Malware Analysis Report

2025-03-15 05:42

Sample ID 240510-et4epadf69
Target 697e6c37318a960d3ee858311962c010_NeikiAnalytics
SHA256 1ccb9551382b0b17cf14cc9795a2b8c2b960431ed355d9ae6c9ca6d9127b5804
Tags
urelas aspackv2 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1ccb9551382b0b17cf14cc9795a2b8c2b960431ed355d9ae6c9ca6d9127b5804

Threat Level: Known bad

The file 697e6c37318a960d3ee858311962c010_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 trojan

Urelas

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Deletes itself

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 04:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 04:14

Reported

2024-05-10 04:17

Platform

win7-20240221-en

Max time kernel

150s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lewyl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\olton.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\lewyl.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\olton.exe N/A 50

(Identical rows collapsed; Hits is the number of times the signature fired for that process.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target Hits
PID 2144 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\lewyl.exe 4
PID 2144 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2600 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\lewyl.exe C:\Users\Admin\AppData\Local\Temp\olton.exe 4

(Identical rows collapsed; Hits is the number of writes recorded per parent/child pair.)

Note: every write goes from a parent to a process it has just started, four writes each and no other targets. That is the pattern of ordinary process creation (the parent filling in the new child's startup data), not injection into a foreign process, so this table is best read as the parent-child edges of the process tree: 2144 (sample) -> 2600 (lewyl.exe), 2144 -> 2536 (cmd.exe), 2600 -> 2248 (olton.exe).

Processes

Process tree (PIDs and parent-child edges taken from the WriteProcessMemory table above; each entry shows the image path followed by its command line):

PID 2144  C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe
          "C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe"
  PID 2600  C:\Users\Admin\AppData\Local\Temp\lewyl.exe
            "C:\Users\Admin\AppData\Local\Temp\lewyl.exe"
    PID 2248  C:\Users\Admin\AppData\Local\Temp\olton.exe
              "C:\Users\Admin\AppData\Local\Temp\olton.exe"
  PID 2536  C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
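The Processes and WriteProcessMemory tables above together describe a four-process chain: the sample starts a dropped executable from %TEMP%, that executable starts a second one, and the sample also runs cmd.exe on a .bat file from %TEMP% (the "Deletes itself" signature). The Python below is an added example for this report, not sandbox code: it rebuilds that tree from process-creation events and flags exactly those two behaviours. The event records (pid, ppid, image, cmdline) are constructed here from the report's PIDs and command lines; the field names and the placeholder parent PID 1000 for the sample itself are assumptions.

```python
"""Rebuild the behavioral1 process tree from process-creation events and
flag the dropper pattern the signatures describe: a %TEMP% binary that
starts further %TEMP% executables and a cmd.exe /c <temp>.bat cleanup.

Added example for this report, not sandbox code. EVENTS is constructed
from the report's Processes and WriteProcessMemory tables; the field
names and the placeholder parent PID 1000 for the sample are assumptions.
"""
import ntpath
import re
from collections import defaultdict

TEMP = r"c:\users\admin\appdata\local\temp"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe"

# Constructed process-creation events (pid, ppid, image, cmdline) mirroring behavioral1.
EVENTS = [
    {"pid": 2144, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2600, "ppid": 2144, "image": r"C:\Users\Admin\AppData\Local\Temp\lewyl.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\lewyl.exe"'},
    {"pid": 2536, "ppid": 2144, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"pid": 2248, "ppid": 2600, "image": r"C:\Users\Admin\AppData\Local\Temp\olton.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\olton.exe"'},
]

# Pulls the script path out of `cmd /c ""C:\...\x.bat" "` (the quotes may be doubled).
BAT_RE = re.compile(r'/c\s+"*(?P<bat>[^"]+\.bat)"*', re.IGNORECASE)


def in_temp(path):
    return path.lower().startswith(TEMP)


def build_tree(events):
    """Index events by PID and collect children per parent PID."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def findings(events):
    """List (rule, pid, artefact) hits in event order."""
    by_pid, _ = build_tree(events)
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None or not in_temp(parent["image"]):
            continue  # only chains rooted in a %TEMP% binary are of interest here
        name = ntpath.basename(e["image"]).lower()
        # Dropped-EXE execution: a %TEMP% binary starts another %TEMP% binary.
        if in_temp(e["image"]) and name.endswith(".exe"):
            hits.append(("dropped_exe", e["pid"], ntpath.basename(e["image"])))
        # Cleanup/self-delete pattern: a %TEMP% binary runs cmd.exe /c on a %TEMP% .bat.
        m = BAT_RE.search(e["cmdline"])
        if name == "cmd.exe" and m and in_temp(m.group("bat")):
            hits.append(("bat_cleanup", e["pid"], ntpath.basename(m.group("bat"))))
    return hits


def chain_depth(events, root_pid):
    """Number of process generations from root_pid down the longest branch."""
    _, children = build_tree(events)

    def depth(pid):
        return 1 + max((depth(c) for c in children.get(pid, [])), default=0)

    return depth(root_pid)


def render(events, root_pid):
    """Indented text tree, one process per line."""
    by_pid, children = build_tree(events)
    lines = []

    def walk(pid, level):
        lines.append("  " * level + f"{pid} {ntpath.basename(by_pid[pid]['image'])}")
        for c in children.get(pid, []):
            walk(c, level + 1)

    walk(root_pid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(EVENTS, 2144))
    for hit in findings(EVENTS):
        print(*hit)
```

Run against the constructed events it prints the three-level tree rooted at 2144 and three hits: lewyl.exe and olton.exe as dropped executables, and _uinsey.bat as the cleanup script. The same two rules, fed from real process-creation telemetry (Sysmon event 1 or EDR equivalents) instead of the constructed list, cover both sandbox runs, since the win10 run differs only in the random file names (liuqe.exe/zewox.exe) and the fully qualified cmd.exe path.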

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 - tcp
KR 1.234.83.146:11170 - tcp
KR 218.54.31.165:11110 - tcp
JP 133.242.129.155:11110 - tcp

("-" = no domain recorded; all four are direct TCP connections to hard-coded addresses.)

Files

memory/2144-0-0x0000000000EB0000-0x0000000001A14000-memory.dmp

memory/2144-10-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2144-38-0x0000000000EB0000-0x0000000001A14000-memory.dmp

memory/2144-36-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/2144-34-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/2144-31-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2144-29-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2144-26-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2144-24-0x0000000000F30000-0x0000000001308000-memory.dmp

memory/2144-23-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2144-20-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2144-18-0x0000000000170000-0x0000000000171000-memory.dmp

memory/2144-15-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2144-13-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2144-41-0x0000000000EB0000-0x0000000001A14000-memory.dmp

memory/2144-11-0x0000000000160000-0x0000000000161000-memory.dmp

memory/2144-8-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2144-6-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2144-5-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2144-3-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2144-1-0x0000000000140000-0x0000000000141000-memory.dmp

\Users\Admin\AppData\Local\Temp\lewyl.exe

MD5 5e40148cfd5dec1c552d070b3a823cf8
SHA1 c086efc0cf30d436dfebe99ddff650e61dc717b9
SHA256 e318eafaabfb7218d9614a2744d97253e72ec650732e01c23a710bc763f7df19
SHA512 362912559ff3afa5a09a19039a1bf0570d4d1491e9d7fecc3f3fe4996ea1e3a7542d184d9c8b2b7213552cafaf127a67d504e53bc8ffa62896040c068ad801d2

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 3f2267b8601e67f4f35e1af45cf42736
SHA1 051322bdac359402985504687ba8a04a5a22215a
SHA256 9de381977a34efa286daef39033c659a690409e8b9e18eb0e8bf55a4b4db8f05
SHA512 4e3b15b4c06694b9101206e883f0543f3d2f1947b8d9769fb9c4cddcae2ea5750d57bc39a3c6ff0d37a70a17870c3622f47ec8e67bf5cebb86ab17565a585d49

memory/2144-50-0x0000000004130000-0x0000000004C94000-memory.dmp

memory/2600-58-0x00000000009F0000-0x0000000001554000-memory.dmp

memory/2144-60-0x0000000000EB0000-0x0000000001A14000-memory.dmp

memory/2144-61-0x0000000000F30000-0x0000000001308000-memory.dmp

memory/2600-82-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2600-87-0x0000000000310000-0x0000000000311000-memory.dmp

memory/2600-85-0x0000000000310000-0x0000000000311000-memory.dmp

memory/2600-102-0x00000000009F0000-0x0000000001554000-memory.dmp

memory/2600-80-0x0000000000300000-0x0000000000301000-memory.dmp

memory/2600-103-0x00000000009F0000-0x0000000001554000-memory.dmp

memory/2600-77-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2600-75-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/2600-72-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/2600-70-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/2600-67-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2600-65-0x0000000000100000-0x0000000000101000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 35a50122b90be71a7895d8ea1e0accd5
SHA1 d2d2f4be6b2372e2de1a6e4dcb57954faf9bbe46
SHA256 4562c35573ea1dce7793cd4e9bdd549dabd28b82f2efe9ffb020cab1c88d983c
SHA512 d9c30e51ec775ef91e3998e23f9b61d58652d0d16fbed8c873074163cc67450010c1de96352441687c2a0eb5b35f231ae04151c305939be11ce10bf53a0bb443

memory/2600-105-0x00000000009F0000-0x0000000001554000-memory.dmp

\Users\Admin\AppData\Local\Temp\olton.exe

MD5 cff433c129f815fb41c3c5ef1777ef1c
SHA1 dd90c26630ef97d1e3155bbfcef8c271e6a4d0fe
SHA256 4795102fec4e6a90f9af41057fb124fd7a3dcb4b6253ac6f9ab4e29c7caf259f
SHA512 325e9188b6fd0f42734c530607927a78bf2a7a0762d963a0ce1adbe4aa626a4fd3ec6d29c515956c661120d83047f39a6cfb27c433b35ec68bdf1216f03735ab

memory/2248-113-0x0000000000A00000-0x0000000000A9E000-memory.dmp

memory/2600-111-0x0000000003E30000-0x0000000003ECE000-memory.dmp

memory/2600-117-0x00000000009F0000-0x0000000001554000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lewyl.exe (second write of the same path; the content differs from the first lewyl.exe entry above, compare the hashes)

MD5 01fdc21caccb35a410f7876bb17559e9
SHA1 eda547e06226f76140df48e2d14b52d905ab7731
SHA256 0e7c6f8ed28815cfda7893594967bc0567411ab3eb1342fc2adef5fcf5fcb0b8
SHA512 56e3a70215df4670c7c840fd951d52d4777859450c3f15d3deb1e77800d41561bfb2c1b27e8592ca0f8f3b793abd65b081a97bd4e1ae38ac4ccf76c3a5fe07ba

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 04:14

Reported

2024-05-10 04:17

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\liuqe.exe N/A

Note: HKCU\Control Panel\International\Geo\Nation holds the user's configured country code. Both the sample and its first-stage drop (liuqe.exe) read it, the usual shape of a locale check; this signature did not fire in the win7 run, so the behaviour was only observed on the win10 platform.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\liuqe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zewox.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Hits
N/A N/A C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\liuqe.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\zewox.exe N/A 60

(Identical rows collapsed; Hits is the number of times the signature fired for that process.)

Processes

C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\liuqe.exe

"C:\Users\Admin\AppData\Local\Temp\liuqe.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\zewox.exe

"C:\Users\Admin\AppData\Local\Temp\zewox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
KR 218.54.31.226:11110 - tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
KR 1.234.83.146:11170 - tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
KR 218.54.31.165:11110 - tcp
JP 133.242.129.155:11110 - tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

("-" = no domain recorded.)

Note: the four KR/JP endpoints on ports 11110 and 11170 are the only rows shared with the win7 run and the only direct TCP connections made without a name lookup; they are the network indicators to keep. The 8.8.8.8:53 queries, the in-addr.arpa rows (reverse lookups of the peers contacted) and the bing.com/bing.net traffic appear only on the win10 platform and are consistent with background traffic of the sandbox image rather than activity of the sample.
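The win10 Network table mixes the sample's own connections with resolver, PTR and Bing traffic, while the win7 table contains only the four KR/JP endpoints. The Python below is an added example for this report, not sandbox code: it parses rows in the report's "Country Destination Domain Proto" layout, separates platform background traffic from direct TCP connections with no resolved name, and intersects the candidate set across the two runs. The rows are constructed from the two tables (the win10 list is a subset), and the noise heuristics (port 53/udp, in-addr.arpa, bing.com and bing.net) are this example's assumptions about the sandbox image, not sandbox logic.

```python
"""Split a sandbox connection table into platform background traffic and
candidate C2 endpoints, then intersect the candidates across two runs.

Added example for this report, not sandbox code. The rows are constructed
from the report's Network tables; the noise heuristics are assumptions.
"""
import re
from collections import Counter

# Constructed: a subset of the behavioral2 (win10) table, same field order as the report.
WIN10_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Constructed: the complete behavioral1 (win7) table.
WIN7_ROWS = """\
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
"""

# Country, ip:port, optional domain, proto. The domain column is absent for direct connections.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)

# Assumption: hosts the sandbox image talks to on its own, not the sample.
NOISE_DOMAINS = (".bing.com", ".bing.net")


def parse(table):
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def is_noise(row):
    dom = row["domain"] or ""
    if row["proto"] == "udp" and row["port"] == 53:
        return True  # resolver traffic
    if dom.endswith(".in-addr.arpa"):
        return True  # reverse lookups of peers already seen
    return any(dom == n.lstrip(".") or dom.endswith(n) for n in NOISE_DOMAINS)


def candidates(rows):
    """Direct TCP connections with no resolved name: the endpoints worth keeping as IOCs."""
    return sorted({(r["ip"], r["port"]) for r in rows
                   if r["proto"] == "tcp" and r["domain"] is None and not is_noise(r)})


def shared(rows_a, rows_b):
    """Candidate endpoints seen in both runs."""
    return sorted(set(candidates(rows_a)) & set(candidates(rows_b)))


def port_profile(rows):
    """How many candidate endpoints use each destination port."""
    return Counter(port for _, port in candidates(rows))


if __name__ == "__main__":
    win7, win10 = parse(WIN7_ROWS), parse(WIN10_ROWS)
    for ip, port in shared(win7, win10):
        print(f"{ip}:{port}")
    print(dict(port_profile(win10)))
```

On the constructed rows six of the ten win10 entries are classed as noise and the remaining four endpoints are exactly the win7 set, with three of them on port 11110 and one on 11170. Anything that survives the intersection of two detonations on different platforms is a much stronger indicator than a single-run row.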

Files

memory/5036-0-0x0000000000DB0000-0x0000000001914000-memory.dmp

memory/5036-7-0x0000000000D90000-0x0000000000D91000-memory.dmp

memory/5036-6-0x0000000000D80000-0x0000000000D81000-memory.dmp

memory/5036-8-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/5036-5-0x0000000000D70000-0x0000000000D71000-memory.dmp

memory/5036-4-0x0000000000E30000-0x0000000001208000-memory.dmp

memory/5036-3-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/5036-13-0x0000000000DB0000-0x0000000001914000-memory.dmp

memory/5036-2-0x0000000000660000-0x0000000000661000-memory.dmp

memory/5036-1-0x0000000000650000-0x0000000000651000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\liuqe.exe

MD5 3c52aaaeeea422c9eea7877699751560
SHA1 5486c1969dd858263c98f2733511a351d9f9d0bb
SHA256 5dd1114f1e64f0249feaa379bc6a958b9d98202191ad432fa6d065a3460dcad1
SHA512 7ffb75e94f37a388e2606e680e4e88463d24aff22c735d08cb43ebaed28fa9e4ac0862662045918be303357926b224d89181dea15e457ab1ab99b78b360bf547

memory/5096-26-0x0000000000F30000-0x0000000001A94000-memory.dmp

memory/5036-27-0x0000000000DB0000-0x0000000001914000-memory.dmp

memory/5036-28-0x0000000000E30000-0x0000000001208000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 3f2267b8601e67f4f35e1af45cf42736
SHA1 051322bdac359402985504687ba8a04a5a22215a
SHA256 9de381977a34efa286daef39033c659a690409e8b9e18eb0e8bf55a4b4db8f05
SHA512 4e3b15b4c06694b9101206e883f0543f3d2f1947b8d9769fb9c4cddcae2ea5750d57bc39a3c6ff0d37a70a17870c3622f47ec8e67bf5cebb86ab17565a585d49

memory/5096-37-0x0000000003150000-0x0000000003151000-memory.dmp

memory/5096-36-0x0000000003140000-0x0000000003141000-memory.dmp

memory/5096-38-0x0000000000F30000-0x0000000001A94000-memory.dmp

memory/5096-35-0x0000000000F10000-0x0000000000F11000-memory.dmp

memory/5096-34-0x00000000009E0000-0x00000000009E1000-memory.dmp

memory/5096-33-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/5096-32-0x0000000000FB0000-0x0000000001388000-memory.dmp

memory/5096-31-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/5096-30-0x00000000009B0000-0x00000000009B1000-memory.dmp

memory/5096-42-0x0000000000F30000-0x0000000001A94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ab755e6022413e3d64763ef8d3641edc
SHA1 5eec093e87f4efc8e67b1d4c7b57b19f3a3c4e6b
SHA256 8dfc3e9957a5e4dacb7bc78ae234a2d13387eef3ffffbed06e903f29806b9882
SHA512 f1b1562db6a63dbdce340e3b4574a0eabb7d7c18dfce141d29d57e0e700b8fab13e9bc5ac5f855fa7606f4a90c1b2f65611220a0ddb8bdde6c4fe455dd3616aa

memory/5096-45-0x0000000000FB0000-0x0000000001388000-memory.dmp

memory/5096-44-0x0000000000F30000-0x0000000001A94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zewox.exe

MD5 f6dee7f65298d831b4d4974c1817e643
SHA1 f967782b4b31925a8f505f5fc4bea916aecc4430
SHA256 61063e0b0f8e1480a7254b7ad5495ac43f5912bf9888ae8cacfce12ca256d899
SHA512 dbb22fd8b57c49855988f9a2854492fe2515909aba24dd34d94dd32675fb32ff9096ef3e3596b50929b44769364ecb134d7eb08e01780ce3eeb268b18a98cc23

memory/5096-58-0x0000000000F30000-0x0000000001A94000-memory.dmp

memory/4660-56-0x0000000000990000-0x0000000000A2E000-memory.dmp

memory/4660-55-0x0000000000990000-0x0000000000A2E000-memory.dmp

memory/4660-54-0x0000000000990000-0x0000000000A2E000-memory.dmp

memory/5096-59-0x0000000000FB0000-0x0000000001388000-memory.dmp

memory/4660-57-0x0000000000990000-0x0000000000A2E000-memory.dmp

memory/4660-61-0x0000000000990000-0x0000000000A2E000-memory.dmp

memory/4660-62-0x0000000000990000-0x0000000000A2E000-memory.dmp

memory/4660-63-0x0000000000990000-0x0000000000A2E000-memory.dmp

memory/4660-64-0x0000000000990000-0x0000000000A2E000-memory.dmp

memory/4660-65-0x0000000000990000-0x0000000000A2E000-memory.dmp
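The memory dump names in both Files sections encode a PID, a sequence number and a start/end address, which is enough to compare the mapped image size of each stage across processes and runs. The Python below is an added example for this report, not sandbox code: it parses those names, takes each process's largest region as its image size, and looks for regions in a parent that match the image size of another process (the next stage being mapped before it is started). The dump lists are a constructed subset of the two Files sections; the PID-to-image mapping in the comments comes from the WriteProcessMemory table for the win7 run and, for the win10 run, from order of appearance, which is an assumption.

```python
"""Parse memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp names from the
report's Files sections and compare mapped image sizes per process.

Added example for this report, not sandbox code. The lists are a subset
constructed from the two Files sections. PID-to-image mapping: win7 per
the WriteProcessMemory table (2144 sample, 2600 lewyl.exe, 2248 olton.exe);
win10 by order of appearance (5036 sample, 5096 liuqe.exe, 4660 zewox.exe),
which is an assumption.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed subset of the behavioral1 (win7) Files section.
WIN7_DUMPS = [
    "memory/2144-0-0x0000000000EB0000-0x0000000001A14000-memory.dmp",
    "memory/2144-1-0x0000000000140000-0x0000000000141000-memory.dmp",
    "memory/2144-24-0x0000000000F30000-0x0000000001308000-memory.dmp",
    "memory/2144-50-0x0000000004130000-0x0000000004C94000-memory.dmp",
    "memory/2600-58-0x00000000009F0000-0x0000000001554000-memory.dmp",
    "memory/2600-65-0x0000000000100000-0x0000000000101000-memory.dmp",
    "memory/2600-111-0x0000000003E30000-0x0000000003ECE000-memory.dmp",
    "memory/2248-113-0x0000000000A00000-0x0000000000A9E000-memory.dmp",
]

# Constructed subset of the behavioral2 (win10) Files section.
WIN10_DUMPS = [
    "memory/5036-0-0x0000000000DB0000-0x0000000001914000-memory.dmp",
    "memory/5036-4-0x0000000000E30000-0x0000000001208000-memory.dmp",
    "memory/5096-26-0x0000000000F30000-0x0000000001A94000-memory.dmp",
    "memory/4660-54-0x0000000000990000-0x0000000000A2E000-memory.dmp",
]


def parse_dump(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def by_pid(names):
    """Group parsed regions by PID, preserving first-seen PID order."""
    groups = defaultdict(list)
    for n in names:
        r = parse_dump(n)
        groups[r["pid"]].append(r)
    return dict(groups)


def image_sizes(names):
    """Largest dumped region per PID, used here as a proxy for the mapped image size."""
    return {pid: max(r["size"] for r in regs) for pid, regs in by_pid(names).items()}


def size_groups(names):
    """Invert image_sizes: which PIDs share the same image size."""
    groups = defaultdict(list)
    for pid, size in image_sizes(names).items():
        groups[size].append(pid)
    return {size: sorted(pids) for size, pids in groups.items()}


def staged_regions(names):
    """(pid, seq, other_pid, size) for regions in one process that match another
    process's image size but not its own: a later stage mapped in the parent."""
    sizes = image_sizes(names)
    hits = []
    for pid, regs in by_pid(names).items():
        for r in regs:
            if r["size"] == sizes[pid]:
                continue
            for other, other_size in sizes.items():
                if other != pid and r["size"] == other_size:
                    hits.append((pid, r["seq"], other, r["size"]))
    return hits


if __name__ == "__main__":
    for label, dumps in (("win7", WIN7_DUMPS), ("win10", WIN10_DUMPS)):
        print(label, {pid: hex(size) for pid, size in image_sizes(dumps).items()})
        print(label, "staged:", [(p, s, o, hex(z)) for p, s, o, z in staged_regions(dumps)])
```

On the constructed lists the sample and its first drop both map a 0xB64000-byte image in each run (2144/2600 on win7, 5036/5096 on win10) even though the dropped files carry different hashes from the sample, and the second drop maps 0x9E000 bytes in both runs (2248 and 4660). In the win7 list lewyl.exe (2600) also holds a 0x9E000-byte region (sequence 111) before olton.exe (2248) appears, the size of the stage it is about to write. Consistent image sizes across platforms and random file names are a useful cross-check that the two detonations ran the same payload chain.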