Malware Analysis Report

2025-08-11 00:31

Sample ID 240311-mq1tdsab4z
Target c063c49b9aadc37b4bd6a746f157378c
SHA256 f26c344c3e1ad437eee71c72dd28160e3a99b24af0d28c75a1aeb83bb4f94718
Tags: urelas trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: f26c344c3e1ad437eee71c72dd28160e3a99b24af0d28c75a1aeb83bb4f94718

Threat Level: Known bad

The file c063c49b9aadc37b4bd6a746f157378c was found to be: Known bad.

Malicious Activity Summary

urelas trojan upx

Urelas

Urelas family

Deletes itself

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-11 10:40

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-11 10:40

Reported: 2024-03-11 10:43

Platform: win7-20240221-en

Max time kernel: 149s

Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ifqoe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wuywi.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ifqoe.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wuywi.exe N/A (54 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe C:\Users\Admin\AppData\Local\Temp\ifqoe.exe (4 identical entries)
PID 2184 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2892 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\ifqoe.exe C:\Users\Admin\AppData\Local\Temp\wuywi.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe

"C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe"

C:\Users\Admin\AppData\Local\Temp\ifqoe.exe

"C:\Users\Admin\AppData\Local\Temp\ifqoe.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "

C:\Users\Admin\AppData\Local\Temp\wuywi.exe

"C:\Users\Admin\AppData\Local\Temp\wuywi.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11120 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.30.235:11120 tcp
JP 133.242.129.155:11120 tcp

Files

memory/2184-0-0x0000000000ED0000-0x0000000000F4C000-memory.dmp

\Users\Admin\AppData\Local\Temp\ifqoe.exe

MD5 8a3a1f7e8b917b3429bdf27585d505c2
SHA1 9a6b260efae1fd22b69eb364003bae5bc7bc90b9
SHA256 7f4ee8bd2f5686d50284aca10bf7a52d322cb44fd0715f712de896aab51fcbe6
SHA512 18598c9aa68ca97c7367369b3861985cffc92aa997dd86e35300703b02870c220e189ccc82721ba7abbb80e20f3a911783d1498a385ec32806abe42c512e03bc

C:\Users\Admin\AppData\Local\Temp\ifqoe.exe

MD5 a75004df14f003d9df0c7aa9a7bfc3e8
SHA1 e2aaf88f6c826fff26982c8c0e12a5aae2809a4e
SHA256 067efe4f2629ad6aec3fad39c87961bcea3233558a3d2c723ebe1ffe7990ee24
SHA512 fcbbd0e3cc90cf72cf6c99272173ee92590ebfd848433704a238b552dd9413dc03e44b2f8f807035204ae655794e80cc871993e70d8cc9eea0c8738687102537

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

MD5 36499ebff821457861dd5ccb52113066
SHA1 a521b160afab8e1e31647148b4b7f27d176c3c1b
SHA256 21409e7d7366616b2675d50a11f206e26f71f1f36cec705da4d665b46c022790
SHA512 dda3b4e0faa469e8b93187ee6ad3edfeb8af727515341b63895c46e80ff1f358216faa1f31aae7a8898883654f70f105e46a19fc926dbb1b88ed9440a01227ea

memory/2892-17-0x0000000000300000-0x000000000037C000-memory.dmp

memory/2184-9-0x0000000000B20000-0x0000000000B9C000-memory.dmp

memory/2184-18-0x0000000000ED0000-0x0000000000F4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 01c8f4ba58785635aefc669f15079ec3
SHA1 08b85fb6f271466865c6fb9480653d4179eda396
SHA256 8d9a3423bfc2ccc1f4e85c56efec27b120395c3a2e73cd287e1a40822473b5ff
SHA512 7a04efef9ff5b845af3546c7c7d52ae51db086ac05b3b37a79e63acdfc500d2045186145a7f4b4754c2e0cda8404c51a35befe379696f12be827c20125820104

