Malware Analysis Report

2025-08-11 00:31

Sample ID 240310-19k4yadc71
Target 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8
SHA256 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8
Tags
urelas trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8

Threat Level: Known bad

The file 7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Deletes itself

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-10 22:20

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-10 22:20

Reported

2024-03-10 22:23

Platform

win7-20240221-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\duodt.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zuzem.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2196 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Users\Admin\AppData\Local\Temp\duodt.exe
PID 2196 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Users\Admin\AppData\Local\Temp\duodt.exe
PID 2196 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Users\Admin\AppData\Local\Temp\duodt.exe
PID 2196 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Users\Admin\AppData\Local\Temp\duodt.exe
PID 2196 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\duodt.exe | C:\Users\Admin\AppData\Local\Temp\zuzem.exe
PID 2508 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\duodt.exe | C:\Users\Admin\AppData\Local\Temp\zuzem.exe
PID 2508 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\duodt.exe | C:\Users\Admin\AppData\Local\Temp\zuzem.exe
PID 2508 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\duodt.exe | C:\Users\Admin\AppData\Local\Temp\zuzem.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe

"C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe"

C:\Users\Admin\AppData\Local\Temp\duodt.exe

"C:\Users\Admin\AppData\Local\Temp\duodt.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\zuzem.exe

"C:\Users\Admin\AppData\Local\Temp\zuzem.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11110 | - | tcp
KR | 1.234.83.146:11170 | - | tcp
KR | 218.54.31.165:11110 | - | tcp
JP | 133.242.129.155:11110 | - | tcp

Files

memory/2196-0-0x00000000003E0000-0x000000000044C000-memory.dmp

\Users\Admin\AppData\Local\Temp\duodt.exe

MD5 72c768068f99bdf8e842fef6a69d6177
SHA1 86a5236161a29739a22f0a9e1235704d012b7d6f
SHA256 90955741a3d20bbf2855f56854bbf9214657822e9ee3ca814cdeede05c6cf0a6
SHA512 3589973f70eb65a4b07b54a0dfdb2f190c8e19a7f16606fb3d068b6cca8879f1632229dc09704ca4ee1843f2a8c9dfa259b1a5cfac290d3ae51d6dcfca843295

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 ac3bd8d778a3d9b13118e5436129ec4e
SHA1 f3f56fc870cfc346232a18e9002bb39195a8d205
SHA256 86e389c79054b75bd858cd6af1d29986b4f1c16ddad6115530e661c25ba75ec2
SHA512 145e3d20fd17e56f7e079339df760d76b163c2da5978c5b6967536cd998fa4fde5e53149462c4802125b7d0001532dc8f510ee552c4896d89f301a8f1a15567b

memory/2508-11-0x0000000000E20000-0x0000000000E8C000-memory.dmp

memory/2196-9-0x0000000001FA0000-0x000000000200C000-memory.dmp

memory/2196-18-0x00000000003E0000-0x000000000044C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 035ca531a4e0a839c67e7900a6af7b8e
SHA1 d6c6348ca3156fcc6cabeec771199eec95d988a7
SHA256 e48ce32dc15ef2ca696e8db23db7b0179476d58ed109131bc01ea3d8f72cb54b
SHA512 5d762e537583d29e926f07006fcc446364e4fe742fc3891c63e8fa9c7351ecd8d88412e1e510f642bff12db1f3e31f68d245abd0c1bf0049b6e5643ed478f2e7

\Users\Admin\AppData\Local\Temp\zuzem.exe

MD5 a2cbb3b7d44451e2e34255e983330839
SHA1 6c2954a0671a8b12e5afa8d55cd16952ea0635d2
SHA256 c5205c71cc8177c14caa47ee659c0133d09ce746bc9b7db06766cf90a3bfe690
SHA512 9f999f83e0248657c1d775b79942c36593a65536e453cb6bac036b093f21855d14c063add41933be369f671eca8bf7e1ad173098c1fb8fba5a10068d0c583341

memory/2508-28-0x0000000000C20000-0x0000000000CBE000-memory.dmp

memory/1668-29-0x0000000000B00000-0x0000000000B9E000-memory.dmp

memory/2508-27-0x0000000000E20000-0x0000000000E8C000-memory.dmp

memory/1668-30-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1668-32-0x0000000000B00000-0x0000000000B9E000-memory.dmp

memory/1668-33-0x0000000000B00000-0x0000000000B9E000-memory.dmp

memory/1668-34-0x0000000000B00000-0x0000000000B9E000-memory.dmp

memory/1668-35-0x0000000000B00000-0x0000000000B9E000-memory.dmp

memory/1668-36-0x0000000000B00000-0x0000000000B9E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-10 22:20

