Malware Analysis Report

2024-11-16 13:27

Sample ID 240807-emesra1alm
Target e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3
SHA256 e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3
Tags
urelas discovery trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3

Threat Level: Known bad

The file e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-07 04:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-07 04:03

Reported

2024-08-07 04:05

Platform

win7-20240704-en

Max time kernel

147s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qyycd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bofef.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qyycd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bofef.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1624 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Users\Admin\AppData\Local\Temp\qyycd.exe
PID 1624 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Users\Admin\AppData\Local\Temp\qyycd.exe
PID 1624 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Users\Admin\AppData\Local\Temp\qyycd.exe
PID 1624 wrote to memory of 2644 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Users\Admin\AppData\Local\Temp\qyycd.exe
PID 1624 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1624 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\qyycd.exe | C:\Users\Admin\AppData\Local\Temp\uczeif.exe
PID 2644 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\qyycd.exe | C:\Users\Admin\AppData\Local\Temp\uczeif.exe
PID 2644 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\qyycd.exe | C:\Users\Admin\AppData\Local\Temp\uczeif.exe
PID 2644 wrote to memory of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\qyycd.exe | C:\Users\Admin\AppData\Local\Temp\uczeif.exe
PID 2840 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | C:\Users\Admin\AppData\Local\Temp\bofef.exe
PID 2840 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | C:\Users\Admin\AppData\Local\Temp\bofef.exe
PID 2840 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | C:\Users\Admin\AppData\Local\Temp\bofef.exe
PID 2840 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | C:\Users\Admin\AppData\Local\Temp\bofef.exe
PID 2840 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\uczeif.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe

"C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe"

C:\Users\Admin\AppData\Local\Temp\qyycd.exe

"C:\Users\Admin\AppData\Local\Temp\qyycd.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\uczeif.exe

"C:\Users\Admin\AppData\Local\Temp\uczeif.exe" OK

C:\Users\Admin\AppData\Local\Temp\bofef.exe

"C:\Users\Admin\AppData\Local\Temp\bofef.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11110 | - | tcp
KR | 1.234.83.146:11170 | - | tcp
KR | 218.54.31.165:11110 | - | tcp
JP | 133.242.129.155:11110 | - | tcp

Files

memory/1624-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1624-37-0x0000000000526000-0x000000000087A000-memory.dmp

memory/1624-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1624-35-0x0000000000350000-0x0000000000351000-memory.dmp

memory/1624-33-0x0000000000350000-0x0000000000351000-memory.dmp

memory/1624-30-0x0000000000340000-0x0000000000341000-memory.dmp

memory/1624-28-0x0000000000340000-0x0000000000341000-memory.dmp

memory/1624-25-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1624-23-0x0000000000330000-0x0000000000331000-memory.dmp

memory/1624-20-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1624-18-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1624-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1624-15-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1624-13-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1624-11-0x0000000000290000-0x0000000000291000-memory.dmp

memory/1624-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1624-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1624-6-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1624-5-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1624-3-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1624-1-0x0000000000230000-0x0000000000231000-memory.dmp

\Users\Admin\AppData\Local\Temp\qyycd.exe

MD5 3e2d058553e14876e76dd477f74ebe94
SHA1 64dca8e5959278af48a5aa32dde9f9fabddc00ce
SHA256 305ca66a2174ceb3177b0f3b01a7e41a70fccb5e1f85c68c4d5e66be523a7f6f
SHA512 5768f2ad4a216cd7168fad6d702d7e6dededde0304de5cba3ab462b1d7fd0d73227e68982871e3e79535435ade56fbd5c69c7a45527160d866f922c831722af3

memory/1624-47-0x0000000003D40000-0x000000000482C000-memory.dmp

memory/1624-48-0x0000000003D40000-0x000000000482C000-memory.dmp

memory/2644-53-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 97dcfa2576fd07b0297c2f6f10bf4bd5
SHA1 5cef9dfb7c8d0daf2f4b1c0cd11ee9173445769d
SHA256 29445118d03cee0fae50bd6bbad695fee514206264f77ad9e8a530171e49807d
SHA512 f508987ef9a1e17646914b5af8ad7de379a0089a0010ce2d3a0b80de34eb99ffee4861cd144b3d7a86f2b380de4fcdabb0e9e2af07248dded3e777236301e323

