Malware Analysis Report

2025-01-22 12:25

Sample ID: 240516-f5rqpsec46
Target: f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688
SHA256: f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688
Tags: urelas aspackv2 trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688

Threat Level: Known bad

The file f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688 was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 trojan

Urelas

Deletes itself

Checks computer location settings

ASPack v2.12-2.42

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-16 05:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-16 05:27

Reported

2024-05-16 05:30

Platform

win7-20240419-en

Max time kernel

149s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fujum.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pojuv.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pojuv.exe N/A (identical row reported 54 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2188 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe C:\Users\Admin\AppData\Local\Temp\fujum.exe (identical row reported 4 times)
PID 2188 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe C:\Windows\SysWOW64\cmd.exe (identical row reported 4 times)
PID 3004 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\fujum.exe C:\Users\Admin\AppData\Local\Temp\pojuv.exe (identical row reported 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe

"C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe"

C:\Users\Admin\AppData\Local\Temp\fujum.exe

"C:\Users\Admin\AppData\Local\Temp\fujum.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\pojuv.exe

"C:\Users\Admin\AppData\Local\Temp\pojuv.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 - tcp
KR 1.234.83.146:11170 - tcp
KR 218.54.31.165:11110 - tcp
JP 133.242.129.155:11110 - tcp

Files

memory/2188-1-0x0000000000020000-0x0000000000022000-memory.dmp

memory/2188-0-0x0000000000400000-0x0000000000468000-memory.dmp

\Users\Admin\AppData\Local\Temp\fujum.exe

MD5 4771ff8555ccffe148aac82ae76d00ea
SHA1 e9e99f5965d8ff8faf6c938e6d8f19339b6aef7f
SHA256 feb48e4d4a087c48d57432a78dbe95a5069092ef455cb73581843e0944e74e07
SHA512 edcb6e68c06fa803e9300feb37e2942531becc0831396fe058bddaaaab5344ad88a4bcff107abcb5dcc3ac82d5e379cc9bacf2abe1ffb78641e9d210f4656f1e

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 2dd4c59f8cf29c07a29920d74d85222a
SHA1 2ddf9f8dd6ec640960265884ca9876d34f7af925
SHA256 729cb2e8d2580599ab02345b6f6a9c78507356bb0ec1fbf5a15b81e0d533a7cc
SHA512 918e7d0cd049bd025ff662d9b061b7f8e416b790de09d783af9b6f9f3f0cfd94e57ea790ea0329d152b3ae97566b87d4b498c845398c4d48446c26d24e3e399e

memory/3004-24-0x0000000000020000-0x0000000000022000-memory.dmp

memory/3004-23-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2188-12-0x0000000002BC0000-0x0000000002C28000-memory.dmp

memory/2188-22-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 88e9fa0c1f043a07b7d474bea2b70e8e
SHA1 022015e39fd85876024f6c80355bf9948455196c
SHA256 0a96653ceb619e7c50876af9c8917e3f87ee8597e1dcd63c9159db14cd89780b
SHA512 d3baf163ccfd1f53a3bd417118951f44f0948ae0a3c8061d11e24b0c25342ab7e430a16ca9a422a980ac0c14782ab4152eb4bb14fe428915d386abf32acd9bd0

memory/3004-27-0x0000000000400000-0x0000000000468000-memory.dmp

\Users\Admin\AppData\Local\Temp\pojuv.exe

MD5 f8e100d8516a1f6c76d3de7a45fafc5a
SHA1 f6dbaf5e8600ec467f3011d85292c6c3378d8673
SHA256 75ea14fd95dd65b74b838ea0b0920acd8500f1d459d7ad37bc07d93d9980e3a5
SHA512 0df52df44fe07623fc76a08ffaec889305656d82c2e502f33867aa8d9ed4f886fcd9e1322d3ccec37eb11a2d1a07e506ba701f3b819de094df0f534deef84b03

memory/3004-42-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2400-44-0x00000000012E0000-0x0000000001382000-memory.dmp

memory/2400-45-0x00000000012E0000-0x0000000001382000-memory.dmp

memory/2400-47-0x00000000012E0000-0x0000000001382000-memory.dmp

memory/2400-46-0x00000000012E0000-0x0000000001382000-memory.dmp

memory/2400-49-0x00000000012E0000-0x0000000001382000-memory.dmp

memory/2400-50-0x00000000012E0000-0x0000000001382000-memory.dmp

memory/2400-51-0x00000000012E0000-0x0000000001382000-memory.dmp

memory/2400-52-0x00000000012E0000-0x0000000001382000-memory.dmp

memory/2400-53-0x00000000012E0000-0x0000000001382000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-16 05:27

