43b8537471ab128279c7
SHA256 8d991b6751877448a66854c2f37276b236b611d156e37025c262d8aeb9f7b606
SHA512 bd584e885fb1deabc27c5f88c670d84d315d05501211d1f85db96c3b0479af4c7eefc9ae8a3636eb95b30f72dd531d4b7b2df72ccbe2ab56feaef931b7d8af2c

memory/2144-160-0x0000000004770000-0x0000000004909000-memory.dmp

memory/2492-169-0x0000000000400000-0x0000000000599000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 ae79b104461bbc087a9a54ea31fe8dc8
SHA1 1392ce4588f543fffa0931544ade647a3e876223
SHA256 876e01574c57b8a58573a09a86290bcc315933abbcfaa15f497603cc7684acd2
SHA512 02ad40260fa87a55dffc8a29bfacd11b9ba45336f8157f1ed0b9b9d2f479f6761eb0cd6e82d22d6b779f37014bb30e42fd5a11345bd358fdbc3613e351ec7370

memory/2144-170-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/2492-175-0x0000000000400000-0x0000000000599000-memory.dmp