C:\Users\Admin\AppData\Local\Temp\wuywi.exe

MD5 f048734e315e4abc223a161f9f8c4cbb
SHA1 c7092715d394ecfebde70ce4b704fea70240ac62
SHA256 1476d1fe03ebefb8e8b860d10fe7a86d505e31033a0a851362c42a8a7cc30852
SHA512 052bf9bc42c8e183cfbc42b745d1f8c82ebe69fc1a30f9ae41d9677949b65e19b436a645294c35d335c0920d24de0d708b092f49c50ea421e3fcb9f70cf811ce

memory/1456-28-0x0000000000400000-0x000000000049F000-memory.dmp

memory/2892-26-0x0000000000300000-0x000000000037C000-memory.dmp

memory/1456-30-0x0000000000400000-0x000000000049F000-memory.dmp

memory/1456-31-0x0000000000400000-0x000000000049F000-memory.dmp

memory/1456-32-0x0000000000400000-0x000000000049F000-memory.dmp

memory/1456-33-0x0000000000400000-0x000000000049F000-memory.dmp

memory/1456-34-0x0000000000400000-0x000000000049F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-11 10:40

Reported: 2024-03-11 10:43

Platform: win10v2004-20240226-en

Max time kernel: 149s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nibar.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nibar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hynaa.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hynaa.exe N/A (64 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe

"C:\Users\Admin\AppData\Local\Temp\c063c49b9aadc37b4bd6a746f157378c.exe"

C:\Users\Admin\AppData\Local\Temp\nibar.exe

"C:\Users\Admin\AppData\Local\Temp\nibar.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "

C:\Users\Admin\AppData\Local\Temp\hynaa.exe

"C:\Users\Admin\AppData\Local\Temp\hynaa.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
KR 218.54.31.226:11120 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
KR 218.54.30.235:11120 tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
JP 133.242.129.155:11120 tcp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 235.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 identical entries)
US 8.8.8.8:53 170.253.116.51.in-addr.arpa udp

Files

memory/4488-0-0x0000000001000000-0x000000000107C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nibar.exe

MD5 56b7f9f93a209b0f9edd6ff270ad8c44
SHA1 f97b63ae5240b15239003c791e138750f897ac6d
SHA256 530d8bedcd4dc30bf9f8448115d39ad178cef55f9f8a2a084a4cef91d02da58f
SHA512 8f88a47ac0acc9404b21ea35327a480e76ac087f4077037d70ad813ab4ad8218f59143c00cbd911bccfafe3d22541530bfe00676b12b4ff4727749fa7eaad156

memory/2612-12-0x0000000000450000-0x00000000004CC000-memory.dmp

memory/4488-14-0x0000000001000000-0x000000000107C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

MD5 36499ebff821457861dd5ccb52113066
SHA1 a521b160afab8e1e31647148b4b7f27d176c3c1b
SHA256 21409e7d7366616b2675d50a11f206e26f71f1f36cec705da4d665b46c022790
SHA512 dda3b4e0faa469e8b93187ee6ad3edfeb8af727515341b63895c46e80ff1f358216faa1f31aae7a8898883654f70f105e46a19fc926dbb1b88ed9440a01227ea

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 794e4fbe78989c75aaf04c8bf656545d
SHA1 400647a7a8de040ff20610d34d369373e570d044
SHA256 3121ecb126b80763d20ff854b1608a174533018e2706c3c096000298dfb39589
SHA512 ae11d0b5a2881daed1ea5b9759806a2e881b5f6cf143d974333e64b264b6bb5576550551ede8e6cc78d47900dec7914de2f737bc250daf584afa7b76f96474e7

C:\Users\Admin\AppData\Local\Temp\hynaa.exe

MD5 3d95357fba8561c0cbbf14f714fc4490
SHA1 6655a2f82e6e44edc744667b547ba6b28f51a6ef
SHA256 9bf632fcfa3d0c7589b2d9e215384f521dfb7e7357efe0083e357829d4889b1f
SHA512 2d8abc51877ccfc61444412d23a3ca3073410ba2fea22094618c7c5ad43bda53ec10080d8465aae6a5dc80bfc40ec148d222cade8cc6f57a0c503d56d6213ce4

memory/2612-24-0x0000000000450000-0x00000000004CC000-memory.dmp

memory/4156-26-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4156-28-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4156-29-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4156-30-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4156-31-0x0000000000400000-0x000000000049F000-memory.dmp

memory/4156-32-0x0000000000400000-0x000000000049F000-memory.dmp