Malware Analysis Report

2024-11-16 13:26

Sample ID 241013-s47fzstgje
Target 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN
SHA256 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288a
Tags urelas aspackv2 discovery trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288a

Threat Level: Known bad

The file 9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN was found to be: Known bad.

In both detonations (Windows 7 and Windows 10) the unsigned, ASPack-packed sample drops a randomly named executable into %TEMP% and runs it, and at the same time launches cmd.exe on %TEMP%\_uinsey.bat, the step reported as "Deletes itself". The dropped executable in turn drops and runs a second one, to which every "EnumeratesProcesses" entry is attributed. Every process in the chain opens the NLS\Language key, the sample and its first stage also query Control Panel\International\Geo\Nation (Windows 10 run), a golfinfo.ini is written to %TEMP% (its content differs between runs), and the run connects directly by IP, with no DNS lookup recorded for them, to 218.54.31.226:11110, 218.54.31.165:11110, 133.242.129.155:11110 and 1.234.83.146:11170. The dropped executables carry different names and hashes in each run (ufjug.exe/foecn.exe on Windows 7, cygeb.exe/umukb.exe on Windows 10), so those hashes are per-run artefacts; the batch file (MD5 7b005e68ba608bed0f82bca950281e7f) and the four TCP endpoints are identical across runs and are the stable indicators in this report.

Malicious Activity Summary

urelas aspackv2 discovery trojan

Urelas family

Urelas

ASPack v2.12-2.42

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Techniques mapped from the signatures reported below: Discovery, T1614 System Location Discovery ("Checks computer location settings": Geo\Nation value queried, behavioral2) and T1614.001 System Location Discovery: System Language Discovery (NLS\Language key opened by every process in the chain, both runs); Defense Evasion, T1070.004 Indicator Removal: File Deletion ("Deletes itself", performed through cmd.exe and _uinsey.bat).

Analysis: static1

Detonation Overview

Reported

2024-10-13 15:41

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-13 15:41

Reported

2024-10-13 15:44

Platform

win7-20240903-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A
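A static check to corroborate the packer tag before any unpacking work. This is an added example, not the sandbox's own signature: it walks the PE section table with the standard library, looks for the section names ASPack adds by default (.aspack and .adata) and measures per-section entropy, since the compressed original code shows up as a high-entropy section. The PE produced by build_sample_pe() is a constructed stand-in built only so the check runs offline; it is not the analysed binary and would not load.

```python
"""Corroborate the "ASPack v2.12-2.42" tag statically from the PE section
table: ASPack adds sections named .aspack and .adata, and the packed
original code sits in a high-entropy section.

Added example (standard library only); not the sandbox's own signature.
build_sample_pe() fabricates a minimal PE for demonstration; it is not
the analysed file and would not load, but its headers parse correctly."""
import math
import struct
from collections import Counter

ASPACK_SECTION_NAMES = {b".aspack", b".adata"}
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size, characteristics) for each section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, pe, coff)
    table = coff + struct.calcsize(COFF_HDR) + opt_size   # section table follows the optional header
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_HDR, pe, table + i * 40)
        name, raw_size, raw_ptr, chars = fields[0], fields[3], fields[4], fields[9]
        yield name.rstrip(b"\0"), raw_ptr, raw_size, chars


def check_aspack(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Report packer indicators: ASPack section names, plus every section whose
    raw data exceeds the entropy threshold (compressed or encrypted payload)."""
    result = {"sections": [], "aspack_sections": [], "high_entropy": []}
    for name, raw_ptr, raw_size, _ in pe_sections(pe):
        ent = round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 2)
        label = name.decode("latin-1")
        result["sections"].append((label, raw_size, ent))
        if name in ASPACK_SECTION_NAMES:
            result["aspack_sections"].append(label)
        if ent >= entropy_threshold:
            result["high_entropy"].append(label)
    result["aspack"] = bool(result["aspack_sections"])
    return result


def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with a
    zero-length optional header, then one section header per (name, data)."""
    n = len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack(COFF_HDR, 0x14C, n, 0, 0, 0, 0, 0x102)  # i386, executable image
    raw_ptr = 0x40 + 4 + struct.calcsize(COFF_HDR) + 40 * n    # first byte after the headers
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(data),
                             0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return bytes(dos) + b"PE\0\0" + coff + table + body


# Stand-in for a packed binary: "compressed" code (uniform bytes, entropy 8.0)
# followed by ASPack's stub and data sections. Constructed, not the sample.
PACKED_SAMPLE = build_sample_pe([
    (b".text", bytes(range(256)) * 8),
    (b".aspack", b"\x90" * 256),
    (b".adata", b"\x00" * 64),
])
PLAIN_SAMPLE = build_sample_pe([(b".text", b"\x90" * 256)])

if __name__ == "__main__":
    print(check_aspack(PACKED_SAMPLE))
```

Section names are trivially renamed by anyone rebuilding the packer stub, so the entropy reading is the backstop; treat a hit as a reason to unpack (dump the process after the stub has run, as the memory/...-memory.dmp artefacts below effectively are) rather than as proof of family.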

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ufjug.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\foecn.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ufjug.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\foecn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\foecn.exe N/A 54

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2788 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe C:\Users\Admin\AppData\Local\Temp\ufjug.exe 4
PID 2788 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2920 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\ufjug.exe C:\Users\Admin\AppData\Local\Temp\foecn.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe

"C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"

C:\Users\Admin\AppData\Local\Temp\ufjug.exe

"C:\Users\Admin\AppData\Local\Temp\ufjug.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\foecn.exe

"C:\Users\Admin\AppData\Local\Temp\foecn.exe"
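The WriteProcessMemory rows and the command lines above are enough to rebuild the process chain and to write a reusable check for the self-delete step. The following is an added example, not code from the sandbox: the row format it parses is the one used on this page, the rows and command lines are copied from the behavioral1 tables, and the flagging rule (an executable in %TEMP% spawning cmd.exe on a .bat that also lives in %TEMP%) is ours.

```python
"""Rebuild the behavioral1 process chain from the report's
"Suspicious use of WriteProcessMemory" rows and flag the self-delete step
(an executable in %TEMP% spawning cmd.exe on a .bat in %TEMP%).

Added example; the parsing targets the row layout used on this page and is
not code from the sandbox. The rows and command lines below are copied from
the behavioral1 tables; the flagging heuristic is ours."""
import re
from collections import defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + "\\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# One row per WriteProcessMemory call as the sandbox logged them; the repeats
# are consecutive writes into the same child and add no new edges.
WPM_ROWS = f"""
PID 2788 wrote to memory of 2920 N/A {SAMPLE} {TEMP}\\ufjug.exe
PID 2788 wrote to memory of 2920 N/A {SAMPLE} {TEMP}\\ufjug.exe
PID 2788 wrote to memory of 2732 N/A {SAMPLE} {CMD}
PID 2788 wrote to memory of 2732 N/A {SAMPLE} {CMD}
PID 2920 wrote to memory of 352 N/A {TEMP}\\ufjug.exe {TEMP}\\foecn.exe
"""

# Command lines from the Processes section, keyed by image path.
CMDLINES = {
    SAMPLE: f'"{SAMPLE}"',
    TEMP + "\\ufjug.exe": f'"{TEMP}\\ufjug.exe"',
    CMD: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "',
    TEMP + "\\foecn.exe": f'"{TEMP}\\foecn.exe"',
}

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"+(?P<bat>[^"]+\.bat)"', re.I)


def parse_wpm_rows(text: str) -> dict:
    """Map (parent_pid, child_pid) -> (parent_image, child_image), dropping repeats."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst))] = (src_img, dst_img)
    return edges


def build_tree(edges: dict):
    """Return (root_pids, children, image) for the parent-to-child graph."""
    children, image = defaultdict(list), {}
    for (p, c), (p_img, c_img) in edges.items():
        image[p], image[c] = p_img, c_img
        children[p].append(c)
    child_pids = {c for _, c in edges}
    roots = sorted({p for p, _ in edges if p not in child_pids})
    return roots, children, image


def render_tree(pids, children, image, cmdlines, depth=0) -> list:
    """Indented text lines: pid, image and command line at each level."""
    lines = []
    for pid in pids:
        lines.append("  " * depth + f"{pid} {image[pid]}  ::  {cmdlines.get(image[pid], '')}")
        lines.extend(render_tree(sorted(children[pid]), children, image, cmdlines, depth + 1))
    return lines


def find_temp_batch_launches(edges: dict, cmdlines: dict) -> list:
    """(parent_pid, parent_image, bat_path) for each cmd.exe spawned by an
    executable in %TEMP% to run a .bat that also lives in %TEMP%."""
    hits = []
    for (p, _), (p_img, c_img) in edges.items():
        if not c_img.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(cmdlines.get(c_img, ""))
        if m and TEMP_RE.search(p_img) and TEMP_RE.search(m["bat"]):
            hits.append((p, p_img, m["bat"]))
    return hits


if __name__ == "__main__":
    edges = parse_wpm_rows(WPM_ROWS)
    print("\n".join(render_tree(*build_tree(edges), CMDLINES)))
    for p, img, bat in find_temp_batch_launches(edges, CMDLINES):
        print(f"self-delete candidate: PID {p} ({img}) -> cmd.exe {bat}")
```

The same rule, expressed against Sysmon or EDR process-creation events (parent image under AppData\Local\Temp, child cmd.exe, command line containing a .bat under the same directory), is what a detection engineer would lift from this report; the random ufjug/foecn names are not worth matching on, the batch-launch shape is.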

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2788-0-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 7b005e68ba608bed0f82bca950281e7f
SHA1 d8aa71bb2248e59685668514c773d382d9c711bd
SHA256 63c7dc1e1a47cd86a2b29d1b1ffed7c12aeeb85c4c994ac5088456b335188a6c
SHA512 c0b6a6d0d5e11d44545f446588261480d8b76db73177c35b1cd335de60342a02133c990a35ccfd042fae9e4adeba3a969ba7b48f2f674a41461ef5a7d3431cd7

C:\Users\Admin\AppData\Local\Temp\ufjug.exe

MD5 108f93fa49f84a905537fdef7feda391
SHA1 514fb2959041a4e6b5fa1126cb15c95d1baebf18
SHA256 1c041ee300fa38a82b2d0d5f56edb59fdb5030962d9278aab694bb57022a8568
SHA512 2c477a5ba6a17b2da4489c486929788577e45eaefe654b5d86bf5a6abf2fffd3471b12300ad804ca745cb82237343e9eaaa2b6743b4280cf37b8f0de484fab57

memory/2788-21-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2788-20-0x0000000002570000-0x00000000025D5000-memory.dmp

memory/2788-19-0x0000000002570000-0x00000000025D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 fd67fb78384428eec4d236b880c0f3a8
SHA1 5a74d0b7a168b3eedab411794575ace60f5b3543
SHA256 e5c7f3db8b50eb03e97c1cd7a66028a2a15c5b4c7f6a4dd0c1d0c35236ff3492
SHA512 d9bd4c7c693f9caa57771e99c9df568ab15cfb3b5234ba16ae6af8920782444395646e02c027b8aae2bec26b0259acb4c766d35c8ebb4fa90840f3a85730f3f9

memory/2920-24-0x0000000000400000-0x0000000000465000-memory.dmp

\Users\Admin\AppData\Local\Temp\foecn.exe

MD5 1b2b6a08c356ffd1f95141cf00349f89
SHA1 ff22193e53493dba47169cf7530312a4d4ff89ed
SHA256 281ab5ccd101d8b9053e0cbb3f794e78a37fd863996f31d1bb2254502b8e2a5c
SHA512 fa4b78ec993131fd67e5ee41b1c34daf400c1761712f0497fcc1cf09c62723b9301bc3bb9937304164cf64ff7b5603f065bb321256848bfbb90410663b880553

memory/2920-32-0x0000000000400000-0x0000000000465000-memory.dmp

memory/352-33-0x0000000000F70000-0x0000000001004000-memory.dmp

memory/2920-30-0x0000000003380000-0x0000000003414000-memory.dmp

memory/352-35-0x0000000000F70000-0x0000000001004000-memory.dmp

memory/352-36-0x0000000000F70000-0x0000000001004000-memory.dmp

memory/352-34-0x0000000000F70000-0x0000000001004000-memory.dmp

memory/352-38-0x0000000000F70000-0x0000000001004000-memory.dmp

memory/352-39-0x0000000000F70000-0x0000000001004000-memory.dmp

memory/352-40-0x0000000000F70000-0x0000000001004000-memory.dmp

memory/352-41-0x0000000000F70000-0x0000000001004000-memory.dmp

memory/352-42-0x0000000000F70000-0x0000000001004000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-13 15:41

Reported

2024-10-13 15:44

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cygeb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cygeb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\umukb.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cygeb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\umukb.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\umukb.exe N/A 64

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 4440 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe C:\Users\Admin\AppData\Local\Temp\cygeb.exe 3
PID 4440 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3436 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\cygeb.exe C:\Users\Admin\AppData\Local\Temp\umukb.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe

"C:\Users\Admin\AppData\Local\Temp\9abf4aee9f7da279b8dab80eaad1c96948fbfe9747442555af4e9ad0d2d1288aN.exe"

C:\Users\Admin\AppData\Local\Temp\cygeb.exe

"C:\Users\Admin\AppData\Local\Temp\cygeb.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\umukb.exe

"C:\Users\Admin\AppData\Local\Temp\umukb.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
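The Windows 10 run mixes the sample's traffic with reverse-DNS (PTR) queries to 8.8.8.8 for addresses that appear nowhere among the sample's connections; the four TCP endpoints on ports 11110 and 11170 are reached directly by IP in both runs with no name resolution. The following added example (ours, not the sandbox's; the rows are copied from both Network tables on this page, the classification rules are an assumption) separates the two, deduplicates the endpoints across runs, and checks that none of the PTR lookups is for a C2 address, which is the test that tells you to treat them as background OS noise rather than sample indicators.

```python
"""Split the Network rows from both detonations into the sample's own
direct-to-IP connections and DNS background noise, and check that the
reverse (PTR) lookups are not for the C2 addresses.

Added example; the rows below are copied from the two Network tables on this
page, the classification rules are ours, not the sandbox's."""
import ipaddress
import re
from collections import defaultdict

NETWORK_ROWS = """
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
"""

# "Country Destination [Domain] Proto", as laid out in the report's table
ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")


def parse_network(text: str) -> list:
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def reverse_ptr(name: str):
    """'140.32.126.40.in-addr.arpa' -> '40.126.32.140'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name or not name.lower().endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return str(ipaddress.ip_address(".".join(reversed(labels))))
    except ValueError:
        return None


def classify(row: dict) -> str:
    """'ptr_lookup' for reverse-DNS noise, 'direct_ip' for TCP connections made
    with no name attached (no resolution was recorded), 'other' otherwise."""
    if row["proto"] == "udp" and row["port"] == 53 and reverse_ptr(row["domain"]):
        return "ptr_lookup"
    if row["proto"] == "tcp" and row["domain"] is None:
        return "direct_ip"
    return "other"


def summarize(rows: list) -> dict:
    """Deduplicated C2 endpoints, the addresses the PTR queries asked about,
    and the overlap between the two (empty means the lookups are unrelated)."""
    groups = defaultdict(set)
    for r in rows:
        kind = classify(r)
        if kind == "ptr_lookup":
            groups["ptr_targets"].add(reverse_ptr(r["domain"]))
        elif kind == "direct_ip":
            groups["c2"].add((ipaddress.ip_address(r["ip"]), r["port"]))
        else:
            groups["other"].add(f"{r['ip']}:{r['port']}")
    c2 = sorted(groups["c2"])
    c2_ips = {str(ip) for ip, _ in c2}
    return {
        "c2": [f"{ip}:{port}" for ip, port in c2],
        "c2_ports": sorted({port for _, port in c2}),
        "ptr_targets": sorted(groups["ptr_targets"], key=ipaddress.ip_address),
        "overlap": sorted(c2_ips & groups["ptr_targets"]),
        "other": sorted(groups["other"]),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_network(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

For network detection the non-standard destination ports (11110, 11170) combined with a direct-to-IP connection from a process running out of %TEMP% is a sturdier anchor than the four addresses themselves, which can be rotated without touching the sample.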

Files

memory/4440-0-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cygeb.exe

MD5 95729ea0e069ba75c9faa229cf172b52
SHA1 cbccaa68e453b642b93abbb0c38b45d923219478
SHA256 d3bf41398857f63b794a2924ca19722d40c1d371b539fbc107d09f2530461eee
SHA512 6d69083ea98127db139ecc4d4602d089b398fc1c8d9b2ce2f57d09f53a1d0f8de560ff4060b7ac6e5c2c1140b8d9ceca77144763ea8bfa5ff4751c26e84d59b6

memory/3436-11-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4440-14-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 7b005e68ba608bed0f82bca950281e7f
SHA1 d8aa71bb2248e59685668514c773d382d9c711bd
SHA256 63c7dc1e1a47cd86a2b29d1b1ffed7c12aeeb85c4c994ac5088456b335188a6c
SHA512 c0b6a6d0d5e11d44545f446588261480d8b76db73177c35b1cd335de60342a02133c990a35ccfd042fae9e4adeba3a969ba7b48f2f674a41461ef5a7d3431cd7

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 c5ab2e02955a356cdd2a4240daac5f1e
SHA1 ce0a97d642c790866e67e6337f1628718c943982
SHA256 63ed0e95e0ffa902edc470ce39c13d38bb577aef3570c36bbec99ad0014a3391
SHA512 745572098bcac4b50dc9ad2078f6e3e7b387d9d38aca72339a82c7e983f5657c14ad0c9fd4be48a76e4e7b72cdc13ce2a1e329daf1d5237dc505040b71a29e42

memory/3436-17-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\umukb.exe

MD5 48aaefa00d62dbefa7cea941de6875a6
SHA1 126c15b4b946239e1d279b92458df54d138bc464
SHA256 ff98b6aeeb2271d98979b9ea0c5b09ee5440a4e6ddabc0dfb706f4989bbcbf5f
SHA512 cec380518cb3b559db0f0f7e35aeace83eb4552492757aa023d83f1ce33e3ee4b039ecec3ad353a488266fae1c400e4661fa699ec5f3114a4c08063b1722dd31

memory/4584-27-0x0000000000BD0000-0x0000000000C64000-memory.dmp

memory/3436-26-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4584-30-0x0000000000BD0000-0x0000000000C64000-memory.dmp

memory/4584-29-0x0000000000BD0000-0x0000000000C64000-memory.dmp

memory/4584-28-0x0000000000BD0000-0x0000000000C64000-memory.dmp

memory/4584-32-0x0000000000BD0000-0x0000000000C64000-memory.dmp

memory/4584-33-0x0000000000BD0000-0x0000000000C64000-memory.dmp

memory/4584-34-0x0000000000BD0000-0x0000000000C64000-memory.dmp

memory/4584-35-0x0000000000BD0000-0x0000000000C64000-memory.dmp

memory/4584-36-0x0000000000BD0000-0x0000000000C64000-memory.dmp