Malware Analysis Report

2024-11-16 13:28

Sample ID: 240809-2mc1gssgrl
Target: 6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3
SHA256: 6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3
Tags: urelas discovery trojan upx
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3

Threat Level: Known bad

The file 6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Loads dropped DLL

UPX packed file

Checks computer location settings

Deletes itself

Executes dropped EXE

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. The rendered matrix is not part of this text export. Of the signatures listed in the summary, the following carry an unambiguous technique mapping: System Location Discovery: System Language Discovery is T1614.001 (the signature reuses the ATT&CK name); Checks computer location settings (the Geo\Nation registry query) falls under T1614 System Location Discovery; UPX packed file is T1027.002 Obfuscated Files or Information: Software Packing; Deletes itself is T1070.004 Indicator Removal: File Deletion. The remaining signature names are the sandbox's own labels.

Analysis: static1

Detonation Overview

Reported

2024-08-09 22:41

Signatures

Unsigned PE (the submitted file carries no Authenticode signature)

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-09 22:41

Reported

2024-08-09 22:44

Platform

win7-20240729-en

Max time kernel

150s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

The signature fires on cmd.exe rather than on the sample: the deletion is carried out by the dropped _vslite.bat that cmd.exe runs (see the command lines under Processes below), not by the executable's own code.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\giojn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xejulo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tusaw.exe N/A

UPX packed file

upx
3 matches recorded; the export carries no per-file detail (Description, Indicator, Process and Target are all N/A).

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tusaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\giojn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xejulo.exe N/A

Suspicious use of WriteProcessMemory

Each writer/target pair was recorded four times in the export; the rows are collapsed here with a count.

Writer PID  Target PID  Count  Process  Target
2244  1896  4  C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe  C:\Users\Admin\AppData\Local\Temp\giojn.exe
2244  3036  4  C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe  C:\Windows\SysWOW64\cmd.exe
1896  2776  4  C:\Users\Admin\AppData\Local\Temp\giojn.exe  C:\Users\Admin\AppData\Local\Temp\xejulo.exe
2776  1232  4  C:\Users\Admin\AppData\Local\Temp\xejulo.exe  C:\Users\Admin\AppData\Local\Temp\tusaw.exe
2776  1600  4  C:\Users\Admin\AppData\Local\Temp\xejulo.exe  C:\Windows\SysWOW64\cmd.exe

Processes

Process tree for this detonation. The export lists the six processes flat, in launch order; the PIDs and parent/child links below come from the WriteProcessMemory table above, whose writer/target pairs line up with each parent launching its child. Each entry shows the image path followed by the recorded command line.

2244  C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe
      "C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe"
  1896  C:\Users\Admin\AppData\Local\Temp\giojn.exe
        "C:\Users\Admin\AppData\Local\Temp\giojn.exe"
    2776  C:\Users\Admin\AppData\Local\Temp\xejulo.exe
          "C:\Users\Admin\AppData\Local\Temp\xejulo.exe" OK
      1232  C:\Users\Admin\AppData\Local\Temp\tusaw.exe
            "C:\Users\Admin\AppData\Local\Temp\tusaw.exe"
      1600  C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  3036  C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Three executables are dropped into the same Temp directory and run as a chain (the second stage is started with the literal argument OK), and both the sample and the second stage hand _vslite.bat to cmd.exe; those two cmd.exe instances are the processes on which Deletes itself fired.

Network

Country Destination Domain (- = none recorded) Proto
KR 218.54.31.226:11110 - tcp
KR 1.234.83.146:11170 - tcp
KR 218.54.31.165:11110 - tcp
JP 133.242.129.155:11110 - tcp

All four connections go directly to an IP address on a non-standard port with no DNS query recorded; the same four destinations appear again in behavioral2.
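The WriteProcessMemory and Network tables above arrive as flat text with repeated rows. The script below is an added example, not part of the sandbox's output or tooling: it parses rows in the exported form, collapses the duplicate WriteProcessMemory entries into a parent/child tree, and separates direct-IP connections from sandbox background traffic. The input rows are constructed from this page's behavioral1 and behavioral2 tables; the noise allowlist (NOISE_SUFFIXES) is an assumption for a Windows 10 image, not something the report states.

```python
"""Rebuild the process tree and triage the Network table of a flattened
sandbox report.  Input rows are constructed from the tables on this page,
duplicates included, so the script runs offline."""
import re
from collections import Counter

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# behavioral1 WriteProcessMemory rows in export form:
# "PID <writer> wrote to memory of <target> N/A <writer image> <target image>"
WPM_ROWS_B1 = (
    [f"PID 2244 wrote to memory of 1896 N/A {SAMPLE} {TEMP}\\giojn.exe"] * 4
    + [f"PID 2244 wrote to memory of 3036 N/A {SAMPLE} {CMD}"] * 4
    + [f"PID 1896 wrote to memory of 2776 N/A {TEMP}\\giojn.exe {TEMP}\\xejulo.exe"] * 4
    + [f"PID 2776 wrote to memory of 1232 N/A {TEMP}\\xejulo.exe {TEMP}\\tusaw.exe"] * 4
    + [f"PID 2776 wrote to memory of 1600 N/A {TEMP}\\xejulo.exe {CMD}"] * 4
)

# Network rows: "Country Destination Domain Proto"; Domain is absent on direct-IP rows.
NET_B1 = """\
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
"""
NET_B2 = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Assumed noise allowlist for a Windows 10 sandbox image (reverse lookups,
# Bing telemetry).  Not stated by the report; tune it for your own images.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

def parse_wpm(rows):
    """Collapse duplicate rows into {(writer, target): count} plus {pid: image}."""
    edges, images = Counter(), {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        writer, target = int(m[1]), int(m[2])
        edges[(writer, target)] += 1
        images[writer], images[target] = m[3], m[4]
    return edges, images

def process_tree(edges, images):
    """Indented parent -> child lines; the writer is treated as the parent of
    the target it wrote into, which is how the report pairs them."""
    children, targets = {}, set()
    for (writer, target), n in edges.items():
        children.setdefault(writer, []).append((target, n))
        targets.add(target)
    lines = []

    def walk(pid, depth, note):
        lines.append("  " * depth + f"{pid}  {images[pid]}{note}")
        for target, n in sorted(children.get(pid, [])):
            walk(target, depth + 1, f"  ({n} writes from PID {pid})")

    for root in sorted(set(images) - targets):   # PIDs nobody wrote into
        walk(root, 0, "")
    return lines

def parse_net(text):
    """Rows as (country, host:port, domain or '', proto)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            rows.append(tuple(parts))
        elif len(parts) == 3:                    # direct-IP row, no domain
            rows.append((parts[0], parts[1], "", parts[2]))
    return rows

def candidate_c2(rows):
    """Destinations left after dropping resolver traffic and allowlisted domains."""
    keep = set()
    for _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        if port == "53" or domain.endswith(NOISE_SUFFIXES):
            continue
        keep.add(f"{proto}://{host}:{port}")
    return sorted(keep)

def recurring(*row_sets):
    """Candidate destinations present in every detonation supplied."""
    return sorted(set.intersection(*(set(candidate_c2(r)) for r in row_sets)))

if __name__ == "__main__":
    print("\n".join(process_tree(*parse_wpm(WPM_ROWS_B1))))
    print(recurring(parse_net(NET_B1), parse_net(NET_B2)))
```

The intersection step is the point: hashes and dropped-file names change between the two runs, but the four direct-IP destinations do not, so they survive `recurring()` while the Windows 10 background traffic in behavioral2 is filtered out before it can pollute a blocklist.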

Files

Dropped files and memory dumps, in the order recorded. Two details worth noting: _vslite.bat is written twice during the run with different contents (MD5 039e362378baa40b93ba578a94a32228, then 0700a281846149940eeab87fa8c9c57c), and the sample (PID 2244), giojn.exe (1896) and xejulo.exe (2776) all map the same 0x400000-0xEEC000 image range while tusaw.exe (1232) maps a smaller 0x400000-0x599000 one, so the third executable is a different binary from the first three.

memory/2244-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2244-36-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2244-37-0x0000000000526000-0x000000000087A000-memory.dmp

memory/2244-35-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2244-33-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/2244-30-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2244-28-0x0000000000290000-0x0000000000291000-memory.dmp

memory/2244-25-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2244-23-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2244-20-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2244-18-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2244-15-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2244-13-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2244-11-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2244-10-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2244-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2244-6-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2244-5-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2244-3-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2244-1-0x0000000000230000-0x0000000000231000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\giojn.exe

MD5 9c380a15619a5d4549ca08188c4139ee
SHA1 0256d309fb12562870ade3137ee29a284ae3347d
SHA256 3da1829a6012acd5531c2f01cad5e8166a18b394f99d127e07007a5fb90dd655
SHA512 db5e94e7174988d44458e6768689e1e81d90018deef6d2020bf0de50af5286306b218ec425a7177a79e98f9ba7921a0774da904ad92a2392aa326a8208b9957a

memory/2244-41-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 039e362378baa40b93ba578a94a32228
SHA1 1b13a409b3322e3c18e94c24e6114a829166a5e5
SHA256 a7d7fc1c9393629d90bb2ab25bf087c6fda29dd7c91d27a2fcdfa1d254615b45
SHA512 ba3ac3ed079df544e8edede02fb85569bd0362f8ac005c0a51f54596cb22f2370b2758f977e224d9a46fdc92544a974fd141b7f58ca4f2a93e3af421ebff963b

memory/2244-60-0x0000000003DA0000-0x000000000488C000-memory.dmp

memory/2244-52-0x0000000003DA0000-0x000000000488C000-memory.dmp

memory/2244-61-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2244-102-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 1fb93d650f42da54af68b2df300cacc9
SHA1 649c9d38af9e9e72dda827717ab4eeafe2fc3975
SHA256 680afc015a9e77caa0ed54d0004d8b48c31c7cee937060998ff265b52ff83bed
SHA512 1d4d7ccd627cfdbc24b8028b40a1dc7a024bd5c5d3e8a0e65cfd801191807234d442b3473714569a4d78c6d1031a58bab049afa3061bf99caf9382fc1cd6e0f3

memory/1896-87-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1896-85-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1896-82-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1896-80-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1896-77-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/1896-75-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/1896-72-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1896-70-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1896-67-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1896-65-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/1896-112-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2776-113-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/2776-158-0x0000000004840000-0x00000000049D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 0700a281846149940eeab87fa8c9c57c
SHA1 981a22c53d358a0e5bcf602a4c30853c9bb69f92
SHA256 623328cbc95616c2564e761202b8d4710f142901804d63659d20c6ca9c0e0301
SHA512 fe17f908686e293f74976f945a040d0a71f3d37400a23e6e804d55c1951e2230451d1f1c91770d9d54e2f8d51ab44c5c65ef6b8d9467123dd6ed0f64b5d2f6a2

memory/1232-167-0x0000000000400000-0x0000000000599000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tusaw.exe

MD5 aa1688e9cce429f79a82c64eb06182dc
SHA1 e9fc858bbee9a87d256b0d03df9ba970664ab71b
SHA256 3e63fe5abc80de7401286fda2b1860f395cb8906f916a10a0674c31d2f71a49d
SHA512 daa0fcf4aef6f2e1169a12a586d162eef2a0351db4dfe35cf838cd18e5f1c20b45a2449da07cc48ce38e798dd87f6aefe2cb5e37e8d47547fb1369a8ff20c2ce

memory/2776-168-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/1232-173-0x0000000000400000-0x0000000000599000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-09 22:41

Reported

2024-08-09 22:44

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\toavd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gomaaf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toavd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gomaaf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kyijz.exe N/A

UPX packed file

upx
4 matches recorded; the export carries no per-file detail (Description, Indicator, Process and Target are all N/A).

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gomaaf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kyijz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\toavd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

The export lists one row per hit with no further detail; collapsed here by process. kyijz.exe accounts for 24 of the 30 hits.

Process  Count
C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe  2
C:\Users\Admin\AppData\Local\Temp\toavd.exe  2
C:\Users\Admin\AppData\Local\Temp\gomaaf.exe  2
C:\Users\Admin\AppData\Local\Temp\kyijz.exe  24

Suspicious use of WriteProcessMemory

Each writer/target pair was recorded three times in the export; the rows are collapsed here with a count.

Writer PID  Target PID  Count  Process  Target
3280  3720  3  C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe  C:\Users\Admin\AppData\Local\Temp\toavd.exe
3280  2732  3  C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe  C:\Windows\SysWOW64\cmd.exe
3720  4576  3  C:\Users\Admin\AppData\Local\Temp\toavd.exe  C:\Users\Admin\AppData\Local\Temp\gomaaf.exe
4576  2892  3  C:\Users\Admin\AppData\Local\Temp\gomaaf.exe  C:\Users\Admin\AppData\Local\Temp\kyijz.exe
4576  2712  3  C:\Users\Admin\AppData\Local\Temp\gomaaf.exe  C:\Windows\SysWOW64\cmd.exe

Processes

Process tree for this detonation, derived as for behavioral1 from the writer/target pairs in the WriteProcessMemory table above. The chain has the same shape as on Windows 7; only the random file names differ. Each entry shows the image path followed by the recorded command line.

3280  C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe
      "C:\Users\Admin\AppData\Local\Temp\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe"
  3720  C:\Users\Admin\AppData\Local\Temp\toavd.exe
        "C:\Users\Admin\AppData\Local\Temp\toavd.exe"
    4576  C:\Users\Admin\AppData\Local\Temp\gomaaf.exe
          "C:\Users\Admin\AppData\Local\Temp\gomaaf.exe" OK
      2892  C:\Users\Admin\AppData\Local\Temp\kyijz.exe
            "C:\Users\Admin\AppData\Local\Temp\kyijz.exe"
      2712  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
  2732  C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

The command line names C:\Windows\system32\cmd.exe but the image path is C:\Windows\SysWOW64\cmd.exe: the sample is a 32-bit process, so WOW64 file system redirection resolves the system32 path to the 32-bit copy. Detection logic that matches on the requested path rather than the loaded image will see the system32 string.
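As an added example (not from the report or the sandbox vendor), the following detection logic encodes the execution pattern seen in both detonations: a Temp-resident executable launching further Temp-resident executables, and cmd.exe running a .bat from Temp on behalf of a Temp-resident parent. It runs over constructed Sysmon-style process-creation events built from the behavioral1 process list plus two benign controls. The Temp path pattern, the MIN_CHAIN threshold and the event field names are assumptions; the command lines are the ones recorded on this page.

```python
"""Detection logic for the execution chain in this report, run over
constructed process-creation events (Sysmon Event ID 1 style fields)."""
import re

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\6ed65dc712475b850329b728fda9bda8aa7e386758c39aa4f30ba0f75ef87dd3.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed events mirroring the behavioral1 process list, plus two benign
# controls: explorer.exe (PID 1000) and a notepad.exe it launched (PID 4000).
EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2244, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1896, "ppid": 2244, "image": TEMP + r"\giojn.exe", "cmdline": f'"{TEMP}\\giojn.exe"'},
    {"pid": 3036, "ppid": 2244, "image": CMD, "cmdline": f'cmd /c ""{TEMP}\\_vslite.bat" "'},
    {"pid": 2776, "ppid": 1896, "image": TEMP + r"\xejulo.exe", "cmdline": f'"{TEMP}\\xejulo.exe" OK'},
    {"pid": 1232, "ppid": 2776, "image": TEMP + r"\tusaw.exe", "cmdline": f'"{TEMP}\\tusaw.exe"'},
    {"pid": 1600, "ppid": 2776, "image": CMD, "cmdline": f'cmd /c ""{TEMP}\\_vslite.bat" "'},
    {"pid": 4000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Assumed scope: the per-user Temp directory.  Widen it for other staging
# locations (ProgramData, Public) in your own environment.
TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
# cmd.exe /c <path>.bat with any amount of quoting, as in the recorded lines.
BAT_RE = re.compile(r'/c\s+"*(?P<bat>[A-Za-z]:\\[^"]+\.bat)', re.I)
MIN_CHAIN = 3  # assumed threshold: three consecutive Temp-resident processes

def in_temp(path):
    return bool(TEMP_RE.match(path))

def temp_chain_depth(pid, by_pid):
    """Count consecutive ancestors (self included) whose image lives in Temp."""
    depth, ev = 0, by_pid.get(pid)
    while ev and in_temp(ev["image"]):
        depth += 1
        ev = by_pid.get(ev["ppid"])
    return depth

def findings_for(ev, by_pid):
    """Rule hits for one event, each as (rule name, evidence)."""
    hits = []
    parent = by_pid.get(ev["ppid"])
    if parent and in_temp(parent["image"]):
        if ev["image"].lower().endswith("\\cmd.exe"):
            m = BAT_RE.search(ev["cmdline"])
            if m and in_temp(m["bat"]):
                hits.append(("temp_exe_runs_temp_bat", m["bat"]))
        if in_temp(ev["image"]):
            hits.append(("temp_exe_spawns_temp_exe", parent["image"]))
    depth = temp_chain_depth(ev["pid"], by_pid)
    if depth >= MIN_CHAIN:
        hits.append(("temp_exe_chain", depth))
    return hits

def evaluate(events):
    """Return {pid: [findings]} for every event with at least one hit."""
    by_pid = {e["pid"]: e for e in events}
    out = {}
    for ev in events:
        hits = findings_for(ev, by_pid)
        if hits:
            out[ev["pid"]] = hits
    return out

def verdict(events):
    """Alert on a Temp batch run by a Temp parent, or on a full Temp chain."""
    kinds = {kind for hits in evaluate(events).values() for kind, _ in hits}
    return bool({"temp_exe_runs_temp_bat", "temp_exe_chain"} & kinds)

if __name__ == "__main__":
    for pid, hits in evaluate(EVENTS).items():
        print(pid, hits)
    print("alert:", verdict(EVENTS))
```

The rule keys on structure (where the images live and who launched whom), not on the sample's strings; the fixed argument OK and the file name _vslite.bat can be added as higher-confidence matches, but both are trivially changed between builds, whereas dropping and chaining executables out of Temp is the behaviour the report shows on both platforms.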

Network

Country Destination Domain (- = none recorded) Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
KR 218.54.31.226:11110 - tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
KR 1.234.83.146:11170 - tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
KR 218.54.31.165:11110 - tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
JP 133.242.129.155:11110 - tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp (recorded 5 times)

The reverse lookups via 8.8.8.8 and the g.bing.com / tse1.mm.bing.net connections are characteristic of Windows 10 background activity on the sandbox image rather than of the sample. The four TCP connections to Korean and Japanese hosts on ports 11110 and 11170 were made with no preceding DNS query, recur unchanged from behavioral1, and are the network indicators to act on.

Files

Dropped files and memory dumps, in the order recorded. Compared with behavioral1: the first _vslite.bat (MD5 039e362378baa40b93ba578a94a32228) and gbp.ini (MD5 dbef593bccc2049f860f718cd6fec321) are byte-identical across both detonations, while the second _vslite.bat, golfinfo.ini and every dropped executable differ, and the executables are written under different random names (giojn/xejulo/tusaw on Windows 7, toavd/gomaaf/kyijz here). Hashes of the dropped executables are therefore per-run artifacts; the two recurring files and the network destinations are the stable indicators from this report.

memory/3280-0-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3280-3-0x0000000002C60000-0x0000000002C61000-memory.dmp

memory/3280-6-0x0000000002CB0000-0x0000000002CB1000-memory.dmp

memory/3280-8-0x0000000002CD0000-0x0000000002CD1000-memory.dmp

memory/3280-13-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3280-7-0x0000000002CC0000-0x0000000002CC1000-memory.dmp

memory/3280-5-0x0000000002C70000-0x0000000002C71000-memory.dmp

memory/3280-9-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3280-2-0x0000000000F50000-0x0000000000F51000-memory.dmp

memory/3280-1-0x0000000000F40000-0x0000000000F41000-memory.dmp

memory/3280-4-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toavd.exe

MD5 c703358a4ca1ebe362981df777307d63
SHA1 afc518742d48f15332d12925f0ded89e8f22dc80
SHA256 0d0aab82001a8440c4878484c464c4f46f391b79db11ba4693655c80c6eb2973
SHA512 cecae82b226c85af554968c23f40fa42015ae4b3b46ca0bbfb83d91443a178318d8d4e3b1632cf16756d8a732e5180a7e38977421c26928755ef4faa38651597

memory/3720-24-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3280-25-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3280-26-0x0000000000526000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 039e362378baa40b93ba578a94a32228
SHA1 1b13a409b3322e3c18e94c24e6114a829166a5e5
SHA256 a7d7fc1c9393629d90bb2ab25bf087c6fda29dd7c91d27a2fcdfa1d254615b45
SHA512 ba3ac3ed079df544e8edede02fb85569bd0362f8ac005c0a51f54596cb22f2370b2758f977e224d9a46fdc92544a974fd141b7f58ca4f2a93e3af421ebff963b

memory/3720-38-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a6f8a77aec6df19f966a08a95e231475
SHA1 1630f8f4e10e2bcafff094054f34ed3dda37940a
SHA256 b67a28eea2cc2426591b1931d3bc3426711e07c3c7b8e75e49c92cc2f19d1284
SHA512 070fd1c423f34a4fa00e1a0813cfc091abc27281e62c413291746adebeee87750ceda5e4213294780aa7bcefd86728c1bbc6f649a89d4d67cc5484dfc750c82e

memory/3720-34-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/3720-33-0x0000000002B50000-0x0000000002B51000-memory.dmp

memory/3720-32-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/3720-31-0x0000000002A20000-0x0000000002A21000-memory.dmp

memory/3720-30-0x0000000001040000-0x0000000001041000-memory.dmp

memory/3720-29-0x0000000001030000-0x0000000001031000-memory.dmp

memory/3720-28-0x0000000001020000-0x0000000001021000-memory.dmp

memory/3720-39-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/3720-48-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/4576-49-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/4576-55-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/4576-57-0x0000000000400000-0x0000000000EEC000-memory.dmp

memory/4576-56-0x0000000002A90000-0x0000000002A91000-memory.dmp

memory/4576-54-0x0000000001000000-0x0000000001001000-memory.dmp

memory/4576-53-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/4576-52-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

memory/4576-51-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

memory/4576-50-0x0000000000F90000-0x0000000000F91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kyijz.exe

MD5 14b5979af8e4ce5a7ef0405bc4c1c766
SHA1 f0714ebd45aa35b67e4b9960ea47482a22728348
SHA256 bf8c1e54bed9dc013e71a6b73ffa9f57cff042fbe6045c793b46f21bc166d76f
SHA512 aaa98ff56016b5defc71520d0c737707655c3f625b195a8589d1b99c1981e80829c6ed9b2376d03d1a61136354021abd8a7ca56360936b19a0977b60395caabe

memory/2892-71-0x0000000000400000-0x0000000000599000-memory.dmp

memory/4576-72-0x0000000000400000-0x0000000000EEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 7d88b17633cce15699894f7155869eeb
SHA1 2a17eb5881b1b1a6585e27aa0096c315627633e7
SHA256 605372a1cdb381a3079cc34ebefdef80084816cca402e8244002eb94d8f11db2
SHA512 4f52b726ecbbf214f3f9bb42782afe3883dae498b22069d5c676bcfe12abd3257609ea253362fce08e48b1a03465ae44435fef983700387795dc68742ed15113

C:\Users\Admin\AppData\Local\Temp\gbp.ini

MD5 dbef593bccc2049f860f718cd6fec321
SHA1 e7e9f8235b4eb70aa99dd2c38009f2152575a8d0
SHA256 30f820bb1ca6c20bcd77113c7377e01f31cdf0ec5b64864f22887d41a9bf3c7a
SHA512 3e87c661c343b72f5dff4587b99688dbf655be9d6d903a75151bd9f204f55858e90388591f660bcbded5278ef94e322bf3e7c57374c9b16fce1eef7082395a2a

memory/2892-75-0x0000000000400000-0x0000000000599000-memory.dmp

memory/2892-77-0x0000000000400000-0x0000000000599000-memory.dmp