Malware Analysis Report

2024-11-16 13:24

Sample ID: 241008-1xfnpavgkf
Target: 5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e
SHA256: 5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e
Tags: urelas discovery trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e

Threat Level: Known bad

The file 5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e was found to be: Known bad.

Malicious Activity Summary

Tags: urelas discovery trojan

Urelas

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Deletes itself

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-10-08 22:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-08 22:01
Reported: 2024-10-08 22:04
Platform: win7-20240729-en
Max time kernel: 149s
Max time network: 77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe"

Signatures

Urelas

Tags: trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\moyzy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uftiv.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\moyzy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uftiv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uftiv.exe N/A (entry repeated 54 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe C:\Users\Admin\AppData\Local\Temp\moyzy.exe (entry repeated 4 times)
PID 1456 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe C:\Windows\SysWOW64\cmd.exe (entry repeated 4 times)
PID 2940 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\moyzy.exe C:\Users\Admin\AppData\Local\Temp\uftiv.exe (entry repeated 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe

"C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe"

C:\Users\Admin\AppData\Local\Temp\moyzy.exe

"C:\Users\Admin\AppData\Local\Temp\moyzy.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\uftiv.exe

"C:\Users\Admin\AppData\Local\Temp\uftiv.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/1456-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1456-0-0x00000000012A0000-0x0000000001321000-memory.dmp

\Users\Admin\AppData\Local\Temp\moyzy.exe

MD5 44e98094889fba9a2806a9f4546e4559
SHA1 964a8229dee8ddba4fbe3e01c9169e6c5a3e6fc3
SHA256 d2a4f5da0f1294ac2211836b7ae90038a71b27a53d2fa8cc644bda71c1adf722
SHA512 84dc777438690c856624e12046b07302545808bc8969216bcf25d95e256a6f217b052d8ad9c281f1884726278d0620cc4eea49a3d991d84e6fa2ded13d112fe0

memory/1456-7-0x0000000000DB0000-0x0000000000E31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 fbfb7b91e0cdb39726fa90448b3a9d1f
SHA1 4ed30980d6912d8aec5bd36619ce12fd69b0fc8f
SHA256 0cc8e7ab90d9cba6e791c851edae93e2d72dea64fce3460f14b339f44228494d
SHA512 bcc96519fc24f6a9cbb41cc965a3ea95b94d219f736aba94fedda07183b603ee7059314d05f6090c247713a32bfa2623308cfc11a36e17e25783b99ed2e460c6

memory/2940-17-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1456-20-0x00000000012A0000-0x0000000001321000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 60648468bd63cbb99c56666d9194a785
SHA1 274f5b87a1216507f9c3f69eb3ab1e3b7254fcfb
SHA256 0622295469f95a0a16c7cb27fe9919eb68a59d695fa6c0a6d9f264f8b8baea0a
SHA512 05e8d80e23a0cf9185b799bd94d911f096a0a4134a5134c43b05f19dbdf00698959c752db869a7f8e5a1d9bea2ec76391853661bbe7f0568b1106bf088ed411d

memory/2940-23-0x0000000000E30000-0x0000000000EB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uftiv.exe

MD5 0de8212d2711bad3ea09e9ec1b9ab5d3
SHA1 f10e2da259c99b7abcce8c688c1a0cfed3f9eba1
SHA256 e71056b8ce3c3ff59422714eb3060ded31cefe7d18bdbc62bdb1f9b18104047c
SHA512 69478c3e9f367af4215b296378a72fd3f09de0a75e1e2c8ed169f85b8c2b930aa64cdcbe91f396c2e53a58bd142e779a23d842152996f27a764b19a51c6995ba

memory/348-41-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/2940-40-0x0000000003300000-0x0000000003399000-memory.dmp

memory/2940-39-0x0000000000E30000-0x0000000000EB1000-memory.dmp

memory/348-42-0x0000000000B30000-0x0000000000BC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\moyzy.exe

MD5 4fa5152d5ecdfa88cdd1742b7fd34212
SHA1 592d32fb202c3ae76979f3baa8049e806d782625
SHA256 29353bb596de19d3cb25b0836c4bf18be8e4207a368849dd82cafbcf40a15d56
SHA512 8be9aed579be4cc3d5fe82e75102f41deeb902613d500afb02f5a089205f680da4e3a654e5d6ec6fa77c3c1bd6d4413c12cd16ff180a430f1c07b318e664778b

memory/348-47-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/348-48-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/348-49-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/348-50-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/348-51-0x0000000000B30000-0x0000000000BC9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-08 22:01
Reported: 2024-10-08 22:04
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe"

