Malware Analysis Report

2024-11-16 13:24

Sample ID 241009-y7gydstbql
Target aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN
SHA256 aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3d
Tags: urelas, discovery, trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3d

Threat Level: Known bad

The file aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 20:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 20:25

Reported

2024-10-09 20:28

Platform

win7-20240729-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quvig.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bygul.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\quvig.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bygul.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bygul.exe | N/A   (this row is listed 54 times in the sandbox output)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2592 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | C:\Users\Admin\AppData\Local\Temp\quvig.exe   (4 identical rows)
PID 2592 wrote to memory of 1908 | N/A | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | C:\Windows\SysWOW64\cmd.exe   (4 identical rows)
PID 2448 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\quvig.exe | C:\Users\Admin\AppData\Local\Temp\bygul.exe   (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe

"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"

C:\Users\Admin\AppData\Local\Temp\quvig.exe

"C:\Users\Admin\AppData\Local\Temp\quvig.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\bygul.exe

"C:\Users\Admin\AppData\Local\Temp\bygul.exe"
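The twelve WriteProcessMemory rows in this run reduce to three distinct parent/child edges, which together with the command lines above give the launch chain: the sample starts quvig.exe and a cmd.exe that runs the dropped _uinsey.bat, and quvig.exe starts bygul.exe. The following Python is an added example, not part of the sandbox report: it parses rows in the table's own layout, collapses the duplicates and prints the chain with the per-edge write counts. The rows are rebuilt from the table; the parsing and tree code are ours. One caveat is built into the comments: a parent routinely writes into a child it has just created, so rows like these appear for ordinary process launches too and on their own do not establish injection.

```python
"""Rebuild the behavioral1 launch chain from the 'Suspicious use of
WriteProcessMemory' rows and collapse the repeated events.

Added example for this report, not sandbox code. The rows are copied from the
behavioral1 table and repeated as often as the table lists them.
"""
import re
from collections import Counter, defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"
QUVIG = TEMP + r"\quvig.exe"
BYGUL = TEMP + r"\bygul.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed from the report: each distinct row appears four times there.
ROWS = (
    [f"PID 2592 wrote to memory of 2448 N/A {SAMPLE} {QUVIG}"] * 4
    + [f"PID 2592 wrote to memory of 1908 N/A {SAMPLE} {CMD}"] * 4
    + [f"PID 2448 wrote to memory of 2920 N/A {QUVIG} {BYGUL}"] * 4
)

# Table columns: Description | Indicator (always N/A here) | Process | Target.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def count_writes(rows):
    """Collapse identical rows into (src_pid, dst_pid, src_img, dst_img) -> count."""
    counts = Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if m is None:
            raise ValueError(f"row does not match the table layout: {row!r}")
        counts[(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])] += 1
    return counts


def build_tree(counts):
    """Treat every writer -> written-to pair as a parent -> child edge.

    A parent routinely writes into a child it has just created, so sandboxes
    record rows like these for ordinary process launches as well. The edges
    therefore give the launch chain; by themselves they do not prove injection.
    """
    children = defaultdict(list)
    image = {}
    for (src, dst, src_img, dst_img), n in counts.items():
        image[src], image[dst] = src_img, dst_img
        children[src].append((dst, dst_img, n))
    written_to = {dst for _, dst, _, _ in counts}
    roots = sorted(p for p in children if p not in written_to)
    return children, image, roots


def render(children, image, pid, depth=0, writes=None):
    """One line per process, indented by depth, with the write count on edges."""
    tag = f"  [{writes} write events]" if writes is not None else ""
    lines = [f"{'    ' * depth}{pid}  {image[pid]}{tag}"]
    for dst, _, n in sorted(children.get(pid, [])):
        lines.extend(render(children, image, dst, depth + 1, n))
    return lines


def analyze(rows=ROWS):
    """Collapse the rows and return the tree plus a printable rendering."""
    counts = count_writes(rows)
    children, image, roots = build_tree(counts)
    return {
        "total_rows": sum(counts.values()),
        "distinct_edges": len(counts),
        "roots": roots,
        "children": dict(children),
        "lines": [ln for r in roots for ln in render(children, image, r)],
    }


if __name__ == "__main__":
    print("\n".join(analyze()["lines"]))
```

Run stand-alone it prints four lines: PID 2592 (the sample) at the root, 1908 (cmd.exe) and 2448 (quvig.exe) beneath it, and 2920 (bygul.exe) beneath quvig.exe, each edge tagged with its four write events. The same parser works on the behavioral2 table once the PIDs and image names are swapped.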

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11300 | (none) | tcp
KR | 1.234.83.146:11170 | (none) | tcp
KR | 218.54.31.166:11300 | (none) | tcp
JP | 133.242.129.155:11300 | (none) | tcp

Files

memory/2592-0-0x00000000010A0000-0x0000000001121000-memory.dmp

memory/2592-1-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\quvig.exe

MD5 6ca2ef7a086076fb479c7a1c9f6e8553
SHA1 3ab0a53e1bbc3e13ffa459a38e575137da9435b7
SHA256 c22f3230a4f72a6db82d0b74fd837c6becac0aa76e978bca004d1900ec3dd9d3
SHA512 232e68e92ebe5c6c89ceaaf99fb95f6dd4bd18574bfcf2fd3efae7c876bcf534c0bb51d692c8c4bba09aace77f4a8ee49ff9b300441576e3c54519c38caa6aad

memory/2592-7-0x0000000002610000-0x0000000002691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 341c4ce3e924b56dc4c616265edeb003
SHA1 46645aa2a5a673b4fe27a30fdebc9c7bffedfcb7
SHA256 4b590f8945bf4998a047f53d9c1d8f9b8f31608498739d5892e08c89c4a679bb
SHA512 67d85c39b7507c974e790a35314038f47cdbc9fc664963fb717fe2d42aa4e586c5ef54cbcc56d777df32684793197dd177741c886a0ca12ed12c5cecd5a02ab7

memory/2448-12-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2448-11-0x0000000000850000-0x00000000008D1000-memory.dmp

memory/2592-21-0x00000000010A0000-0x0000000001121000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 3c9f0d8030a16530bf4c75023c2db68c
SHA1 ee7069cf7a8fae0451c6bde0c2a2eab04ef4fcef
SHA256 a3a0f2ab02f67c4921a3fc15b6fa7a0dcb80e049f0871e45a32ab926faae6eac
SHA512 41606d8936c10d31bdf6450baeb25f9fd7dbaef6d9b7c12af9b89b4e0b57dbf3366299d999de07f7f4bbc5068a2defc94bf2567088829607da5c6acb743f076d

memory/2448-24-0x0000000000850000-0x00000000008D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\bygul.exe

MD5 97c97a129671e64bd7c673b487e61e9c
SHA1 e230ec8a78ac1348f8a84ff173f4b76bde278202
SHA256 ba44062571d6b7229954b0c0198f5940736e7d0dcd1bf4b451b4e6318044a89c
SHA512 717832ba1fff6de5ddf0a7e15fa78085833073a3b9f22d0db729aaa699362f425434a69e08ab83cfcbc67e97dbcca7d3ad65f2ba794b390d90ac3d318beeb250

memory/2448-39-0x00000000035E0000-0x0000000003679000-memory.dmp

memory/2920-45-0x0000000000CA0000-0x0000000000D39000-memory.dmp

memory/2920-42-0x0000000000CA0000-0x0000000000D39000-memory.dmp

memory/2448-40-0x0000000000850000-0x00000000008D1000-memory.dmp

memory/2920-47-0x0000000000CA0000-0x0000000000D39000-memory.dmp

memory/2920-48-0x0000000000CA0000-0x0000000000D39000-memory.dmp

memory/2920-49-0x0000000000CA0000-0x0000000000D39000-memory.dmp

memory/2920-50-0x0000000000CA0000-0x0000000000D39000-memory.dmp

memory/2920-51-0x0000000000CA0000-0x0000000000D39000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 20:25

Reported

2024-10-09 20:28

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\uzbeo.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzbeo.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rizel.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uzbeo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\rizel.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rizel.exe | N/A   (this row is listed 64 times in the sandbox output)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1528 wrote to memory of 2496 | N/A | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | C:\Users\Admin\AppData\Local\Temp\uzbeo.exe   (3 identical rows)
PID 1528 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe | C:\Windows\SysWOW64\cmd.exe   (3 identical rows)
PID 2496 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\uzbeo.exe | C:\Users\Admin\AppData\Local\Temp\rizel.exe   (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe

"C:\Users\Admin\AppData\Local\Temp\aa186eeca709ab4a3f4aba6501e216a1a7a68ed2a11667cc9c1602b2113eab3dN.exe"

C:\Users\Admin\AppData\Local\Temp\uzbeo.exe

"C:\Users\Admin\AppData\Local\Temp\uzbeo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\rizel.exe

"C:\Users\Admin\AppData\Local\Temp\rizel.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
KR | 218.54.31.226:11300 | (none) | tcp
KR | 1.234.83.146:11170 | (none) | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp
KR | 218.54.31.166:11300 | (none) | tcp
US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp
JP | 133.242.129.155:11300 | (none) | tcp
US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | (none) | udp

The 8.8.8.8:53 rows are reverse-DNS (PTR) queries for the in-addr.arpa names shown; none of the addresses they encode (read the octets backwards) is one of the four TCP destinations, which are the same four endpoints seen in behavioral1.

Files

memory/1528-0-0x00000000009A0000-0x0000000000A21000-memory.dmp

memory/1528-1-0x0000000000B80000-0x0000000000B81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uzbeo.exe

MD5 c3620731851398454662c61dfd033573
SHA1 f9b7abe75ea6e2513d2f63b8a3156c46a4619027
SHA256 2da9a0ac120de177d35eaa74610e52c44feb974039e39e292d5af5ff64486b7d
SHA512 4385144c1e675d963b273a26e423c2edcd1d901ee4062ada2bb82047506572fdfa06f028174cdaca6c40c5afff710208459f588bfc81552dca205731831b1a3d

memory/2496-11-0x0000000000910000-0x0000000000991000-memory.dmp

memory/2496-13-0x0000000000760000-0x0000000000761000-memory.dmp

memory/1528-17-0x00000000009A0000-0x0000000000A21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 341c4ce3e924b56dc4c616265edeb003
SHA1 46645aa2a5a673b4fe27a30fdebc9c7bffedfcb7
SHA256 4b590f8945bf4998a047f53d9c1d8f9b8f31608498739d5892e08c89c4a679bb
SHA512 67d85c39b7507c974e790a35314038f47cdbc9fc664963fb717fe2d42aa4e586c5ef54cbcc56d777df32684793197dd177741c886a0ca12ed12c5cecd5a02ab7

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 aa22c580155a5836fc07569d77663998
SHA1 0256df47b0745e79584457d871a16e9c8188accf
SHA256 4a0cd29b0eb4303464e77b39051207450e45a36611b1bc0eefa3fa985e031e9c
SHA512 4b748b3b804c23d069b733bce84229a5a2eb7827b257707a6651320a9e075208f2583f192da0756307b70fa9ed3ec46fed0222e2f6052e42a7e720db7b49a6f3

memory/2496-20-0x0000000000910000-0x0000000000991000-memory.dmp

memory/2496-21-0x0000000000760000-0x0000000000761000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rizel.exe

MD5 9b83edb28658a4e694afe50ff7a2507c
SHA1 d14818f0300ee782a72f5d5fd8d9103886877223
SHA256 9f256fc9a9d3fa9230efa5d68c3f1ef0b3acddb77003de3091068e963a3e8e5c
SHA512 7d7e28e67c12316530d8e0d79020c220474a2ed0e3e835d1982f9b40d99a6340eb246d2e6bd634ba21b4c6421867f47e11526b173145660ef0cf78e4191fcf7c

memory/1344-39-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

memory/1344-38-0x0000000000C90000-0x0000000000D29000-memory.dmp

memory/2496-41-0x0000000000910000-0x0000000000991000-memory.dmp

memory/1344-42-0x0000000000C90000-0x0000000000D29000-memory.dmp

memory/1344-46-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

memory/1344-47-0x0000000000C90000-0x0000000000D29000-memory.dmp

memory/1344-48-0x0000000000C90000-0x0000000000D29000-memory.dmp

memory/1344-49-0x0000000000C90000-0x0000000000D29000-memory.dmp

memory/1344-50-0x0000000000C90000-0x0000000000D29000-memory.dmp

memory/1344-51-0x0000000000C90000-0x0000000000D29000-memory.dmp
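The two detonations agree on the network side and differ on disk: the same four TCP endpoints appear in both runs, while the dropped executables carry different names (quvig.exe and bygul.exe on Windows 7, uzbeo.exe and rizel.exe on Windows 10) and different hashes, golfinfo.ini keeps its name but changes content, and only _uinsey.bat is byte-identical across runs. The Python below is an added example, not sandbox output, that consolidates the report into indicators a practitioner can act on: it separates the reverse-DNS rows of the behavioral2 table from the sample's TCP connections, checks whether any reverse-looked-up address overlaps a TCP destination, and classifies the dropped files by how stable they are across runs. Network rows and SHA256 values are copied from the tables above; the classification logic is ours.

```python
"""Consolidate indicators across behavioral1 (Windows 7) and behavioral2
(Windows 10). Added example for this report, not sandbox output; rows and
SHA256 values are copied from the tables above, the logic is ours.
"""
import ipaddress
import ntpath

# (Country, Destination, Domain, Proto) exactly as tabulated; empty Domain -> None.
NET_B1 = [
    ("KR", "218.54.31.226:11300", None, "tcp"),
    ("KR", "1.234.83.146:11170", None, "tcp"),
    ("KR", "218.54.31.166:11300", None, "tcp"),
    ("JP", "133.242.129.155:11300", None, "tcp"),
]
NET_B2 = [
    ("US", "8.8.8.8:53", "73.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "57.169.31.20.in-addr.arpa", "udp"),
    ("KR", "218.54.31.226:11300", None, "tcp"),
    ("KR", "1.234.83.146:11170", None, "tcp"),
    ("US", "8.8.8.8:53", "197.87.175.4.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "68.209.201.84.in-addr.arpa", "udp"),
    ("KR", "218.54.31.166:11300", None, "tcp"),
    ("US", "8.8.8.8:53", "69.209.201.84.in-addr.arpa", "udp"),
    ("JP", "133.242.129.155:11300", None, "tcp"),
    ("US", "8.8.8.8:53", "134.190.18.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", None, "udp"),
]

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
# Dropped file -> SHA256, taken from the two Files sections.
FILES_B1 = {
    TEMP + r"\quvig.exe": "c22f3230a4f72a6db82d0b74fd837c6becac0aa76e978bca004d1900ec3dd9d3",
    TEMP + r"\_uinsey.bat": "4b590f8945bf4998a047f53d9c1d8f9b8f31608498739d5892e08c89c4a679bb",
    TEMP + r"\golfinfo.ini": "a3a0f2ab02f67c4921a3fc15b6fa7a0dcb80e049f0871e45a32ab926faae6eac",
    TEMP + r"\bygul.exe": "ba44062571d6b7229954b0c0198f5940736e7d0dcd1bf4b451b4e6318044a89c",
}
FILES_B2 = {
    TEMP + r"\uzbeo.exe": "2da9a0ac120de177d35eaa74610e52c44feb974039e39e292d5af5ff64486b7d",
    TEMP + r"\_uinsey.bat": "4b590f8945bf4998a047f53d9c1d8f9b8f31608498739d5892e08c89c4a679bb",
    TEMP + r"\golfinfo.ini": "4a0cd29b0eb4303464e77b39051207450e45a36611b1bc0eefa3fa985e031e9c",
    TEMP + r"\rizel.exe": "9f256fc9a9d3fa9230efa5d68c3f1ef0b3acddb77003de3091068e963a3e8e5c",
}


def ptr_name_to_ip(name):
    """'73.31.126.40.in-addr.arpa' -> '40.126.31.73'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def split_network(rows):
    """Return (TCP endpoints, IPs that were reverse-looked-up, rows left over)."""
    tcp, ptr_ips, leftover = set(), set(), []
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        ip = ptr_name_to_ip(domain) if domain else None
        if proto == "tcp":
            tcp.add((host, int(port)))
        elif proto == "udp" and port == "53" and ip:
            ptr_ips.add(ip)
        else:
            leftover.append((dest, domain))  # e.g. the DNS row with no name
    return tcp, ptr_ips, leftover


def classify_files(run_a, run_b):
    """Group dropped files by base name: 'stable' = same name and hash in both
    runs, 'name_only' = same name but different content, 'run_specific' = seen
    in one run only (name randomised per infection)."""
    a = {ntpath.basename(p): h for p, h in run_a.items()}
    b = {ntpath.basename(p): h for p, h in run_b.items()}
    both = a.keys() & b.keys()
    stable = {n for n in both if a[n] == b[n]}
    return {"stable": stable, "name_only": both - stable,
            "run_specific": set(a.keys() ^ b.keys())}


def consolidate():
    """Merge both runs into one indicator summary."""
    tcp1, ptr1, left1 = split_network(NET_B1)
    tcp2, ptr2, left2 = split_network(NET_B2)
    c2 = tcp1 | tcp2
    by_ip = lambda e: (ipaddress.IPv4Address(e[0]), e[1])
    return {
        "c2_endpoints": sorted(c2, key=by_ip),
        "c2_same_in_both_runs": tcp1 == tcp2,
        "c2_ports": {port for _, port in c2},
        "ptr_lookups": sorted(ptr1 | ptr2, key=ipaddress.IPv4Address),
        "ptr_overlaps_c2": (ptr1 | ptr2) & {host for host, _ in c2},
        "leftover_rows": left1 + left2,
        "files": classify_files(FILES_B1, FILES_B2),
    }


if __name__ == "__main__":
    for key, value in consolidate().items():
        print(f"{key}: {value}")
```

The result is four C2 endpoints on ports 11300 and 11170, identical in both runs; seven reverse-looked-up addresses, none of which is a C2 address; one DNS row with no name that the parser sets aside rather than guessing at; and a file classification in which only _uinsey.bat is a usable hash indicator, golfinfo.ini is a name-only indicator, and the four executables are per-run artefacts whose hashes should not be relied on for detection.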