Reported

2024-03-10 22:23

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\migyk.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\migyk.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uzpou.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4200 wrote to memory of 4920 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Users\Admin\AppData\Local\Temp\migyk.exe
PID 4200 wrote to memory of 4920 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Users\Admin\AppData\Local\Temp\migyk.exe
PID 4200 wrote to memory of 4920 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Users\Admin\AppData\Local\Temp\migyk.exe
PID 4200 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Windows\SysWOW64\cmd.exe
PID 4200 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Windows\SysWOW64\cmd.exe
PID 4200 wrote to memory of 1648 | N/A | C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe | C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\migyk.exe | C:\Users\Admin\AppData\Local\Temp\uzpou.exe
PID 4920 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\migyk.exe | C:\Users\Admin\AppData\Local\Temp\uzpou.exe
PID 4920 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\migyk.exe | C:\Users\Admin\AppData\Local\Temp\uzpou.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe

"C:\Users\Admin\AppData\Local\Temp\7876db46d954e177be9d1820c6e9563f8af3fe6a588875f3c6652b90ae5c08a8.exe"

C:\Users\Admin\AppData\Local\Temp\migyk.exe

"C:\Users\Admin\AppData\Local\Temp\migyk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\uzpou.exe

"C:\Users\Admin\AppData\Local\Temp\uzpou.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
KR | 218.54.31.226:11110 | - | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
KR | 1.234.83.146:11170 | - | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
KR | 218.54.31.165:11110 | - | tcp
JP | 133.242.129.155:11110 | - | tcp
US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp

Files

memory/4200-0-0x00000000003B0000-0x000000000041C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\migyk.exe

MD5 c5c46065eec6bd7cad585a2c4022b7e7
SHA1 3b994d212946c400aa03744ae1fef58e3d121a40
SHA256 bb2ee2febe6cbd3c037e01bfab4b191f61653d42d45dcb5ca57a281cd9bc7b47
SHA512 3a6485d87b5c1985d390789951854e4fc7de4813aed0f1eda393219e86b5a926edc2b6a10184ec2df1f5f640cded49aa1d8ac762a04da8b2ef0765e4ccf4a191

memory/4920-12-0x00000000004D0000-0x000000000053C000-memory.dmp

memory/4200-14-0x00000000003B0000-0x000000000041C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 ac3bd8d778a3d9b13118e5436129ec4e
SHA1 f3f56fc870cfc346232a18e9002bb39195a8d205
SHA256 86e389c79054b75bd858cd6af1d29986b4f1c16ddad6115530e661c25ba75ec2
SHA512 145e3d20fd17e56f7e079339df760d76b163c2da5978c5b6967536cd998fa4fde5e53149462c4802125b7d0001532dc8f510ee552c4896d89f301a8f1a15567b

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 9acf2ce558deb780030ee92771bd4524
SHA1 b2072cc6d80944fe84318ab6158f46b8dc9cfdfc
SHA256 e5fff7cd0376001ddfc83d5591af57e9ed93f044a146c2265d3bbf46d2156005
SHA512 327e0c61d2d5aef2c2f35adecffdb575c7a87f7f695a3d017ad09d1600e93500874a9fac67e376e56f848514624075e992aeb4b572bcc962730e30adafbf7f19

C:\Users\Admin\AppData\Local\Temp\uzpou.exe

MD5 849ea3fd5a01bae37e2350b8187fe89a
SHA1 efb90a15b393b770acf2428a71d4a77e51b81934
SHA256 07cbb54aab2d9af99d9da07b8073ce513eb4165219736ba07b2c0b36233de309
SHA512 a226721d345eafe0d0446a8753c7e1958662ae67e749fd3306d84958f40d8720843e0869c5715ec722909d7708d80a73ff9906c5c0d375095c8a3b59ce71dfbc

memory/4920-25-0x00000000004D0000-0x000000000053C000-memory.dmp

memory/2392-27-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

memory/2392-26-0x00000000006B0000-0x000000000074E000-memory.dmp

memory/2392-29-0x00000000006B0000-0x000000000074E000-memory.dmp

memory/2392-30-0x00000000006B0000-0x000000000074E000-memory.dmp

memory/2392-31-0x00000000006B0000-0x000000000074E000-memory.dmp

memory/2392-32-0x00000000006B0000-0x000000000074E000-memory.dmp

memory/2392-33-0x00000000006B0000-0x000000000074E000-memory.dmp