Malware Analysis Report

2024-11-16 13:26

Sample ID 241010-x6m8casekg
Target 7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N
SHA256 7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1

Threat Level: Known bad

The file 7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 19:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 19:28

Reported

2024-10-10 19:30

Platform

win7-20241010-en

Max time kernel

150s

Max time network

82s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\odfeg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qityx.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\odfeg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\qityx.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qityx.exe N/A (54 identical rows reported)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe C:\Users\Admin\AppData\Local\Temp\odfeg.exe (4 identical rows reported)
PID 1680 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows reported)
PID 2932 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\odfeg.exe C:\Users\Admin\AppData\Local\Temp\qityx.exe (4 identical rows reported)

Processes

C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe

"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"

C:\Users\Admin\AppData\Local\Temp\odfeg.exe

"C:\Users\Admin\AppData\Local\Temp\odfeg.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\qityx.exe

"C:\Users\Admin\AppData\Local\Temp\qityx.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/1680-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1680-0-0x0000000000070000-0x00000000000F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\odfeg.exe

MD5 976071c8de928e8fb2d85ee2da8c7bf2
SHA1 787c57b2b2827bbc1ed1e38a911683c7bad5f945
SHA256 8e14d4f03097763b08bf8130d799367b502cac362d50cd592dbf4f36955f6397
SHA512 5147f904a1d62ce17b828b9d5d5906af9d469ac4511f8ce1972b8ad878ba12fd10271f00ce71c836ff44de246cb7a9e17277f8a8c9c1fa174a7bbe16bcc06ed5

memory/2932-19-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 27218cda5675ca52eb82d36f8f60a7df
SHA1 8f22e3c007d9d7b444b6ccb39cb0f15822693609
SHA256 b48effa75c2c365bd1440a63de608c75e0f4cf3640f7d543b4bbf99f3e32560d
SHA512 803e0cba1e7a0452cac368872c70424def2002fa22caae7281223680c963de71a3d03f208742abe29490537621060afac9cac3f1f3aeed57db5a89f748507930

memory/1680-9-0x00000000024D0000-0x0000000002551000-memory.dmp

memory/2932-18-0x0000000000AA0000-0x0000000000B21000-memory.dmp

memory/1680-21-0x0000000000070000-0x00000000000F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a210530789de19bdd5da750bc3aae8f3
SHA1 80333b1bc67a88ce599dc3f9aaf44c91ab369589
SHA256 bf79ee223d9a10fc754ec14df86fb3c8544c77c98a49960720642ff9428889ff
SHA512 0c1ec3ab91602d9f84e64b066d3559cf3718187d442cfd0271a7e4d470e20f8855e93fbd18a28d6242472ed419960a2e8a6792ec85b23ab520b0d6164443afca

memory/2932-24-0x0000000000AA0000-0x0000000000B21000-memory.dmp

\Users\Admin\AppData\Local\Temp\qityx.exe

MD5 6ec3892c7a5ccca1fbacfba469080410
SHA1 fdd3748cbfa4e3475cb38fad989194cd69de73be
SHA256 dc7b15947d7a079e527fb9ba31356d6ead3223b52a0bb69f410535efcf5a3202
SHA512 97d11564ab3fe3ce7bb707741515c76f93f17aa0a915a20768977467c00193a21b5f33c10ab0e9f3459c8e2c3f701947c9307e324ead5fdb9c0e4851f6cab950

memory/2932-38-0x0000000003370000-0x0000000003409000-memory.dmp

memory/3020-45-0x0000000000840000-0x00000000008D9000-memory.dmp

memory/3020-42-0x0000000000840000-0x00000000008D9000-memory.dmp

memory/2932-41-0x0000000000AA0000-0x0000000000B21000-memory.dmp

memory/3020-47-0x0000000000840000-0x00000000008D9000-memory.dmp

memory/3020-48-0x0000000000840000-0x00000000008D9000-memory.dmp

memory/3020-49-0x0000000000840000-0x00000000008D9000-memory.dmp

memory/3020-50-0x0000000000840000-0x00000000008D9000-memory.dmp

memory/3020-51-0x0000000000840000-0x00000000008D9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 19:28

