Malware Analysis Report

2024-11-16 13:25

Sample ID 241011-cbemhavbmj
Target 32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118
SHA256 5c933f953f22be853de3a792afed1fc65eaa3ce8dba347c442a21a52e9a29135
Tags
urelas discovery trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

5c933f953f22be853de3a792afed1fc65eaa3ce8dba347c442a21a52e9a29135

Threat Level: Known bad

The file 32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas

Loads dropped DLL

Deletes itself

Checks computer location settings

Executes dropped EXE

UPX packed file

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 01:53

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 01:53

Reported

2024-10-11 01:56

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\puibe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\puibe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dytuz.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\puibe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dytuz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dytuz.exe N/A (this identical row is reported 64 times)

Processes

C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\puibe.exe

"C:\Users\Admin\AppData\Local\Temp\puibe.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\dytuz.exe

"C:\Users\Admin\AppData\Local\Temp\dytuz.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4260-0-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\puibe.exe

MD5 ad59d3d9e5d97b15a5d22ac1e9e24d72
SHA1 42ddb1968bcf10bbfb0876b29cc28e8dd0c75b3d
SHA256 3a5b5b0705448337714042bef57283eb7c7e7b5995e5b6b29e29a8c1dfdeb2f2
SHA512 fc3f5cb4a5c9e2294a91815768ad66b6ea4af8987f22845bdc0e32ec39477876c7a264306043ffd75d3b8a851266cd15116a0440b41aabee1eaee608478d36c7

memory/4260-14-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 aacb2d05b6a63b73425c0a456d6c9515
SHA1 9d4dff3004bea0f6b21e63015fed3fbaa9c08019
SHA256 a228b5de5dd08f682c60fb8ab5236e438f83439dca904848a792b0f601eea1c4
SHA512 6a72f9e733e4e41d0fa37b9defdbf3d2750d673a19753c7115b086e1526c2b4d5411247214ab0140f252840f73830dd526a6ae13252db1787eb769f0deee6d3d

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 50109fca6b027fd21239e9880f1d4b38
SHA1 172b185589ece57be600700494a73e303c6b0977
SHA256 20778732fe648695c953597c326edbb90b1b11a36130ab66c1ccdbaca460cad5
SHA512 1c0488d24c90ae75b23b552488534075aed92ca0e74e37a9513e85592da89d6dfb0a2b6401a4c1a737f94a2d17125f952c9ceca7f5126ceddd5bd30304a34d63

memory/3484-17-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dytuz.exe

MD5 55e8d8e1c8d128db6fa7cf3bec1d8117
SHA1 8828432aa2187472a5b6872cc17f84f289b19896
SHA256 d2318c934445f63f8f5282b6bde86fec236486dd9632427dda6f2f38b5660ffc
SHA512 e951a86d98c6b4a3c2ad72bdc7c1f976ed5913caa1b2541802bfe5cce08a1697c20cf00b0a59a15f9a0e6acfea4ad5ee3a12261f372b8bf805218418cec6241d

memory/3484-37-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3644-35-0x0000000000D90000-0x0000000000D91000-memory.dmp

memory/3644-34-0x0000000000E80000-0x0000000000F36000-memory.dmp

memory/3644-39-0x0000000000E80000-0x0000000000F36000-memory.dmp

memory/3644-40-0x0000000000E80000-0x0000000000F36000-memory.dmp

memory/3644-41-0x0000000000E80000-0x0000000000F36000-memory.dmp

memory/3644-42-0x0000000000E80000-0x0000000000F36000-memory.dmp

memory/3644-43-0x0000000000E80000-0x0000000000F36000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 01:53

Reported

2024-10-11 01:56

Platform

win7-20241010-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zepyh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jyneg.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zepyh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jyneg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jyneg.exe N/A (this identical row is reported 54 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\zepyh.exe (this identical row is reported 4 times)
PID 1488 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe (this identical row is reported 4 times)
PID 2544 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\zepyh.exe C:\Users\Admin\AppData\Local\Temp\jyneg.exe (this identical row is reported 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\32ca1b7aa8ce30caf896b5517a40c912_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\zepyh.exe

"C:\Users\Admin\AppData\Local\Temp\zepyh.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\jyneg.exe

"C:\Users\Admin\AppData\Local\Temp\jyneg.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/1488-0-0x0000000000400000-0x0000000000489000-memory.dmp

\Users\Admin\AppData\Local\Temp\zepyh.exe

MD5 0f6ee442c9c6353e3bb8850b41a8d79b
SHA1 7d583933b7388762b6b824d22f3a9e8c37f5fadc
SHA256 5513affdde0b56b6563350538d29107c303a389383f3fe44b64be670193c2440
SHA512 513efffb708e0ace60220e2d0645da2f00651b77af0396bcc571d500b4611cfbd5cdf50020d2aedd3660b6e85c6a9498632de00dfed4e54564d6d84e9491e301

memory/2544-16-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 aacb2d05b6a63b73425c0a456d6c9515
SHA1 9d4dff3004bea0f6b21e63015fed3fbaa9c08019
SHA256 a228b5de5dd08f682c60fb8ab5236e438f83439dca904848a792b0f601eea1c4
SHA512 6a72f9e733e4e41d0fa37b9defdbf3d2750d673a19753c7115b086e1526c2b4d5411247214ab0140f252840f73830dd526a6ae13252db1787eb769f0deee6d3d

memory/1488-8-0x0000000002650000-0x00000000026D9000-memory.dmp

memory/1488-19-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 31f11933d98d74a23de7aea4824de3dc
SHA1 c14c3cd34f9c62fda007048211ab1f5c1cfae4af
SHA256 fa0ad499f5d403a69539b933f4d9962b6d5206deb3c4c723fd29a22bebbca81a
SHA512 d5ef6cc65f2a871b24ac4ec53fc31f97a9bebb8afd84517030fb153ee5435075796f26ff57074124b6e3a989101f82a673f3201d39e866292760f6a8f094b96e

memory/2544-23-0x0000000000400000-0x0000000000489000-memory.dmp

memory/3060-41-0x0000000000130000-0x00000000001E6000-memory.dmp

memory/2544-40-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jyneg.exe

MD5 4482cd3e1a432cb0380c1343c6e86207
SHA1 7d2cf5e76015a48b3c63aa8b23b3bc03209e81a8
SHA256 aefa7bbdb88461fa9dcd7180661b4a704aa090103667517d2714ca9a22fdfca1
SHA512 b2a189ba59a33ad7a997dc6d0537578204163da1a9f98db9834631bf2a5d0b0e7d55e66f6085f1a4766bf337dc9d3a48404821a588f869e165d16e2ab123374c

memory/2544-38-0x0000000003C60000-0x0000000003D16000-memory.dmp

memory/3060-43-0x0000000000130000-0x00000000001E6000-memory.dmp

memory/3060-44-0x0000000000130000-0x00000000001E6000-memory.dmp

memory/3060-45-0x0000000000130000-0x00000000001E6000-memory.dmp

memory/3060-46-0x0000000000130000-0x00000000001E6000-memory.dmp

memory/3060-47-0x0000000000130000-0x00000000001E6000-memory.dmp