Malware Analysis Report

2025-08-11 00:31

Sample ID 240310-2a2s3sdc9y
Target 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a
SHA256 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a
Tags urelas trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a

Threat Level: Known bad

The file 79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-03-10 22:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-03-10 22:23
Reported 2024-03-10 22:26
Platform win7-20240221-en
Max time kernel 155s
Max time network 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nygei.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\quzip.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Users\Admin\AppData\Local\Temp\nygei.exe
PID 2228 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Users\Admin\AppData\Local\Temp\nygei.exe
PID 2228 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Users\Admin\AppData\Local\Temp\nygei.exe
PID 2228 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Users\Admin\AppData\Local\Temp\nygei.exe
PID 2228 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Windows\SysWOW64\cmd.exe
PID 2228 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Windows\SysWOW64\cmd.exe
PID 2288 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\nygei.exe C:\Users\Admin\AppData\Local\Temp\quzip.exe
PID 2288 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\nygei.exe C:\Users\Admin\AppData\Local\Temp\quzip.exe
PID 2288 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\nygei.exe C:\Users\Admin\AppData\Local\Temp\quzip.exe
PID 2288 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\nygei.exe C:\Users\Admin\AppData\Local\Temp\quzip.exe

Processes

C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe

"C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe"

C:\Users\Admin\AppData\Local\Temp\nygei.exe

"C:\Users\Admin\AppData\Local\Temp\nygei.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\quzip.exe

"C:\Users\Admin\AppData\Local\Temp\quzip.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2228-0-0x00000000001D0000-0x000000000029C000-memory.dmp

\Users\Admin\AppData\Local\Temp\nygei.exe

MD5 43d3e90a93c04d31fb52ee433b440fbf
SHA1 75f06bf883297c31f8e487246206d093b7497093
SHA256 cf2efedccaf37742f77209e3ffbd04f49cd14298246ee3c0cb660cfd711a96f1
SHA512 9f64d26db25d6137ce7516d422ffc3db3ff8de30bcbef7c54874282afa3d929751d74cc0cef333ae01b6714755320d4d6386b856bd578d9b5a4a28e1fc8857b8

memory/2228-9-0x0000000002630000-0x00000000026FC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 b578d81e6d8a659877eec06c889f404d
SHA1 0aaa73802f52d360dab41648e193e1ae018800e6
SHA256 ceee0e409d840995b1dad0b8672930433b60c91755ae2eccc384a718e3d67acb
SHA512 24d03f93441094c6e0aa72135af914b1c7492009670679c71e0d38659fbcf048ad5a995ce0c1987d333627268cba43415cd526e8d3d3b459693949b9bf12c329

memory/2228-17-0x00000000001D0000-0x000000000029C000-memory.dmp

memory/2288-18-0x0000000000A60000-0x0000000000B2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 d8820b97004f80843d137983ddd1a598
SHA1 34caaa0f9f21b6362aab17aa95c64f06a7e9870c
SHA256 d601b0ec48a7585ab76c89cabb6512817048af8795c02d7c4c52da9f6b104309
SHA512 4492f56c2fdce91b53670307193966c003167eeaf71ac56cf019c4626d43779c23405cccf9041f1dc91173695a78c15a7834d0f0082ea4302e6017c56ac65f52

memory/2288-21-0x0000000000A60000-0x0000000000B2C000-memory.dmp

\Users\Admin\AppData\Local\Temp\quzip.exe

MD5 06324984245bdd928b5b45c50aaa235e
SHA1 a0fc9c9e65624c4e6deadd773edfef5b21cb1234
SHA256 e9c7214c2cc7e5d7ca95fa670c9ddadc4043ee7f72e69b135d66bd8d838cf7f1
SHA512 4af47427e80d3a12692f74c314df585df260495ffca619402f2eb63b1fc83f7a296de041835a9a84e7e1a870882ffc003d1a198993d653719e58fe811ea2987f

memory/2288-34-0x0000000003030000-0x00000000030C0000-memory.dmp

memory/2288-36-0x0000000000A60000-0x0000000000B2C000-memory.dmp

memory/1968-38-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1968-39-0x0000000000230000-0x0000000000232000-memory.dmp