Reported

2024-10-10 19:30

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yfobt.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\yfobt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuard.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yfobt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vuard.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vuard.exe N/A (64 identical rows reported)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4560 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe C:\Users\Admin\AppData\Local\Temp\yfobt.exe (3 identical rows reported)
PID 4560 wrote to memory of 4408 N/A C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows reported)
PID 2384 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\yfobt.exe C:\Users\Admin\AppData\Local\Temp\vuard.exe (3 identical rows reported)

Processes

C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe

"C:\Users\Admin\AppData\Local\Temp\7c3aeca84aa7ba30fe343100cd4ec938fe1a4c027ac5160d4c8cc70fd670b3c1N.exe"

C:\Users\Admin\AppData\Local\Temp\yfobt.exe

"C:\Users\Admin\AppData\Local\Temp\yfobt.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\vuard.exe

"C:\Users\Admin\AppData\Local\Temp\vuard.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 udp

Files

memory/4560-0-0x00000000002B0000-0x0000000000331000-memory.dmp

memory/4560-1-0x00000000009F0000-0x00000000009F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yfobt.exe

MD5 fc545c4bbdceb8b1fdf2c954c5ab0f33
SHA1 9f754f91f1e1f026f8a6f2f979119c8bfcd5d5aa
SHA256 12acbbf841633e22f0ab74aaa980ee1eba6c1fef8d8a8f106709be746fe3a3e5
SHA512 ad2bdb45e5bf1f9a448100967864779c5d0f122a6059cf8bbaa7f9095b189ecbd61afe12afdbbae50465f079795b45a4c194db9692ab34ee828a4ae7f4a5485e

memory/2384-13-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

memory/2384-11-0x0000000000720000-0x00000000007A1000-memory.dmp

memory/4560-17-0x00000000002B0000-0x0000000000331000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 27218cda5675ca52eb82d36f8f60a7df
SHA1 8f22e3c007d9d7b444b6ccb39cb0f15822693609
SHA256 b48effa75c2c365bd1440a63de608c75e0f4cf3640f7d543b4bbf99f3e32560d
SHA512 803e0cba1e7a0452cac368872c70424def2002fa22caae7281223680c963de71a3d03f208742abe29490537621060afac9cac3f1f3aeed57db5a89f748507930

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 83a5a6f165c504b15dda73edf2f0526d
SHA1 6d624c018ff4787c8bf28f334527cd34eea023e6
SHA256 b514bad960d5b6401a849f5eac43169b533847eff59a6881253bd42674ca8d99
SHA512 c7dbb5d2c72d374e2d4372eae07e2d28565cf948093781f9f59bef0fb43a87cf982d9e9c77c66d8a3cb63c9d98b4d31001818e5f8d640beb3ce1a1be488ee72b

memory/2384-21-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

memory/2384-20-0x0000000000720000-0x00000000007A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vuard.exe

MD5 420dad9b7fc869d68fbcf186d7ed1254
SHA1 ca7aba952ed41c97bd292f5c2fd5a3d74fc75a9c
SHA256 59cd54d7d8936398111aa31ca2931d5e94781a5be407a3f8fc66913843f74e4e
SHA512 6fc027c54fc336d4a08c6b717dd77031275f3a5f008ea5992e06f184c973b7c67e852dde08d51db4d8efe8e20b30220450de4450f1eb7c32e5f9788189cc6a07

memory/4652-39-0x00000000009E0000-0x00000000009E2000-memory.dmp

memory/4652-37-0x0000000000F50000-0x0000000000FE9000-memory.dmp

memory/4652-40-0x0000000000F50000-0x0000000000FE9000-memory.dmp

memory/2384-44-0x0000000000720000-0x00000000007A1000-memory.dmp

memory/4652-47-0x00000000009E0000-0x00000000009E2000-memory.dmp

memory/4652-46-0x0000000000F50000-0x0000000000FE9000-memory.dmp

memory/4652-48-0x0000000000F50000-0x0000000000FE9000-memory.dmp

memory/4652-49-0x0000000000F50000-0x0000000000FE9000-memory.dmp

memory/4652-50-0x0000000000F50000-0x0000000000FE9000-memory.dmp

memory/4652-51-0x0000000000F50000-0x0000000000FE9000-memory.dmp