Malware Analysis Report

2024-11-16 13:24

Sample ID 241009-ylbjgssfjj
Target 30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136
SHA256 30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136
Tags
urelas discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136

Threat Level: Known bad

The file 30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-09 19:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 19:51

Reported

2024-10-09 19:54

Platform

win7-20240903-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zineu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\liros.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zineu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\liros.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\liros.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2792 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe C:\Users\Admin\AppData\Local\Temp\zineu.exe
PID 2792 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\zineu.exe C:\Users\Admin\AppData\Local\Temp\liros.exe

Processes

C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe

"C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe"

C:\Users\Admin\AppData\Local\Temp\zineu.exe

"C:\Users\Admin\AppData\Local\Temp\zineu.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\liros.exe

"C:\Users\Admin\AppData\Local\Temp\liros.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 N/A tcp
KR 1.234.83.146:11170 N/A tcp
KR 218.54.31.166:11300 N/A tcp
JP 133.242.129.155:11300 N/A tcp

Files

memory/2792-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2792-0-0x00000000011D0000-0x0000000001251000-memory.dmp

\Users\Admin\AppData\Local\Temp\zineu.exe

MD5 0330a615aee93bae11e7113787882490
SHA1 8a24df8bd6dca558756597ed095b194b6a3de1a9
SHA256 08d6382a674a7246387683ff54dde81e8164b2dd5b81861c1fc033ccdcd14104
SHA512 aa36551713e3af125a9d152e81976d2bfcab628a759bd98f04669ec5c79ac4d644dc0bcd1c721f8f1014f5f274c51b5f5c201907af1c77a553f48aa69349998d

memory/2792-7-0x0000000001050000-0x00000000010D1000-memory.dmp

memory/2816-19-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2816-18-0x0000000000A90000-0x0000000000B11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 9383283f479675881268cf6d444f593c
SHA1 0db979a0fca57a9680ab69c40c42a431a8e82e00
SHA256 731b0e5d4714239b1ba6ee58260f42e0f9e293c8e9e91148c9a3ad0a8a9f6ed6
SHA512 93a232308fb0eb027ff4cd1a08154f5b770fcb7840bfe513cc1f2412315ae0544a10537c8f2016973ab339390b59595e4bf329a387922a1953db07cf10f9fc5a

memory/2792-21-0x00000000011D0000-0x0000000001251000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 0bcc3671b4acd4517440ef4727e9868f
SHA1 0dcc0b16081c313be322ccf41f5a598323eab4dd
SHA256 58009903b471f11b33e328cf059b8b8499b01f0587b67bdd2f953ffcb75a079d
SHA512 cb7e1de4b384f7d17255aa274378393bf17a41fd979c4ff43a655f0ea979b641461c4f64ee951a2d3fc39f0ce89e382a954c9e58fe4b83f5f03e27fe238d7bb3

memory/2816-24-0x0000000000A90000-0x0000000000B11000-memory.dmp

\Users\Admin\AppData\Local\Temp\liros.exe

MD5 ea09dedc40d50861e948f6541a18c9a3
SHA1 b1df8c17ce3adf102f4635375a0a05b4643b60b4
SHA256 ac6d02b0cdd51399766f2d9eb0f96923b00f4089a48c1e120839ef28de13f68b
SHA512 0215f8869bcf2e7ec4ba32adf9bc3137b899d095a982c6969f3cd66d8dde5b7f6203394f5a5dc4784a2d2d529c2e1ca5e4eb919fbe4c5d52d2b728ceb45b2c47

memory/772-42-0x0000000001330000-0x00000000013C9000-memory.dmp

memory/2816-40-0x0000000003480000-0x0000000003519000-memory.dmp

memory/2816-39-0x0000000000A90000-0x0000000000B11000-memory.dmp

memory/772-43-0x0000000001330000-0x00000000013C9000-memory.dmp

memory/772-47-0x0000000001330000-0x00000000013C9000-memory.dmp

memory/772-48-0x0000000001330000-0x00000000013C9000-memory.dmp

memory/772-49-0x0000000001330000-0x00000000013C9000-memory.dmp

memory/772-50-0x0000000001330000-0x00000000013C9000-memory.dmp

memory/772-51-0x0000000001330000-0x00000000013C9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 19:51

