Malware Analysis Report

2024-11-16 13:26

Sample ID 240813-a4dvkazfqk
Target d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3
SHA256 d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3
Tags
urelas aspackv2 discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3

Threat Level: Known bad

The file d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3 was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 discovery trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 00:45

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 00:45

Reported

2024-08-13 00:48

Platform

win7-20240705-en

Max time kernel

149s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\luzoa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uxgez.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\luzoa.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uxgez.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uxgez.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1732 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe | C:\Users\Admin\AppData\Local\Temp\luzoa.exe
PID 1732 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1472 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\luzoa.exe | C:\Users\Admin\AppData\Local\Temp\uxgez.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe

"C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe"

C:\Users\Admin\AppData\Local\Temp\luzoa.exe

"C:\Users\Admin\AppData\Local\Temp\luzoa.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\uxgez.exe

"C:\Users\Admin\AppData\Local\Temp\uxgez.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11110 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.31.165:11110 | | tcp
JP | 133.242.129.155:11110 | | tcp

Files

memory/1732-0-0x0000000000400000-0x0000000000871000-memory.dmp

memory/1732-19-0x00000000037B0000-0x0000000003C21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\luzoa.exe

MD5 219561f8babdd0284bc6ec27b3bc9712
SHA1 1c58b8ff892e0e1e50d922fd9a19760dde44d5a5
SHA256 0f73ef9d1f2a7406976f8634303ea862548336fe87bb543a16f0aa65f00b6dc9
SHA512 e77a5c6f93b4f6e92abc9c5642a91e5b0822bc126dcfd1a279f18359f5b007969c46f30dc8a1d34c28feb54128a9fdf66653e4e104fe5cdaa86cc7c2bb46f7fe

memory/1732-20-0x0000000000400000-0x0000000000871000-memory.dmp

memory/1472-21-0x0000000000400000-0x0000000000871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 f72138ac944e25405a5c3fce516954df
SHA1 7b20c737da2be77b2f8c066eaec809f010cdca37
SHA256 d9daa46406e636728a00f5e6b93d9a9eeb83497da7b43a752b95534483413172
SHA512 1d7ecdb19778d8716e8c680fa17cbf44715f8035bb80f53e8446b5b6d5584be33f42f895429142c9bbff4441bd64201942191da8bbb8eedd1537fbc4d9129804

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 3d8adf987ce5ef73912802d359d13438
SHA1 cd014ed3f5bab15717c2b1ef4866fe0bb1ccfbb9
SHA256 aa4cc5e5955ae177e808215302897e2febe6954e4a27f234f738ac27300ad7f9
SHA512 408621c0b28f56911c362cf6ffe4220ab3587f6568c04fd74ffef0e3bf0fdebb58134743efcc475ccfbf2f49a88c6a3f4a132b27319bfa2d49291390fde0d481

\Users\Admin\AppData\Local\Temp\uxgez.exe

MD5 f284751884158e16ab664fedbdb6c584
SHA1 fa8727013fb3a4bbc6082c9ca7624f7d86b3ba42
SHA256 d45f7f978d8810453cf36e76c309b11f330d7a6364e44208da3efdc8e26a018a
SHA512 419f350255b2d8119aa8986ad80ba69809c03afdd17f30b4c686756b7bde8696fb94a310050527fa2ddc4a8df58570e0de2e5d568b5fab642d118a26e83091f6

memory/892-34-0x0000000000820000-0x00000000008B4000-memory.dmp

memory/892-32-0x0000000000820000-0x00000000008B4000-memory.dmp

memory/892-33-0x0000000000820000-0x00000000008B4000-memory.dmp

memory/892-31-0x0000000000820000-0x00000000008B4000-memory.dmp

memory/1472-30-0x0000000004090000-0x0000000004124000-memory.dmp

memory/1472-35-0x0000000000400000-0x0000000000871000-memory.dmp

memory/892-37-0x0000000000820000-0x00000000008B4000-memory.dmp

memory/892-38-0x0000000000820000-0x00000000008B4000-memory.dmp

memory/892-39-0x0000000000820000-0x00000000008B4000-memory.dmp

memory/892-40-0x0000000000820000-0x00000000008B4000-memory.dmp

memory/892-41-0x0000000000820000-0x00000000008B4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 00:45

