Malware Analysis Report

2024-11-16 13:25

Sample ID 241010-zepyzavhnh
Target 24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N
SHA256 24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70

Threat Level: Known bad

The file 24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 20:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 20:38

Reported

2024-10-10 20:40

Platform

win7-20240708-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xigim.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fakuu.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xigim.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fakuu.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fakuu.exe N/A (54 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe C:\Users\Admin\AppData\Local\Temp\xigim.exe (4 identical events)
PID 2772 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe C:\Windows\SysWOW64\cmd.exe (4 identical events)
PID 2844 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\xigim.exe C:\Users\Admin\AppData\Local\Temp\fakuu.exe (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe

"C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe"

C:\Users\Admin\AppData\Local\Temp\xigim.exe

"C:\Users\Admin\AppData\Local\Temp\xigim.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\fakuu.exe

"C:\Users\Admin\AppData\Local\Temp\fakuu.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/2772-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2772-0-0x0000000001270000-0x00000000012F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\xigim.exe

MD5 c689ebdf41a1fffb6317c92bcb7d5c92
SHA1 c319baa46d33d69b5ca6ad78b78b7524efa90b19
SHA256 5d00410ff76ab539ef444dd61502b2933d25350a57a5290994f195e9c1560b09
SHA512 270a18ca53358ee8af5aab471fff347462a2670a7ac896e4d2d1c9996f019eabcd8d5888c084f0593cf379e0a44430482313f0564b3d734834b86b6b9c76e825

memory/2772-7-0x00000000010E0000-0x0000000001161000-memory.dmp

memory/2844-19-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2844-18-0x00000000003E0000-0x0000000000461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 a27a922692b7d4485229662ab39e7e74
SHA1 dfe150c52526d71e825f960b646b0bef0c93338d
SHA256 5a2a5afcaf74cf2788c9a60a1aa1fefe2e06f587f3648d1d3cc20e5220ceef21
SHA512 6e4cb42e3addb318af4d24743ed151e0dc2bcc01440247efdf460e9e080ae233e55b736ad8fc28d02b1078d5fb43a3d9c23a556c3aa5a8cea90fc62ad4c50637

memory/2772-21-0x0000000001270000-0x00000000012F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 9979a5edbadfafdb7b352218c116927e
SHA1 4f93f8c0683f1edb44d925a47289fe81b73c0cce
SHA256 67ea5268a8bb874579c42598cef332aa3c9527f93759d240f7e65949df63a4ac
SHA512 b8573602ff106d789ce12ca5ec51d78c27894fd958fe4d4b5121864ceb077e42668e589b0eaf3f84ccca7f927cd2fb7e1294892c6651d186f17040c50a92c2e2

memory/2844-24-0x00000000003E0000-0x0000000000461000-memory.dmp

\Users\Admin\AppData\Local\Temp\fakuu.exe

MD5 b964f4e35a7492af5c7c42ad5a71c41f
SHA1 55f5c40b6aeb65972b21370533706b4e7119d231
SHA256 8b195e850a580dbd8e20b8bfc9baf1c3cfe19575b296b5df05ad449d5198ef67
SHA512 b1d6a35214a46c1e915789eb352dfa686d4b83486082429d4b42d4f9d2ccf262489fb6123966cbc8d6b4c3f3a07e66f0f02309b613ca469a1ab3b9812f9d1b4e

memory/2844-39-0x00000000003E0000-0x0000000000461000-memory.dmp

memory/1740-45-0x00000000003D0000-0x0000000000469000-memory.dmp

memory/1740-42-0x00000000003D0000-0x0000000000469000-memory.dmp

memory/2844-40-0x0000000003320000-0x00000000033B9000-memory.dmp

memory/1740-47-0x00000000003D0000-0x0000000000469000-memory.dmp

memory/1740-48-0x00000000003D0000-0x0000000000469000-memory.dmp

memory/1740-49-0x00000000003D0000-0x0000000000469000-memory.dmp

memory/1740-50-0x00000000003D0000-0x0000000000469000-memory.dmp

memory/1740-51-0x00000000003D0000-0x0000000000469000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 20:38