Reported

2024-10-09 19:54

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\xotyk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xotyk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pikuj.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pikuj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xotyk.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pikuj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe C:\Users\Admin\AppData\Local\Temp\xotyk.exe
PID 4708 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\xotyk.exe C:\Users\Admin\AppData\Local\Temp\pikuj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe

"C:\Users\Admin\AppData\Local\Temp\30a5b31cfb87d7cae8f36e56ff696b44b4ff71dea47dd7bad2ca849a86c8c136.exe"

C:\Users\Admin\AppData\Local\Temp\xotyk.exe

"C:\Users\Admin\AppData\Local\Temp\xotyk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\pikuj.exe

"C:\Users\Admin\AppData\Local\Temp\pikuj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
KR 218.54.31.226:11300 N/A tcp
KR 1.234.83.146:11170 N/A tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
KR 218.54.31.166:11300 N/A tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
JP 133.242.129.155:11300 N/A tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 N/A udp

Files

memory/4708-0-0x0000000000F80000-0x0000000001001000-memory.dmp

memory/4708-1-0x0000000000690000-0x0000000000691000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\xotyk.exe

MD5 3d92d4653358cbb1a0d514adcd412d52
SHA1 19d99a15d3f5888dfd0e7fb0efb8b54331e3cc9f
SHA256 3bbb5dca15638cbd30336e4cfdd883c0736102708d620acc14d6406384e3dbd4
SHA512 bf1cd6879ab3fc01bc65bd3bb3763832d379fdb03a741e07e849524cdbef0814ef0c94b52cad750bc4b65c7ab34f07f05a170a380b09e8c8b3dddf5caf16b6da

memory/1472-14-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/1472-13-0x0000000000FA0000-0x0000000001021000-memory.dmp

memory/4708-16-0x0000000000F80000-0x0000000001001000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 9383283f479675881268cf6d444f593c
SHA1 0db979a0fca57a9680ab69c40c42a431a8e82e00
SHA256 731b0e5d4714239b1ba6ee58260f42e0f9e293c8e9e91148c9a3ad0a8a9f6ed6
SHA512 93a232308fb0eb027ff4cd1a08154f5b770fcb7840bfe513cc1f2412315ae0544a10537c8f2016973ab339390b59595e4bf329a387922a1953db07cf10f9fc5a

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 3523c2e56c4a6894f226d95ae9ab776d
SHA1 fbcb5cd2a487b6ad02cca94da9820b8574a8a104
SHA256 08ffea0a8c9dcd6003999c129449aee70dfb376d26a0787c87d58c492372addb
SHA512 e2e6e99067e218f642f61c2c1919f7e0d6f6d2f9ed27b9ea3489a1fc19eaaf9024e6441b0b85d54d465422aa2e90b01a71a271b990a5b7ed9c0e0d7532a348b5

memory/1472-19-0x0000000000FA0000-0x0000000001021000-memory.dmp

memory/1472-20-0x00000000005F0000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pikuj.exe

MD5 6765d073079a52d2e9f817b2f023aa7c
SHA1 f7d6753e5e1fe559bdfff7dad9c585d12bc7084f
SHA256 6308ee60385ab0cf55fda48b036943a97450c49e2e5769bb5a5c9b79e261343e
SHA512 6a2cf733a02c353bcb5f0acc8065925910572fb1cb9de430ec2701b04be63f06a69b148e29ce9882b03d035e0d7d4cb6750365fb57f3024b5a930acb38c02579

memory/2932-38-0x0000000000D50000-0x0000000000D52000-memory.dmp

memory/2932-37-0x0000000000BE0000-0x0000000000C79000-memory.dmp

memory/2932-39-0x0000000000BE0000-0x0000000000C79000-memory.dmp

memory/1472-43-0x0000000000FA0000-0x0000000001021000-memory.dmp

memory/2932-45-0x0000000000D50000-0x0000000000D52000-memory.dmp

memory/2932-46-0x0000000000BE0000-0x0000000000C79000-memory.dmp

memory/2932-47-0x0000000000BE0000-0x0000000000C79000-memory.dmp

memory/2932-48-0x0000000000BE0000-0x0000000000C79000-memory.dmp

memory/2932-49-0x0000000000BE0000-0x0000000000C79000-memory.dmp

memory/2932-50-0x0000000000BE0000-0x0000000000C79000-memory.dmp