memory/1968-41-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1968-42-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1968-43-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1968-44-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1968-45-0x0000000000400000-0x0000000000490000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-10 22:23
Reported 2024-03-10 22:26
Platform win10v2004-20240226-en
Max time kernel 165s
Max time network 171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ezgux.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ezgux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ruwoe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1164 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Users\Admin\AppData\Local\Temp\ezgux.exe
PID 1164 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Users\Admin\AppData\Local\Temp\ezgux.exe
PID 1164 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Users\Admin\AppData\Local\Temp\ezgux.exe
PID 1164 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ezgux.exe C:\Users\Admin\AppData\Local\Temp\ruwoe.exe
PID 2156 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ezgux.exe C:\Users\Admin\AppData\Local\Temp\ruwoe.exe
PID 2156 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ezgux.exe C:\Users\Admin\AppData\Local\Temp\ruwoe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe

"C:\Users\Admin\AppData\Local\Temp\79f4333415a77820c9d6790233212db30f5cc309430c4c420fe165cfedf38a9a.exe"

C:\Users\Admin\AppData\Local\Temp\ezgux.exe

"C:\Users\Admin\AppData\Local\Temp\ezgux.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\ruwoe.exe

"C:\Users\Admin\AppData\Local\Temp\ruwoe.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp

Files

memory/1164-0-0x0000000000090000-0x000000000015C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ezgux.exe

MD5 eccc7864bf3ca12987dd3723925b2017
SHA1 8877b0d99a4652c746b0568d7a41acb297d04f16
SHA256 e9b4dbe232e520b3a5848e051c1841bd6a182a3baac81943f0a0555783a2d8ea
SHA512 a5beaef1c0ebbddb43d50862dbfc9c91cf06b9784c6b9cfa62df1970d02b38fb345db7c82fc7582554f6ad237731ea5b525492b416c3f0c0fe72e8d39f9c4aa6

memory/1164-14-0x0000000000090000-0x000000000015C000-memory.dmp

memory/2156-13-0x0000000000200000-0x00000000002CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 b578d81e6d8a659877eec06c889f404d
SHA1 0aaa73802f52d360dab41648e193e1ae018800e6
SHA256 ceee0e409d840995b1dad0b8672930433b60c91755ae2eccc384a718e3d67acb
SHA512 24d03f93441094c6e0aa72135af914b1c7492009670679c71e0d38659fbcf048ad5a995ce0c1987d333627268cba43415cd526e8d3d3b459693949b9bf12c329

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 35543edf7f2cdc358b57b97d1e84c109
SHA1 3566c31d2958540fb8bffdc2b636413617c2effa
SHA256 485fbfa83e26780f64a270aadf8b677f09f9d3f03198a30a31dc23851faaf74e
SHA512 018c7df44fabc30e3da6cd0e1fce6c02bf945705fe5b21f92c4cf2e81243196af96eaa577072383b48b2db500117a80dec82e1b440432a300c13566febe82eb7

memory/2156-17-0x0000000000200000-0x00000000002CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ruwoe.exe

MD5 1fd1ef41e89a0138d87ffaafc676f785
SHA1 75856eb0a7adde21667133d74357ef6a6f20fc5f
SHA256 04e35c01977d3aab40b720ed96c5472f8546e8f2c7c01d90954854a92a25b102
SHA512 b1a63f9a14782d225a68a8358ec3eda824751c3cadfdea15575e8f130514ae2dcdbad429278fd1609e7cc6b003cf8da4b5817b50a6ab3bc1adf2b4b9c9607e92

memory/4556-35-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2156-33-0x0000000000200000-0x00000000002CC000-memory.dmp

memory/4556-36-0x0000000000570000-0x0000000000572000-memory.dmp

memory/4556-38-0x0000000000400000-0x0000000000490000-memory.dmp

memory/4556-39-0x0000000000400000-0x0000000000490000-memory.dmp

memory/4556-40-0x0000000000400000-0x0000000000490000-memory.dmp

memory/4556-41-0x0000000000400000-0x0000000000490000-memory.dmp

memory/4556-42-0x0000000000400000-0x0000000000490000-memory.dmp