Malware Analysis Report

2025-08-11 00:31

Sample ID 240311-bs2b6aha4s
Target bf7a5db5b56489321d405dccc39b0f58
SHA256 2360ff4b08c781ca8bad30e528d943ad791611cc26a9df276043423b0566ad5e
Tags urelas trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

2360ff4b08c781ca8bad30e528d943ad791611cc26a9df276043423b0566ad5e

Threat Level: Known bad

The file bf7a5db5b56489321d405dccc39b0f58 was found to be: Known bad.

Malicious Activity Summary

urelas trojan upx

Urelas

Urelas family

Loads dropped DLL

UPX packed file

Checks computer location settings

Deletes itself

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 01:25

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
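The two static1 verdicts above, "UPX packed file" and "Unsigned PE", can be reproduced from the PE headers alone. What follows is an added example, not part of the report and not the sandbox's own signature logic: a minimal PE32 header parser that flags UPX section names, the layout UPX leaves behind even when the sections are renamed (an empty first section that the stub fills at run time, next to a near-8-bits-per-byte compressed section), and an empty Authenticode data directory, which is what "unsigned" means at the file level. The section-name set, the 7.0 bits/byte threshold and the constructed test image are the example's own assumptions.

```python
import math
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".UPX0", b".UPX1"}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Read the COFF header, the section table and the Authenticode data directory of a PE image."""
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY,
    # the Authenticode certificate table. Size 0 means the file carries no signature at all.
    dir_base = opt + (96 if magic == 0x10B else 112)
    _, security_size = struct.unpack_from("<II", blob, dir_base + 4 * 8)
    sections = []
    table = opt + opt_size
    for i in range(n_sections):
        off = table + 40 * i
        name = struct.unpack_from("<8s", blob, off)[0].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return {"sections": sections, "security_size": security_size}


def triage(blob: bytes) -> dict:
    """Reproduce the 'UPX packed file' and 'Unsigned PE' verdicts from the headers alone."""
    info = parse_pe(blob)
    names = {s["name"] for s in info["sections"]}
    upx_names = bool(names & UPX_SECTION_NAMES)
    # UPX's first section has no raw data: the stub decompresses the original image into it at run time.
    first_empty = bool(info["sections"]) and info["sections"][0]["raw_size"] == 0
    high_entropy = any(s["raw_size"] >= 256 and s["entropy"] >= HIGH_ENTROPY for s in info["sections"])
    return {
        "upx_packed": upx_names or (first_empty and high_entropy),
        "upx_section_names": upx_names,
        "high_entropy_section": high_entropy,
        "unsigned": info["security_size"] == 0,
        "sections": [s["name"].decode("ascii", "replace") for s in info["sections"]],
    }


def build_sample_pe(section_names, payload: bytes, first_empty=True, signed=False) -> bytes:
    """Construct a minimal, non-runnable PE32 image (test input only; not a real sample)."""
    opt_size, e_lfanew = 224, 0x40
    n = len(section_names)
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 * n + 0x1FF) & ~0x1FF  # first raw data, 512-aligned
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    table, ptr = bytearray(), raw_ptr
    for i, name in enumerate(section_names):
        size = 0 if (i == 0 and first_empty) else len(payload)
        table += struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), size,
                             ptr if size else 0, 0, 0, 0, 0, 0xE0000040)
        ptr += size
    if signed:  # point the certificate table at a fake attribute certificate placed after the sections
        struct.pack_into("<II", opt, 96 + 4 * 8, ptr, 0x100)
    blob = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    blob += b"\0" * (raw_ptr - len(blob))
    body = payload * sum(1 for i in range(n) if not (i == 0 and first_empty))
    return blob + body + (b"\0" * 0x100 if signed else b"")


if __name__ == "__main__":
    packed = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], bytes(range(256)) * 16)
    print(triage(packed))
```

Run it against the real file by replacing the constructed image with `open(path, "rb").read()`. Section names are the weakest of the three signals, since a packer can rename them; the empty-first-section plus high-entropy layout survives renaming, and an empty certificate table is a hard fact about the file, not a heuristic.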

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 01:25

Reported

2024-03-11 01:27

Platform

win7-20231129-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bekii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\teqyi.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bekii.exe N/A

UPX packed file

upx
8 matches; the sandbox recorded no description, indicator, process or target for any of them

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\teqyi.exe N/A (54 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2548 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe C:\Users\Admin\AppData\Local\Temp\bekii.exe 4
PID 2548 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2976 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\bekii.exe C:\Users\Admin\AppData\Local\Temp\teqyi.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe

"C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe"

C:\Users\Admin\AppData\Local\Temp\bekii.exe

"C:\Users\Admin\AppData\Local\Temp\bekii.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "

C:\Users\Admin\AppData\Local\Temp\teqyi.exe

"C:\Users\Admin\AppData\Local\Temp\teqyi.exe"
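The behavioral1 process list and the WriteProcessMemory table describe one chain: the sample writes into and launches bekii.exe, bekii.exe launches teqyi.exe, and cmd.exe runs _sannuy.bat out of %TEMP%, which is the step behind the "Deletes itself" signature. The detection below is an added example, not the sandbox's own rule set. Its events are constructed from the report's PIDs, image paths and command lines (the sample's own parent PID is not in the report, so it is set to 0), and the Sysmon-style field names are the example's assumption.

```python
import re
from collections import Counter

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
BAT_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.bat)"?', re.IGNORECASE)

# Constructed process-creation events (Sysmon Event ID 1 shape) mirroring the behavioral1
# process list. The dropper's own parent is not in the report, so its ppid is 0.
PROCESS_EVENTS = [
    {"pid": 2548, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe"'},
    {"pid": 2976, "ppid": 2548, "image": r"C:\Users\Admin\AppData\Local\Temp\bekii.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\bekii.exe"'},
    {"pid": 2560, "ppid": 2548, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "'},
    {"pid": 2736, "ppid": 2976, "image": r"C:\Users\Admin\AppData\Local\Temp\teqyi.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\teqyi.exe"'},
]
# Constructed cross-process write events as (source pid, target pid), one per row of the
# report's "Suspicious use of WriteProcessMemory" table.
WRITE_EVENTS = [(2548, 2976)] * 4 + [(2548, 2560)] * 4 + [(2976, 2736)] * 4


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def lineage(index, pid):
    """Image basenames from the oldest known ancestor down to pid."""
    chain = []
    while pid in index:
        chain.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return chain[::-1]


def detect(events, writes):
    index = index_by_pid(events)
    findings = []
    for e in events:
        parent = index.get(e["ppid"])
        # Executes dropped EXE: a %TEMP% binary started by another %TEMP% binary.
        if parent and TEMP_RE.search(e["image"]) and TEMP_RE.search(parent["image"]):
            findings.append({"rule": "dropped_exe_from_temp_parent", "pid": e["pid"],
                             "detail": " -> ".join(lineage(index, e["pid"]))})
        # cmd.exe running a .bat out of %TEMP%: the usual vehicle for a dropper's self-delete.
        if basename(e["image"]).lower() == "cmd.exe":
            m = BAT_RE.search(e["cmdline"])
            if m and TEMP_RE.search(m.group(1)):
                findings.append({"rule": "cmd_bat_from_temp", "pid": e["pid"], "detail": m.group(1)})
    # A parent writing into a child it spawned itself is consistent with handing code to the new
    # process. Some legitimate launchers do this too, so treat it as corroboration, not proof.
    for (src, dst), count in Counter(writes).items():
        if dst in index and index[dst]["ppid"] == src:
            findings.append({"rule": "write_into_child", "pid": dst,
                             "detail": f"{basename(index[src]['image'])} -> {basename(index[dst]['image'])} x{count}"})
    return findings


if __name__ == "__main__":
    for f in detect(PROCESS_EVENTS, WRITE_EVENTS):
        print(f"{f['rule']:30} pid={f['pid']:<5} {f['detail']}")
```

The three rules are deliberately independent: in a live environment the first two fire from process-creation telemetry that every EDR has, while the third needs cross-process access events. Correlating them on the same lineage is what turns "a binary ran from Temp" into the dropper chain the report shows.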

Network

Country Destination Domain Proto
KR 218.54.31.226:11120 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.30.235:11120 tcp
JP 133.242.129.155:11120 tcp

Files

memory/2548-0-0x0000000000A30000-0x0000000000AAC000-memory.dmp

\Users\Admin\AppData\Local\Temp\bekii.exe

MD5 72bdd977088251f8edf5387ba8235ed3
SHA1 fd7ddd74f7128a227122e995f0e000c6c9807461
SHA256 72b2fa4a3478f49f84cef51e65a98f91a42dce89780dc68df791a8698dbb944f
SHA512 4bb26c3c4fa2989508d47e678851d2f6e161f5e091d8f2b44f85e35d56b62cf4d3b0be9026565cc84e94ce990b14659a6dc139b3edf4b32247dca604bd93addc

memory/2548-8-0x0000000002DF0000-0x0000000002E6C000-memory.dmp

memory/2976-18-0x0000000000AE0000-0x0000000000B5C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

MD5 1e0d50a82fc10397abbb7ec39a3b9f44
SHA1 16253bb940e51d513f8b6605bfb58c1f10bc8e9a
SHA256 e8ca7f9eafcf0ac65bc881697efb9310becf7f810c0589d9baf5c798b088ce9e
SHA512 980aca66c367ca6e227c28a3e95cd06f3c91a1f237cdff37f0909af2f4bb3a3e74dac72420c4947e1a3c4c383d79d8ba132161510406216b6a1967afc1db8088

memory/2548-17-0x0000000000A30000-0x0000000000AAC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 da1f514f060eafa56c086982b4caeb98
SHA1 fcacce7545fd1198496dad498d8a613d4e30b7d0
SHA256 d92c7974b6ce6d3426a7a8b5b5baff885ab9e94f8b6e494abe1a3821fadb6c03
SHA512 4678df3b43fff60f2f23ef385036ee3b3d557aefba120f543a7e0fe7cad58984f8c3e34cce45adf0159834bc53a2e5f5d10d76ce318e10dd284efd94f4041b35

memory/2976-27-0x0000000000AE0000-0x0000000000B5C000-memory.dmp

memory/2736-28-0x0000000000400000-0x000000000049F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\teqyi.exe

MD5 f6198fd5546226b2d9010ed9ca67ae1f
SHA1 68fd4133035a2e06c9663f3edc306b0b53be16bb
SHA256 853347edf57123ea2bf27589e581c6ee37bb4785d350a8d770fa19b7a0eeb042
SHA512 bc70424d1de11e38f904a634d1efb0782819b461cb067e8ba244ab50ea482dfecf3920fa7effd960469558e85331e743bdb90569fded1e31ac4c59cf52ec595c

\Users\Admin\AppData\Local\Temp\teqyi.exe

MD5 19f3cb8899a6f01da4b9ead509b758b3
SHA1 011eb917e7b98db1c008436ac3f45002005c01d6
SHA256 c6c06f215b48b9406481ff073ab4fdacaf95b477b50437f611c01c9edd6ee3b9
SHA512 f55adfe6337ac24f3772c9768522333e31ccbe4f87e57afa012e04643f6434172eeb4a6fbdc2a3745108d2cd849d6b24abad44ac746601765c3e09296a2b9a1e

memory/2736-30-0x0000000000400000-0x000000000049F000-memory.dmp

memory/2736-31-0x0000000000400000-0x000000000049F000-memory.dmp

memory/2736-32-0x0000000000400000-0x000000000049F000-memory.dmp

memory/2736-33-0x0000000000400000-0x000000000049F000-memory.dmp

memory/2736-34-0x0000000000400000-0x000000000049F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 01:25

Reported

2024-03-11 01:27

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\juafk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\juafk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\devel.exe N/A

UPX packed file

upx
7 matches; the sandbox recorded no description, indicator, process or target for any of them

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\devel.exe N/A (64 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe

"C:\Users\Admin\AppData\Local\Temp\bf7a5db5b56489321d405dccc39b0f58.exe"

C:\Users\Admin\AppData\Local\Temp\juafk.exe

"C:\Users\Admin\AppData\Local\Temp\juafk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "

C:\Users\Admin\AppData\Local\Temp\devel.exe

"C:\Users\Admin\AppData\Local\Temp\devel.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 20.231.121.79:80 tcp
KR 218.54.31.226:11120 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
KR 218.54.30.235:11120 tcp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
JP 133.242.129.155:11120 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 connections)
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
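The Network tables of behavioral1 and behavioral2 share four raw TCP destinations in KR and JP on ports 11120 and 11170, reached without any preceding name lookup. The Windows 10 run adds reverse-DNS lookups through 8.8.8.8 and connections to tse1.mm.bing.net, which on this evidence look like operating-system background traffic rather than sample activity; that is an assumption to confirm against a clean detonation on the same image. The script below is an added example, not part of the report: it parses constructed connection records laid out like the table, separates that noise from C2 candidates, clusters candidates by shared listener port, and emits Suricata rules for them. The background-host list and the rule SIDs are assumptions.

```python
import re
from collections import defaultdict

# Constructed connection log, one line per row of the report's Network tables
# (proto, destination, and the observed domain or "-" when there was none).
SAMPLE_CONNECTIONS = """\
tcp 218.54.31.226:11120 -
tcp 1.234.83.146:11170 -
tcp 218.54.30.235:11120 -
tcp 133.242.129.155:11120 -
udp 8.8.8.8:53 20.160.190.20.in-addr.arpa
udp 8.8.8.8:53 149.220.183.52.in-addr.arpa
tcp 20.231.121.79:80 -
udp 8.8.8.8:53 tse1.mm.bing.net
tcp 204.79.197.200:443 tse1.mm.bing.net
tcp 204.79.197.200:443 tse1.mm.bing.net
"""

# Assumed: hosts the sandbox OS contacts on its own; extend from a baseline of a clean detonation.
BACKGROUND_HOSTS = {"tse1.mm.bing.net"}
WEB_PORTS = {80, 443}
LINE_RE = re.compile(r"^(tcp|udp)\s+([\d.]+):(\d+)\s+(\S+)$")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, ip, port, domain = m.groups()
        rows.append({"proto": proto, "ip": ip, "port": int(port), "domain": None if domain == "-" else domain})
    return rows


def classify(row):
    d = row["domain"] or ""
    if row["proto"] == "udp" and row["port"] == 53 and d.endswith(".in-addr.arpa"):
        return "ptr_noise"  # reverse lookups of addresses the OS itself contacted
    if d in BACKGROUND_HOSTS:
        return "background"
    if row["proto"] == "tcp" and row["port"] not in WEB_PORTS:
        return "c2_candidate"  # raw TCP to a non-web port with no name resolution in front of it
    return "review"  # web-port traffic without a domain: attribute it before blocking


def iocs(rows):
    return sorted({(r["ip"], r["port"]) for r in rows if classify(r) == "c2_candidate"})


def port_clusters(rows, min_hosts=2):
    """Ports shared by several C2 candidates: one listener port across hosts is a stronger
    indicator than any single address, which will rotate."""
    by_port = defaultdict(set)
    for ip, port in iocs(rows):
        by_port[port].add(ip)
    return {p: ips for p, ips in by_port.items() if len(ips) >= min_hosts}


def suricata_rules(rows, base_sid=9000001):
    rules = []
    for n, (ip, port) in enumerate(iocs(rows)):
        rules.append(f'alert tcp $HOME_NET any -> {ip} {port} (msg:"Urelas C2 candidate {ip}:{port}"; '
                     f'flow:to_server; sid:{base_sid + n}; rev:1;)')
    return rules


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CONNECTIONS)
    for r in rows:
        print(f"{classify(r):13} {r['proto']} {r['ip']}:{r['port']} {r['domain'] or '-'}")
    print(port_clusters(rows))
    print("\n".join(suricata_rules(rows)))
```

The 20.231.121.79:80 row deliberately lands in "review" rather than on the block list: port-80 traffic with no resolved name is common for update and CDN fetches, and the report gives nothing to attribute it either way. The port cluster is the most durable artefact here: three different hosts answering on 11120 says more about the infrastructure than any one address.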

Files

memory/2576-0-0x00000000002B0000-0x000000000032C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\juafk.exe

MD5 899ec373e977e110441f1bb378e34215
SHA1 be504b3ca7ec4419275930a752a0007d59a49032
SHA256 45033c2e39a999b6b8bc3a516ed62327c6a6e6058267ced8c77acacf38918484
SHA512 69803b4ee6276ad84d60eb604bab95a0d1a2df781cb309b0ba855103361fa538804c659dd7a7e86df28285dd830c890bb44e291dd14e9495a2d6882c3e27a45c

memory/2576-14-0x00000000002B0000-0x000000000032C000-memory.dmp

memory/3112-12-0x0000000000140000-0x00000000001BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

MD5 1e0d50a82fc10397abbb7ec39a3b9f44
SHA1 16253bb940e51d513f8b6605bfb58c1f10bc8e9a
SHA256 e8ca7f9eafcf0ac65bc881697efb9310becf7f810c0589d9baf5c798b088ce9e
SHA512 980aca66c367ca6e227c28a3e95cd06f3c91a1f237cdff37f0909af2f4bb3a3e74dac72420c4947e1a3c4c383d79d8ba132161510406216b6a1967afc1db8088

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 50b0d9db19bf0013425997997232524a
SHA1 6eef77052529f31179724f7696a5fb61e5713dcc
SHA256 b4650df961e91e1e72d155ec53606658f2cc60e304f94f7df762113c9c369a71
SHA512 9551a52a636dcad29943ddc81704a62bfd989ec0bcc5149a1eec06c070e377eab5398e9b6fdbb2c722aee168099d75f3dbf17ebefb1e00e46a86ec365f445600

C:\Users\Admin\AppData\Local\Temp\devel.exe

MD5 b457a05034a9f75de5f24b75ea42c882
SHA1 2e9c3efbd76c41c8d505a3ecea5244916771245b
SHA256 cf1f8c0aab715fa116212d211de27193c79d17e811e4379d01a9d6195394d589
SHA512 9709cb923e4c631f41b908cee8c3fd74c66a47439a22c220287cf095f14b6136c6cc6c991434a6a14f497f72c491c61cf5a7c25185829d97a6f584cecffc0670

memory/3112-25-0x0000000000140000-0x00000000001BC000-memory.dmp

memory/4336-26-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4336-28-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4336-29-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4336-30-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4336-31-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4336-32-0x0000000000400000-0x000000000049F000-memory.dmp