Reported

2024-10-10 20:40

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cyfyx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cyfyx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\igobj.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\igobj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cyfyx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\igobj.exe N/A (64 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4420 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe C:\Users\Admin\AppData\Local\Temp\cyfyx.exe (3 identical events)
PID 4420 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe C:\Windows\SysWOW64\cmd.exe (3 identical events)
PID 2424 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\cyfyx.exe C:\Users\Admin\AppData\Local\Temp\igobj.exe (3 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe

"C:\Users\Admin\AppData\Local\Temp\24e1be5bea5132f67f3db944308f2b5b3106755882ff13d7e7da3b92c389dc70N.exe"

C:\Users\Admin\AppData\Local\Temp\cyfyx.exe

"C:\Users\Admin\AppData\Local\Temp\cyfyx.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\igobj.exe

"C:\Users\Admin\AppData\Local\Temp\igobj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 70.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/4420-0-0x00000000001F0000-0x0000000000271000-memory.dmp

memory/4420-1-0x00000000003D0000-0x00000000003D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cyfyx.exe

MD5 0cdfa64579de4d57343646d6d9fccce9
SHA1 9f18796cfb5fde912158adcbdbd296ed97bd5039
SHA256 7ba8e062a1b5f4b0647e5ce44d423c592e47d5edc6c70160d435bc2849a3146b
SHA512 6e8d23fc11eff28f72d86357cb9e93cefc425d8138c68d74be114004a13f0b1f1a431d82f8050747d9eb4aaca0f1aea727420622338849af06acde25aa6fe92b

memory/2424-14-0x0000000000D60000-0x0000000000D61000-memory.dmp

memory/2424-11-0x0000000000560000-0x00000000005E1000-memory.dmp

memory/4420-17-0x00000000001F0000-0x0000000000271000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 a27a922692b7d4485229662ab39e7e74
SHA1 dfe150c52526d71e825f960b646b0bef0c93338d
SHA256 5a2a5afcaf74cf2788c9a60a1aa1fefe2e06f587f3648d1d3cc20e5220ceef21
SHA512 6e4cb42e3addb318af4d24743ed151e0dc2bcc01440247efdf460e9e080ae233e55b736ad8fc28d02b1078d5fb43a3d9c23a556c3aa5a8cea90fc62ad4c50637

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 399a70637a7ea42a3b5a7f83247fccb8
SHA1 e820369397f6c79322c0999a46530ce710dbd2f6
SHA256 26eaeac30045ed1c2f6ec789c8b15948c06331757fb913b39a0e161d8c03a08a
SHA512 a43851948537ac5422b240fcc53967f58c593e7beddde99b4668b49630168e912b62fa521249f565a7f7f9a716740ce995fb90d10e6f133ec4f1c2dfd8b72979

memory/2424-20-0x0000000000560000-0x00000000005E1000-memory.dmp

memory/2424-21-0x0000000000D60000-0x0000000000D61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\igobj.exe

MD5 51cdb47157c7dabaf7394d5ef7e452c4
SHA1 f663ad84d9dee3534b1f62cfaef100369fbc982f
SHA256 41599b936ff263dc2e707638cb310b341f36db8cbffcd2810430f7445627964d
SHA512 61c3114ba9f1a3bd4009fd4e007fad2ba15d38de2a3de77fdc92c5baab3f1f6d4e0a44eae082616e084c75d3fc5bfb6fec10695660b96af56ba121faa032ef78

memory/436-39-0x0000000001000000-0x0000000001002000-memory.dmp

memory/2424-41-0x0000000000560000-0x00000000005E1000-memory.dmp

memory/436-38-0x00000000007F0000-0x0000000000889000-memory.dmp

memory/436-42-0x00000000007F0000-0x0000000000889000-memory.dmp

memory/436-47-0x0000000001000000-0x0000000001002000-memory.dmp

memory/436-46-0x00000000007F0000-0x0000000000889000-memory.dmp

memory/436-48-0x00000000007F0000-0x0000000000889000-memory.dmp

memory/436-49-0x00000000007F0000-0x0000000000889000-memory.dmp

memory/436-50-0x00000000007F0000-0x0000000000889000-memory.dmp

memory/436-51-0x00000000007F0000-0x0000000000889000-memory.dmp