memory/1624-62-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1624-94-0x0000000000526000-0x000000000087A000-memory.dmp

memory/2644-87-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2644-85-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2644-82-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2644-93-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2644-80-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2644-95-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 903c0424cd1a108eccb1ab1132db601b
SHA1 2ce72e5c0313c1c6596835768417be0e443470a7
SHA256 da4339bea633de40e4383c324948b13cc5411d3a8c818c86fb1d6facc0b47eb8
SHA512 50057c4f6b1b965e0ca98471689eba2291bee7bd3c7093cea78d51a51a209413b44d44f0eb24e82bbf07d0b26232941cf228941ec71ebdb315c22b46991f7ae8

memory/2644-77-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2644-75-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2644-114-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2644-116-0x0000000003D70000-0x000000000485C000-memory.dmp

memory/2644-117-0x0000000003D70000-0x000000000485C000-memory.dmp

memory/2840-118-0x0000000000400000-0x0000000000EEC000-memory.dmp

\Users\Admin\AppData\Local\Temp\bofef.exe

MD5 1a74710f3155a9ed432ecc7fc34dd4b3
SHA1 d789cc453a146300d840cc02c341fcbd8f7d5ed9
SHA256 9e701fbc2286f5dd8ed033ab340e897dc88448a4294d5da48ead717867c5910a
SHA512 fd37305251331c3a021aed37b79f7d1ad8a16de2e76897c8c0a43342fdd1b4be6fb4f9db3424ce04989c75b2714fc0e39201309aaf9e44bcb8262ee0b1c55423

memory/2840-163-0x0000000004210000-0x00000000043A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 0d1c6034a1090fc2c28d488fb0f56b1a
SHA1 9b5d1440547c047a2ccd761f63ac609ca04d91af
SHA256 ed83d2618b9dbafed85b27e1b78d6c1f56c972340c5f428a8b6fbc33092042b2
SHA512 d8aa66e7cc8ec880db6958e60d64bd25358fa4b03b798cb34e3075cc636a321580727d31c83d89988fd96a501d7ae15d91471531ab4907e2713d53240978d72d

memory/1768-165-0x0000000000400000-0x0000000000599000-memory.dmp

memory/2840-173-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/1768-178-0x0000000000400000-0x0000000000599000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-07 04:03

Reported

2024-08-07 04:05

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\joepy.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\joepy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\joepy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\joepy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\joepy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zymav.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1912 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Users\Admin\AppData\Local\Temp\joepy.exe
PID 1912 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Users\Admin\AppData\Local\Temp\joepy.exe
PID 1912 wrote to memory of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Users\Admin\AppData\Local\Temp\joepy.exe
PID 1912 wrote to memory of 668 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 668 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 668 | N/A | C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1104 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\joepy.exe | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe
PID 1104 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\joepy.exe | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe
PID 1104 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\joepy.exe | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe
PID 620 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | C:\Users\Admin\AppData\Local\Temp\zymav.exe
PID 620 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | C:\Users\Admin\AppData\Local\Temp\zymav.exe
PID 620 wrote to memory of 4208 | N/A | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | C:\Users\Admin\AppData\Local\Temp\zymav.exe
PID 620 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | C:\Windows\SysWOW64\cmd.exe
PID 620 wrote to memory of 692 | N/A | C:\Users\Admin\AppData\Local\Temp\qeqixi.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe

"C:\Users\Admin\AppData\Local\Temp\e2b6004f2e84ad6df89d7484a557cf1970b2204c017d2fa89013818bfcdf55f3.exe"

C:\Users\Admin\AppData\Local\Temp\joepy.exe

"C:\Users\Admin\AppData\Local\Temp\joepy.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\qeqixi.exe

"C:\Users\Admin\AppData\Local\Temp\qeqixi.exe" OK

C:\Users\Admin\AppData\Local\Temp\zymav.exe

"C:\Users\Admin\AppData\Local\Temp\zymav.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
KR | 218.54.31.226:11110 | - | tcp
KR | 1.234.83.146:11170 | - | tcp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
KR | 218.54.31.165:11110 | - | tcp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
JP | 133.242.129.155:11110 | - | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp

