Malware Analysis Report

2024-11-16 13:24

Sample ID 241009-df88caxemr
Target c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb
SHA256 c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb
Tags
urelas discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb

Threat Level: Known bad

The file c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 02:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 02:58

Reported

2024-10-09 03:01

Platform

win7-20240903-en

Max time kernel

149s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fewic.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\egifg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\egifg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fewic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\egifg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe C:\Users\Admin\AppData\Local\Temp\fewic.exe
PID 1736 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe C:\Windows\SysWOW64\cmd.exe
PID 2440 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\fewic.exe C:\Users\Admin\AppData\Local\Temp\egifg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe

"C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe"

C:\Users\Admin\AppData\Local\Temp\fewic.exe

"C:\Users\Admin\AppData\Local\Temp\fewic.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\egifg.exe

"C:\Users\Admin\AppData\Local\Temp\egifg.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/1736-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1736-0-0x0000000000870000-0x00000000008F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\fewic.exe

MD5 9a125830878af97b5cce931a45c9f088
SHA1 9b49675372318d4a5a9da26ec0ad63f6e13848aa
SHA256 5236438db000c9b4db3f0ceb6691e69e8b9a4e278ba4626b5c92832129f60cb3
SHA512 7e18e44e980a966c32d4ae26f79ab144fc535e6acc56c16e2f3a2ded1e5de0d3a929ac5f674d4887eb9fa03b255f7cd5c066abeaaea15d2a2650b04a689dbfe2

memory/2440-19-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2440-18-0x0000000000BB0000-0x0000000000C31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 27eb9daf208f7037672259c5ffa7e22d
SHA1 eaba537b6e850060417eed1f43334537f1c72f8d
SHA256 2f1e893d21676fba07a8daf902c4f48b3b838258c21bfa5da1f3aeb4150c42d6
SHA512 3ff71c7d47648141909027c8902d13e06aa8bdc816846b65b099aa449b793fa6ee892c8449ddcf1ed229b535d579df3d1ead4f20cb2ddbec5b580c7f3c2904e5

memory/1736-9-0x00000000022B0000-0x0000000002331000-memory.dmp

memory/1736-21-0x0000000000870000-0x00000000008F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 8121471e5155c91a47c8a31c473a681b
SHA1 c9b228a842da74d072167b5a3a0f8762dbd01674
SHA256 b5a87849aba6673ea8e9cc74fcbb24b84b2c8c641313f8e3fcd1e1bdd4eb76ef
SHA512 da76a4c0c036883e33c6a81537f452c0b8a2ae2d3efdfd58fe40ebae9dd1c820c28d4b7f8d83ce0e01af3d4c088cb75715f688b6e423922412160ad0b05e9ed0

memory/2440-24-0x0000000000BB0000-0x0000000000C31000-memory.dmp

memory/2440-38-0x0000000002CA0000-0x0000000002D39000-memory.dmp

memory/484-42-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/484-45-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/2440-41-0x0000000000BB0000-0x0000000000C31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\egifg.exe

MD5 c1c7e990b3b4524717b4d9050bc3d71f
SHA1 455fb76ba51c477484b6bf7cc87f480fb4f0c151
SHA256 e494e81a831f6578b8ee1ad48477ac6a6e907d63bf8bb3e5dbd64afc88524543
SHA512 b666ab145eb8d43060f8d35b0565dd816f419922fafd72a6de18edcb6d81968c48ccae627fe347e5dc3359fecd89a576552099e8b4eec44470625e1de9cb2ae0

memory/484-47-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/484-48-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/484-49-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/484-50-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/484-51-0x0000000000DE0000-0x0000000000E79000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 02:58

Reported

2024-10-09 03:00

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zaaxx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zaaxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\liqoi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\liqoi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zaaxx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\liqoi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe C:\Users\Admin\AppData\Local\Temp\zaaxx.exe
PID 1200 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe C:\Windows\SysWOW64\cmd.exe
PID 2192 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\zaaxx.exe C:\Users\Admin\AppData\Local\Temp\liqoi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe

"C:\Users\Admin\AppData\Local\Temp\c1cf040556cee9769a8c2707907ad50168cb1d5c21679871ac305829f748fbfb.exe"

C:\Users\Admin\AppData\Local\Temp\zaaxx.exe

"C:\Users\Admin\AppData\Local\Temp\zaaxx.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\liqoi.exe

"C:\Users\Admin\AppData\Local\Temp\liqoi.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 udp

Files

memory/1200-0-0x0000000000B70000-0x0000000000BF1000-memory.dmp

memory/1200-1-0x0000000000540000-0x0000000000541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zaaxx.exe

MD5 0588ee2fb017b85781a42149fda76de1
SHA1 5e117a7120d54bab6faaf4da827af7f063af5547
SHA256 40cc416209bdefb3a307b8c692f9a781a3fdc69c5d5b3198c7aac71dbf3f1266
SHA512 d5874da25dd3a365072425f0e08c8a6c2bc0ba97fba51f0224d3c135c7739fafaeb0bcc7cd77a2f576ac7f1fbdd6263a7de889a41da62061596c82bcc4203c4d

memory/2192-14-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2192-11-0x0000000000010000-0x0000000000091000-memory.dmp

memory/1200-17-0x0000000000B70000-0x0000000000BF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 27eb9daf208f7037672259c5ffa7e22d
SHA1 eaba537b6e850060417eed1f43334537f1c72f8d
SHA256 2f1e893d21676fba07a8daf902c4f48b3b838258c21bfa5da1f3aeb4150c42d6
SHA512 3ff71c7d47648141909027c8902d13e06aa8bdc816846b65b099aa449b793fa6ee892c8449ddcf1ed229b535d579df3d1ead4f20cb2ddbec5b580c7f3c2904e5

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 e627945028010a37c2cc5e84233dc9ed
SHA1 f43d26ae0f05dbc730f20423898cc739fd91291c
SHA256 8ec2c080b957a664edc69e76693b6592037cd816ed9d21920732a294d40367d3
SHA512 de0ec270eb65045301c4daa7a1d840758eb98082fb82da94b0c57a46aca003fcfc374fcac459c07845c20c17eee77b50beb02fbd80a371ef0eedcce2c355a709

memory/2192-21-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2192-20-0x0000000000010000-0x0000000000091000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\liqoi.exe

MD5 85783ef41b0f2f3db0b3c839cf76ddce
SHA1 9fa956acb86c2798b7bd881f62f6f73649763f5b
SHA256 6be166de5a89ddf312cdab5aa17e6a90bc1342410d128a91049eff3f07b56b06
SHA512 c66f18b83a99d8e48ca3e5988b0646589358b97ce4784fc09e87c3a517adea9aca0914564a76989132950d294f2c1beb7e94c405a566c3c2fff049c9165a5022

memory/4484-37-0x0000000000890000-0x0000000000929000-memory.dmp

memory/2192-40-0x0000000000010000-0x0000000000091000-memory.dmp

memory/4484-44-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/4484-41-0x0000000000890000-0x0000000000929000-memory.dmp

memory/4484-46-0x0000000000890000-0x0000000000929000-memory.dmp

memory/4484-47-0x0000000000890000-0x0000000000929000-memory.dmp

memory/4484-48-0x0000000000890000-0x0000000000929000-memory.dmp

memory/4484-49-0x0000000000890000-0x0000000000929000-memory.dmp

memory/4484-50-0x0000000000890000-0x0000000000929000-memory.dmp