Malware Analysis Report

2024-11-16 13:26

Sample ID 241011-wp64fs1anm
Target 02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad
SHA256 02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad
Tags
upx urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad

Threat Level: Known bad

The file 02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad was found to be: Known bad.

Malicious Activity Summary

upx urelas discovery trojan

Urelas family

Urelas

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

UPX packed file

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 18:06

Signatures

Urelas family

urelas

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
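
The two static signatures above, "UPX packed file" and "Unsigned PE", can be reproduced offline with a minimal PE header parser. The script below is an added example written for this page, not sandbox tooling or the report's own code. Its build_pe helper constructs a throwaway PE32 image so the check runs without the sample; pass a file path to inspect a real binary instead. Both checks are heuristics: a sample whose UPX0/UPX1 sections were renamed and whose "UPX!" magic was patched out still unpacks, and a non-empty certificate table only says a signature blob is attached, not that it verifies.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # Authenticode certificate table
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX!"}


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE header to report section names, a UPX
    indicator and whether an Authenticode certificate table is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories begin at optional header + 96
        dd_base = opt + 96
    elif magic == 0x20B:      # PE32+: data directories begin at optional header + 112
        dd_base = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # For the security directory the first field is a file offset, not an RVA.
    _cert_off, cert_size = struct.unpack_from(
        "<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sect_tbl = opt + size_opt
    names = []
    for i in range(num_sections):
        raw = data[sect_tbl + 40 * i: sect_tbl + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "sections": names,
        # UPX names its sections UPX0/UPX1 and stamps "UPX!" into its packed
        # header; a sample modified to hide both still unpacks, so a negative
        # here means "not obviously UPX", not "not packed".
        "upx": any(n in UPX_SECTION_NAMES for n in names) or b"UPX!" in data,
        # A non-empty certificate table only means a signature blob is attached;
        # validity still has to be checked with signtool or WinVerifyTrust.
        "signed": cert_size != 0,
    }


def build_pe(section_names, with_signature: bool) -> bytes:
    """Build a minimal PE32 image for offline testing (constructed input, not a real binary)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    size_opt = 0xE0                               # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)         # PE32 magic
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    if with_signature:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x200)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


def verdict(data: bytes) -> list:
    """Static-signature names, in this report's wording, that the image triggers."""
    info = inspect_pe(data)
    hits = []
    if info["upx"]:
        hits.append("UPX packed file")
    if not info["signed"]:
        hits.append("Unsigned PE")
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(verdict(f.read()))
    else:
        print(verdict(build_pe(["UPX0", "UPX1", ".rsrc"], with_signature=False)))
```

Run it with no arguments to evaluate the constructed image, or with a path to evaluate a real binary; only the two report signatures are emulated here.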

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 18:06

Reported

2024-10-11 18:09

Platform

win7-20240903-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ynbye.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xeeqr.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ynbye.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xeeqr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xeeqr.exe N/A (54 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 632 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe C:\Users\Admin\AppData\Local\Temp\ynbye.exe (4 identical rows)
PID 632 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 3052 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\ynbye.exe C:\Users\Admin\AppData\Local\Temp\xeeqr.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe

"C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe"

C:\Users\Admin\AppData\Local\Temp\ynbye.exe

"C:\Users\Admin\AppData\Local\Temp\ynbye.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\xeeqr.exe

"C:\Users\Admin\AppData\Local\Temp\xeeqr.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11120 - tcp
KR 1.234.83.146:11170 - tcp
KR 218.54.30.235:11120 - tcp
JP 133.242.129.155:11120 - tcp

Files

memory/632-0-0x0000000000400000-0x0000000000487000-memory.dmp

\Users\Admin\AppData\Local\Temp\ynbye.exe

MD5 bf46aa5b0916ffa5c1b72ddbb0f71e9d
SHA1 ec8f17fdc50d6c99cf390320f12eef3b231f4441
SHA256 aa4c2ae19b7f0014ebb9c6aa6dfbef35819f441555ab4e718b9fcfda82ed0e12
SHA512 ff0ebc6cb85464d97ebfb6c21bffbbc6a72f6a5dd47b4aa141356c8d77928775fd47dbc35e8cb28d863e8ad603579c191ee45eb3823c82039c984a821c7e51ef

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 db91543df3787d6c7b4d9f0276b31cd6
SHA1 940181f04b7fb1808a341d7e9395f6065ac57e04
SHA256 ed4d8091d155fde31e61d50042b46c5b4fb5fafddc31edd6ecbad658fa28beda
SHA512 cd64c2459272494e18295dc339851d90313aabd1abc401a4755326d4df069591b2ba58371ad62bc8fd78411c958248a4cb0f402ad88789400eb43f69802703b2

memory/3052-10-0x0000000000400000-0x0000000000487000-memory.dmp

memory/632-17-0x0000000000400000-0x0000000000487000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 dae1d6ac9e9b897b024920b746438678
SHA1 2fb72e722fc2361f62fa2ac6b854e13bfda37faa
SHA256 23662301c4ea37b3f089a5b0211302c127fb81dcebf93591348e9577d7268d62
SHA512 e0a0501f8b7d1f895326e14c082ad9eddcfa23a1ccdf2315e269b36693a4265972ee0e6d962100b9cbd820719149ce389ef7502747395d88d2f4b01bb7208638

memory/3052-20-0x0000000000400000-0x0000000000487000-memory.dmp

\Users\Admin\AppData\Local\Temp\xeeqr.exe

MD5 5ffb0a95fa8da6b82a079be5894f2aee
SHA1 021494f3101f72c23d6e7fe3b1d8ffe1184f1602
SHA256 1e91748ad6936e3ec49913723eaef4028bb55a017e278663ba0f2fb3609fc9bc
SHA512 a01d19ad282afc701b459481bc3fcfe0da02354ff7910d90e0c79fd3bc89079c944c8a9ab30fdf04a55f72ea408949c19d313ccc90d20f1dff6d50e832d7d2b0

memory/2268-29-0x0000000000950000-0x0000000000A03000-memory.dmp

memory/3052-28-0x00000000028F0000-0x00000000029A3000-memory.dmp

memory/3052-26-0x0000000000400000-0x0000000000487000-memory.dmp

memory/2268-31-0x0000000000950000-0x0000000000A03000-memory.dmp

memory/2268-32-0x0000000000950000-0x0000000000A03000-memory.dmp

memory/2268-33-0x0000000000950000-0x0000000000A03000-memory.dmp

memory/2268-34-0x0000000000950000-0x0000000000A03000-memory.dmp

memory/2268-35-0x0000000000950000-0x0000000000A03000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 18:06

Reported

2024-10-11 18:09

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yqber.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\yqber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nypua.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yqber.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nypua.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nypua.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1144 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe C:\Users\Admin\AppData\Local\Temp\yqber.exe (3 identical rows)
PID 1144 wrote to memory of 3812 N/A C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 3612 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\yqber.exe C:\Users\Admin\AppData\Local\Temp\nypua.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe

"C:\Users\Admin\AppData\Local\Temp\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe"

C:\Users\Admin\AppData\Local\Temp\yqber.exe

"C:\Users\Admin\AppData\Local\Temp\yqber.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\nypua.exe

"C:\Users\Admin\AppData\Local\Temp\nypua.exe"
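
The process tree is the part of this report most worth turning into a detection: the sample starts a dropped EXE in Temp (ynbye.exe on Win7, yqber.exe on Win10), that EXE starts a second one, and in parallel the sample runs cmd.exe /c on _uinsey.bat from Temp, the process the report credits with "Deletes itself". The Python below is an added example written for this page, not sandbox output. It replays constructed process-creation events copied from the behavioral1 tree (PIDs and command lines as reported) plus three benign events for contrast, and implements two rules. The Temp-path regex is an assumption generalised to any user profile rather than the sandbox's Admin account. Rule 1 also fires on legitimate installers that stage binaries in Temp, so treat it as a correlation signal, not a blocking rule; the parent-to-child WriteProcessMemory pairs listed above accompany ordinary process creation and are weak evidence on their own.

```python
import re
from dataclasses import dataclass

# Any user's %LOCALAPPDATA%\Temp, not only the sandbox's Admin profile (assumption).
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# "cmd /c <batch>" including the doubled quoting seen in the report's command line.
BAT_RE = re.compile(r'/c\s+"*(?P<bat>[^"]+?\.bat)\b', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\02d8616a876a55020ac39998de21dd402630010b64a2a08b9c70a49cb2cf85ad.exe"
YNBYE = TEMP + r"\ynbye.exe"
XEEQR = TEMP + r"\xeeqr.exe"

# Constructed process-creation events reproducing the behavioral1 tree (PIDs and
# command lines as reported), plus three benign events for contrast.
EVENTS = [
    ProcEvent(632, 1, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3052, 632, YNBYE, f'"{YNBYE}"'),
    ProcEvent(2700, 632, r"C:\Windows\SysWOW64\cmd.exe",
              'cmd /c ""' + TEMP + r'\_uinsey.bat" "'),
    ProcEvent(2268, 3052, XEEQR, f'"{XEEQR}"'),
    ProcEvent(9001, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(9002, 9001, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(9003, 9001, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Program Files\Tool\build.bat"'),
]


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))


def detect(events):
    """Return (rule, parent_pid, child_pid, detail) for each matching creation event."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Rule 1, "Executes dropped EXE": a Temp-resident binary starts a different
        # binary that also lives in Temp.
        if (e.image.lower().endswith(".exe") and in_temp(parent.image)
                and in_temp(e.image) and parent.image.lower() != e.image.lower()):
            findings.append(("dropped_exe_exec", parent.pid, e.pid, e.image))
        # Rule 2, the "Deletes itself" chain: a Temp-resident binary runs cmd.exe /c
        # on a batch file that is itself in Temp.
        m = BAT_RE.search(e.cmdline)
        if (m and e.image.lower().endswith("\\cmd.exe") and in_temp(parent.image)
                and in_temp(m.group("bat"))):
            findings.append(("temp_batch_from_temp_exe", parent.pid, e.pid, m.group("bat")))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Against the constructed events the three findings are the sample starting ynbye.exe, the sample starting cmd.exe on _uinsey.bat, and ynbye.exe starting xeeqr.exe; the explorer.exe children produce nothing because neither the parent nor the batch file is in Temp.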

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
KR 218.54.31.226:11120 - tcp
KR 1.234.83.146:11170 - tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
KR 218.54.30.235:11120 - tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
JP 133.242.129.155:11120 - tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
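
The four endpoints on ports 11120 and 11170 (three in KR, one in JP) are the only destinations shared by the Win7 and Win10 detonations; the rest of the Win10 table is resolver traffic, reverse lookups and Bing telemetry from the VM itself. The script below is an added example written for this page, not report tooling. It parses the rows as printed (three- and four-column lines), strips that baseline, intersects the two runs, and renders local Suricata rules for what remains. The resolver and noise-suffix lists and the sid range are assumptions to tune for your own sandbox; the rows embedded in it are copied from the two Network tables, the Win10 list abridged.

```python
# Rows copied from the Network tables of this report; the Win10 list is abridged.
BEHAVIORAL1_WIN7 = """\
KR 218.54.31.226:11120 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.30.235:11120 tcp
JP 133.242.129.155:11120 tcp
"""

BEHAVIORAL2_WIN10 = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
KR 218.54.31.226:11120 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
KR 218.54.30.235:11120 tcp
JP 133.242.129.155:11120 tcp
"""

# Assumed sandbox baseline; adjust to what your own VM image talks to at idle.
RESOLVERS = {"8.8.8.8", "8.8.4.4"}
NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", "bing.com", "microsoft.com", "windowsupdate.com")


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; a missing or '-' domain is empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        if domain == "-":
            domain = ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_noise(row):
    """Resolver queries, reverse lookups and OS telemetry are VM background, not C2."""
    if row["ip"] in RESOLVERS and row["port"] == 53:
        return True
    return row["domain"].endswith(NOISE_DOMAIN_SUFFIXES)


def extract_iocs(text):
    """Endpoints ('ip:port') that survive the noise filter for one detonation."""
    return {f'{r["ip"]}:{r["port"]}' for r in parse_rows(text) if not is_noise(r)}


def stable_across_runs(*texts):
    """Endpoints contacted in every detonation: the repeatable C2 candidates."""
    sets = [extract_iocs(t) for t in texts]
    return set.intersection(*sets) if sets else set()


def suricata_rules(endpoints, proto="tcp", sid_base=1000001, msg="Urelas C2 candidate"):
    """One local rule per endpoint; sid_base is a placeholder in the local-rules range."""
    rules = []
    for i, ep in enumerate(sorted(endpoints)):
        ip, port = ep.rsplit(":", 1)
        rules.append(f'alert {proto} $HOME_NET any -> {ip} {port} '
                     f'(msg:"{msg} {ep}"; flow:to_server; sid:{sid_base + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    for rule in suricata_rules(stable_across_runs(BEHAVIORAL1_WIN7, BEHAVIORAL2_WIN10)):
        print(rule)
```

Intersecting runs on different OS images is a cheap way to separate the sample's own beacons from platform noise; an endpoint that appears in only one run deserves a second look before it goes into a blocklist.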

Files

memory/1144-0-0x0000000000400000-0x0000000000487000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yqber.exe

MD5 0bba567c1bd7db2452f6177a5b3e61f7
SHA1 787818f8631252a2eeafcf01ca35075385764e71
SHA256 58bf840fb2039371a1856284ad4efa512e8b1ca1b14d8661fff07e653e10885c
SHA512 8f327fb07a010ed1f1d942a9c87b066dea3fbeb380d0e76d6ce8b93ff2c5150efabe7be7c1ff44277c6683fafc56456881ac6910486a3b1d5052c108c04499f6

memory/1144-13-0x0000000000400000-0x0000000000487000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 db91543df3787d6c7b4d9f0276b31cd6
SHA1 940181f04b7fb1808a341d7e9395f6065ac57e04
SHA256 ed4d8091d155fde31e61d50042b46c5b4fb5fafddc31edd6ecbad658fa28beda
SHA512 cd64c2459272494e18295dc339851d90313aabd1abc401a4755326d4df069591b2ba58371ad62bc8fd78411c958248a4cb0f402ad88789400eb43f69802703b2

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 5acca8a0c0313d59767f7faed88c98be
SHA1 03bbeed7cf1cd29c04c5d794e2c4b474087245f1
SHA256 3b9ed81e57f1caaa3eed9b83c4600eb4d5111adf0e1e1807919fb4274ed53664
SHA512 839dbba11a9b5eb0017d37e7f8b41cb37756a165042590714130b53eb487212fdfbc90e7042ed0d50718036d71b01ef523d2a4d6c898af48141021bb5b7a8407

memory/3612-16-0x0000000000400000-0x0000000000487000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nypua.exe

MD5 8d6a08d2abb6e0b960c95a8d72cb8dcf
SHA1 937f4618933409fd2daf5ebebd2d8d8ffbe18d28
SHA256 4406a0fc63501df08a438aa6c3434511f1d155d446e963645a04ae69f7197d80
SHA512 dae3ea8ab8358118345d3fc6a5357583712e3e1061c0f8c9fe2836626651b940c3ae7b8507a42a841774cf405d2974f4326bc2e7f5833b5866e1a04e74af782d

memory/4168-25-0x0000000000FB0000-0x0000000001063000-memory.dmp

memory/4168-26-0x00000000014C0000-0x00000000014C1000-memory.dmp

memory/3612-27-0x0000000000400000-0x0000000000487000-memory.dmp

memory/4168-29-0x0000000000FB0000-0x0000000001063000-memory.dmp

memory/4168-30-0x0000000000FB0000-0x0000000001063000-memory.dmp

memory/4168-31-0x0000000000FB0000-0x0000000001063000-memory.dmp

memory/4168-32-0x0000000000FB0000-0x0000000001063000-memory.dmp

memory/4168-33-0x0000000000FB0000-0x0000000001063000-memory.dmp