Reported

2024-05-16 05:30

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mofua.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mofua.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cakow.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cakow.exe N/A (identical row reported 64 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4420 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe C:\Users\Admin\AppData\Local\Temp\mofua.exe (identical row reported 3 times)
PID 4420 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe C:\Windows\SysWOW64\cmd.exe (identical row reported 3 times)
PID 1816 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\mofua.exe C:\Users\Admin\AppData\Local\Temp\cakow.exe (identical row reported 3 times)

Processes

C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe

"C:\Users\Admin\AppData\Local\Temp\f7b79cf6e463790eb0ce967161faa41a65d6df7c4ca311537ade3d1934d04688.exe"

C:\Users\Admin\AppData\Local\Temp\mofua.exe

"C:\Users\Admin\AppData\Local\Temp\mofua.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\cakow.exe

"C:\Users\Admin\AppData\Local\Temp\cakow.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.196.96:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 96.196.17.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
BE 2.17.196.96:443 www.bing.com tcp
KR 218.54.31.226:11110 - tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
KR 1.234.83.146:11170 - tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
KR 218.54.31.165:11110 - tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
JP 133.242.129.155:11110 - tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (identical row reported 4 times)
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4420-1-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/4420-0-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mofua.exe

MD5 dffb5d29b31620ca517a0b5c55b125e5
SHA1 0e84da6ecb68b0a0906542dc70d2cb4b2e22f3db
SHA256 5338702a1a0098d9f038a77f112d742d5582f039769369b95a9d12b129430495
SHA512 300b46a879f5ab9806318ae9d3bfb39b7ba1170428474498d806515d1dc818e41ec629ae1867299835c0e7be0edcec3644a489c9eb378ad780407af6e798ad46

memory/1816-15-0x00000000001D0000-0x00000000001D2000-memory.dmp

memory/1816-14-0x0000000000400000-0x0000000000468000-memory.dmp

memory/4420-17-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 2dd4c59f8cf29c07a29920d74d85222a
SHA1 2ddf9f8dd6ec640960265884ca9876d34f7af925
SHA256 729cb2e8d2580599ab02345b6f6a9c78507356bb0ec1fbf5a15b81e0d533a7cc
SHA512 918e7d0cd049bd025ff662d9b061b7f8e416b790de09d783af9b6f9f3f0cfd94e57ea790ea0329d152b3ae97566b87d4b498c845398c4d48446c26d24e3e399e

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 5baedff35430945085580c3c2899d042
SHA1 02884acc4385d474f6b3b281ef5d15ba9ebfcf22
SHA256 28112cfbf7d54344dd2724c62c2aeac7ca8566f6294c57872f13b29d4bb8fdda
SHA512 15e1b8b59bccde3ed709ff4db790c9ca54fd460d57e3e4c27cc2ca0e62c2fc5a7ec0a78d588a1f4915d33c6001dd112b9791228fbf2eddebce9952a3befb275c

memory/1816-20-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cakow.exe

MD5 56a3778286809160ebba2b7ed8544e2b
SHA1 214ee556b63c1bf8e09d3f9a4092462f00ae7bc1
SHA256 313a5dcdcd49630549be47db90998e812cb4b64f6109590149c7a7e3c5b0abb9
SHA512 d7481bfa4c59206ace94e8c1598ee0c2f8a5517a9d41e52bf1b9b9f6426b6566e4a9bc35b6c115278575b0a6b36d11ac77081c02359a90deb967cd753a61bddf

memory/1816-41-0x0000000000400000-0x0000000000468000-memory.dmp

memory/1884-40-0x00000000009C0000-0x0000000000A62000-memory.dmp

memory/1884-39-0x00000000009C0000-0x0000000000A62000-memory.dmp

memory/1884-38-0x00000000009C0000-0x0000000000A62000-memory.dmp

memory/1884-42-0x00000000009C0000-0x0000000000A62000-memory.dmp

memory/1884-44-0x00000000009C0000-0x0000000000A62000-memory.dmp

memory/1884-45-0x00000000009C0000-0x0000000000A62000-memory.dmp

memory/1884-46-0x00000000009C0000-0x0000000000A62000-memory.dmp

memory/1884-47-0x00000000009C0000-0x0000000000A62000-memory.dmp

memory/1884-48-0x00000000009C0000-0x0000000000A62000-memory.dmp