Reported

2024-08-13 00:48

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\roluj.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roluj.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jugiv.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\roluj.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jugiv.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jugiv.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1748 wrote to memory of 3840 | N/A | C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe | C:\Users\Admin\AppData\Local\Temp\roluj.exe
PID 1748 wrote to memory of 208 | N/A | C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe | C:\Windows\SysWOW64\cmd.exe
PID 3840 wrote to memory of 3640 | N/A | C:\Users\Admin\AppData\Local\Temp\roluj.exe | C:\Users\Admin\AppData\Local\Temp\jugiv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe

"C:\Users\Admin\AppData\Local\Temp\d1e62a12b6afd032d9ca420a5544e96bb8ad8b7222f3063fa875af399b0d01c3.exe"

C:\Users\Admin\AppData\Local\Temp\roluj.exe

"C:\Users\Admin\AppData\Local\Temp\roluj.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\jugiv.exe

"C:\Users\Admin\AppData\Local\Temp\jugiv.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
KR | 218.54.31.226:11110 | | tcp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
KR | 218.54.31.165:11110 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
JP | 133.242.129.155:11110 | | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

memory/1748-0-0x0000000000400000-0x0000000000871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\roluj.exe

MD5 ecb9bb8e1c790b927806771c7611c242
SHA1 443db5115fae316fdfe8e7740d2e14f94316a39c
SHA256 d7f77c88a9e49fd7f54c90c2be834fdc81d03c44b09f53c4ebd69cc11f43275f
SHA512 e1fab7ece17e15ef84fb51149a5965a80fb0721ce7c69fb0cac1461c1fd607a570577df97e6fc78574e8c3d4d68a5a5604d96076c5e1d2049d4bdb7abe4d92f2

memory/3840-13-0x0000000000400000-0x0000000000871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 f72138ac944e25405a5c3fce516954df
SHA1 7b20c737da2be77b2f8c066eaec809f010cdca37
SHA256 d9daa46406e636728a00f5e6b93d9a9eeb83497da7b43a752b95534483413172
SHA512 1d7ecdb19778d8716e8c680fa17cbf44715f8035bb80f53e8446b5b6d5584be33f42f895429142c9bbff4441bd64201942191da8bbb8eedd1537fbc4d9129804

memory/1748-15-0x0000000000400000-0x0000000000871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a3a5bf93a02910c8490f05d33a53fc8a
SHA1 f70aa3ebc56cee335e3c24fac2ba4686d3a036c8
SHA256 1eb409d116efa1fb58435c6bb62d9ce961ee198a2fe6fe2e67aae7042b87e595
SHA512 cdebc20e8e7d36cf66a9340a3fabb5d04da30a3cdfe7a9c267da3a16e86be111db6c09c35343f1665d81b3e3ccde659eafb881500920fcc238a2b299213a9e81

C:\Users\Admin\AppData\Local\Temp\jugiv.exe

MD5 447f6ae78992c83e6817857d44aee2f7
SHA1 a71fec7d6c7d9db3216e2331e4caa9f12e5defe0
SHA256 1e9ef44248d907b1f78bc3a726486b93172a8e33c2bf88afbb02998e5d03d8a2
SHA512 7f93ebd4fa6ca039a878d504cb9f22aa8d9f8990d0357b6ab0649e2b91ac6df3ccaa2645ae0751dcb97272f9eda72a67a150cbe8628f3ac77484e7839223fb6c

memory/3640-29-0x0000000000360000-0x00000000003F4000-memory.dmp

memory/3640-28-0x0000000000360000-0x00000000003F4000-memory.dmp

memory/3640-27-0x0000000000360000-0x00000000003F4000-memory.dmp

memory/3640-26-0x0000000000360000-0x00000000003F4000-memory.dmp

memory/3840-25-0x0000000000400000-0x0000000000871000-memory.dmp

memory/3640-31-0x0000000000360000-0x00000000003F4000-memory.dmp

memory/3640-32-0x0000000000360000-0x00000000003F4000-memory.dmp

memory/3640-33-0x0000000000360000-0x00000000003F4000-memory.dmp

memory/3640-34-0x0000000000360000-0x00000000003F4000-memory.dmp

memory/3640-35-0x0000000000360000-0x00000000003F4000-memory.dmp