Signatures

Urelas

Tags: trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dywut.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dywut.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sunet.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dywut.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\sunet.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sunet.exe N/A (entry repeated 64 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe C:\Users\Admin\AppData\Local\Temp\dywut.exe (entry repeated 3 times)
PID 3036 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe C:\Windows\SysWOW64\cmd.exe (entry repeated 3 times)
PID 4288 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\dywut.exe C:\Users\Admin\AppData\Local\Temp\sunet.exe (entry repeated 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe

"C:\Users\Admin\AppData\Local\Temp\5b1b39b7dddb0bd4165e5787ae90e6ebf2ee0aa53ea78685a4b29fbf9a22490e.exe"

C:\Users\Admin\AppData\Local\Temp\dywut.exe

"C:\Users\Admin\AppData\Local\Temp\dywut.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\sunet.exe

"C:\Users\Admin\AppData\Local\Temp\sunet.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
JP 133.242.129.155:11300 tcp

Files

memory/3036-0-0x0000000000BD0000-0x0000000000C51000-memory.dmp

memory/3036-1-0x0000000000D30000-0x0000000000D31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dywut.exe

MD5 5fb89bfe9c587b5acf47d8a1d9b149ef
SHA1 9a7f800c9a040c03b14b1b88ee113d49cb2291cf
SHA256 b651f1b439416c74a4f524de9f88a9304da30f47d068cf2ffd7236b429492b71
SHA512 0fb563cf1c4ccf78f7810f615e7744cc52b6623a25b840e65c16e1463847a9b57f86e97cdfb46e05441712cbaf83c671b9ecbae0d13142c9112fa93f928551fe

memory/4288-11-0x00000000009A0000-0x0000000000A21000-memory.dmp

memory/4288-14-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

memory/3036-16-0x0000000000BD0000-0x0000000000C51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 fbfb7b91e0cdb39726fa90448b3a9d1f
SHA1 4ed30980d6912d8aec5bd36619ce12fd69b0fc8f
SHA256 0cc8e7ab90d9cba6e791c851edae93e2d72dea64fce3460f14b339f44228494d
SHA512 bcc96519fc24f6a9cbb41cc965a3ea95b94d219f736aba94fedda07183b603ee7059314d05f6090c247713a32bfa2623308cfc11a36e17e25783b99ed2e460c6

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 7b2e9b68eb5742db76ebc45b99509c69
SHA1 9f655ee8392c919f3cb091b7cbbafc259b10a4b7
SHA256 7fd140c8eddb6ff8d651cc81503e210e8dddf2595e1e2df222a6460f2f309ae9
SHA512 88bd9c0080ba51347ccde73294a6f18c4ca397529eac35a291c65c5e1057aa58f9d3986cfac84d3614f304d2baea1c6964a3b4b3f8d605f8f913804b474d2aa3

memory/4288-19-0x00000000009A0000-0x0000000000A21000-memory.dmp

memory/4288-20-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sunet.exe

MD5 dc3619b94cadd205f52bd837b2d1693c
SHA1 155714e7c92be4530cd3e5e87fbffaba5315b6f4
SHA256 ea957562dd02dac3511071630744c3615f2ccdc94e3c41bcdc0f2be384df7d17
SHA512 18884299a036fa6bfd76b2618c8d36f0bbe0b132a530e32405a51d3e7ee561df0adc2f48cfd1bcf12b48135fad637c7c132b66648db229f8f588d4872b8566db

memory/760-38-0x00000000013B0000-0x00000000013B2000-memory.dmp

memory/760-37-0x0000000000730000-0x00000000007C9000-memory.dmp

memory/4288-40-0x00000000009A0000-0x0000000000A21000-memory.dmp

memory/760-41-0x0000000000730000-0x00000000007C9000-memory.dmp

memory/760-46-0x00000000013B0000-0x00000000013B2000-memory.dmp

memory/760-45-0x0000000000730000-0x00000000007C9000-memory.dmp

memory/760-47-0x0000000000730000-0x00000000007C9000-memory.dmp

memory/760-48-0x0000000000730000-0x00000000007C9000-memory.dmp

memory/760-49-0x0000000000730000-0x00000000007C9000-memory.dmp

memory/760-50-0x0000000000730000-0x00000000007C9000-memory.dmp