Files

memory/1912-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1912-3-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/1912-10-0x0000000000526000-0x000000000087A000-memory.dmp

memory/1912-8-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1912-6-0x0000000001020000-0x0000000001021000-memory.dmp

memory/1912-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1912-5-0x0000000001010000-0x0000000001011000-memory.dmp

memory/1912-4-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/1912-2-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

memory/1912-7-0x0000000001030000-0x0000000001031000-memory.dmp

memory/1912-1-0x0000000000F80000-0x0000000000F81000-memory.dmp

memory/1912-14-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\joepy.exe

MD5 5807dc63a25d07d9d8dc7d740f88d9ff
SHA1 b0bedeb4829f1a88e660e23cd2738f49cf73ec05
SHA256 751a380cb2b6bba7b2d82dacdc57258842b42f2f0b5c38044f5bf6fbf762b718
SHA512 e2ac0b3e693c7dd8cf1a955954bed4e71c8e78f65ea92dac747c9150b97b082488515343536f7595f0321e8a859ddba598b8e62e51380ac9a4622b68f52add7a

memory/1104-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1912-27-0x0000000000526000-0x000000000087A000-memory.dmp

memory/1912-26-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 97dcfa2576fd07b0297c2f6f10bf4bd5
SHA1 5cef9dfb7c8d0daf2f4b1c0cd11ee9173445769d
SHA256 29445118d03cee0fae50bd6bbad695fee514206264f77ad9e8a530171e49807d
SHA512 f508987ef9a1e17646914b5af8ad7de379a0089a0010ce2d3a0b80de34eb99ffee4861cd144b3d7a86f2b380de4fcdabb0e9e2af07248dded3e777236301e323

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 433f9470cdee864f3a73653a46db9421
SHA1 d7cc4ad83bde83cfabf0eb3bfd79dff4f0a0f0b2
SHA256 f4cdc192c6611038f96628258b71ba7cdcb2a6787ff18c2f50d3b9d136de0e85
SHA512 51efb2d633529f37bbdafc1773a9ab306a67f6b8e504770e0aab1335e44713d60e7a70a758916c64170cee9354a72d11c16d0f2be2f842267618ccd597bebb49

memory/1104-35-0x0000000002B80000-0x0000000002B81000-memory.dmp

memory/1104-34-0x0000000002B70000-0x0000000002B71000-memory.dmp

memory/1104-33-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/1104-32-0x0000000002B50000-0x0000000002B51000-memory.dmp

memory/1104-31-0x0000000001180000-0x0000000001181000-memory.dmp

memory/1104-30-0x0000000001170000-0x0000000001171000-memory.dmp

memory/1104-29-0x0000000001160000-0x0000000001161000-memory.dmp

memory/1104-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1104-40-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/620-50-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/1104-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/620-56-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/620-57-0x0000000002C90000-0x0000000002C91000-memory.dmp

memory/620-58-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/620-54-0x0000000001050000-0x0000000001051000-memory.dmp

memory/620-53-0x0000000001040000-0x0000000001041000-memory.dmp

memory/620-52-0x0000000000F10000-0x0000000000F11000-memory.dmp

memory/620-51-0x0000000000F00000-0x0000000000F01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zymav.exe

MD5 ed0504351c0cdda57db5b931880c4647
SHA1 9f3eee02ee8e8a3c56731cfc5a74a3f3a04241db
SHA256 88cf9236a6e132a0e598fc46698f8d20d0cdda865b8e1865f7aaba3b240af153
SHA512 7693ccb87abe50745077b6a40f0d5d2b1db81fda3ad760a02e73c2d1faec86dcfa3a7af2b47fb66598e44e62cdc8c0617378801e3629b6039e04c3208ebe23f7

memory/4208-71-0x0000000000400000-0x0000000000599000-memory.dmp

memory/620-73-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/4208-75-0x0000000000400000-0x0000000000599000-memory.dmp