Malware Analysis Report

2025-08-05 19:40

Sample ID 240316-1gz3dsch3t
Target 8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793
SHA256 8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793
Tags
urelas trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793

Threat Level: Known bad

The file 8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793 was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Detects executables built or packed with MPress PE compressor

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-16 21:37

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-16 21:37

Reported

2024-03-16 21:40

Platform

win7-20240221-en

Max time kernel

149s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe"

Signatures

Urelas

trojan urelas

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xupon.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xyqef.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xyqef.exe N/A (53 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2464 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe C:\Users\Admin\AppData\Local\Temp\xupon.exe (4 identical rows)
PID 2464 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2348 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\xupon.exe C:\Users\Admin\AppData\Local\Temp\xyqef.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe

"C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe"

C:\Users\Admin\AppData\Local\Temp\xupon.exe

"C:\Users\Admin\AppData\Local\Temp\xupon.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\xyqef.exe

"C:\Users\Admin\AppData\Local\Temp\xyqef.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11120 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.30.235:11120 tcp
JP 133.242.129.155:11120 tcp

Files

memory/2464-0-0x0000000000400000-0x0000000000474000-memory.dmp

\Users\Admin\AppData\Local\Temp\xupon.exe

MD5 836ee57caf418ce58985cee1e87dcb5c
SHA1 8d92fe4fbe781f123c0ac3dbdfc314e052b1552f
SHA256 669d614126b56a67d9ac7ba015f2555fd52e78ae3595b6402efc67bf683f1092
SHA512 b369c9bc4ef8050577b77c0e36b3b4fae8655cb9b1e774bb2dec57fbd0b177827f9cdfd269f847b0fd51705d6a1a1dc74526c40d6701eed7b23f1e4229415c7c

memory/2348-9-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 2ed49363141b3a651ae2f19a7ce5004e
SHA1 0e602feeff46414a51675b0d0989c7bb5ea06a1f
SHA256 b91b3d683ec592cae7c070a6ce8138d45bfbaa5b532fa4cebeee94cb2ad520e1
SHA512 6685704ab2257d970b3ab298ced5fa46ca9840eadc7cae5ff1ad55d6529ceb9d5a91412f581c6f9c9ef794049e193ab03c83c7534bd78cec35d122f22a5e30c2

memory/2464-17-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 74e7082c044588dbce68ae476cabe877
SHA1 8b499a599712e58f4750218be2b06fc1cb930be1
SHA256 af32c6ff201d313e2cf3487c23c01b030d906273d59632840208dce4e610b408
SHA512 ea05c11a5c6f0ad41199660c4e51f96f76bb7e0953dc4130753422bc28457068341f94c291387bbbbd5c9bf65f98f0858ae88f7ff0572c27d557e02562bbe7ed

memory/2348-20-0x0000000000400000-0x0000000000474000-memory.dmp

\Users\Admin\AppData\Local\Temp\xyqef.exe

MD5 ca613c2c27a4e66f6037d145bc27d394
SHA1 c0cfc500d6e74a81cc24c1923b409343066512bf
SHA256 91b16ff9ec83efb96c5ccd5ad508be2b137dda34d09f0cc43624c6b5bcd73692
SHA512 72530a492fadfd7e25057f925281fc9a9aacadbb6e34bffd321d423814de821aceb9e2e4f32e517e101148236f885610e8476f5498cbe6518022e8b36cfd6a62

memory/2348-27-0x0000000000400000-0x0000000000474000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-16 21:37

Reported

2024-03-16 21:40

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe"

Signatures

Urelas

trojan urelas

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\qecez.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qecez.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qukai.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qukai.exe N/A (64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe C:\Users\Admin\AppData\Local\Temp\qecez.exe (3 identical rows)
PID 1988 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 2016 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\qecez.exe C:\Users\Admin\AppData\Local\Temp\qukai.exe (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe

"C:\Users\Admin\AppData\Local\Temp\8093923e01c99fa25321b44e1de4ffe2d07503913acd7ea24276273ae92bd793.exe"

C:\Users\Admin\AppData\Local\Temp\qecez.exe

"C:\Users\Admin\AppData\Local\Temp\qecez.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\qukai.exe

"C:\Users\Admin\AppData\Local\Temp\qukai.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
KR 218.54.31.226:11120 tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
KR 218.54.30.235:11120 tcp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
JP 133.242.129.155:11120 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (5 identical rows)
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

memory/1988-0-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qecez.exe

MD5 90d3bd60a314754fa3f6ed64e0f54130
SHA1 f714204819e95791c36bbb6536bc33d1e857d634
SHA256 43cfff80f8c39b0c0b0f0f417aaa595a5a5fbfc32b314dbea62967ba18d1bf4c
SHA512 d67db70ea1362d1aa02287060945ab5ea63fc866401f00267e32a643e000eb64a4c912c5ea33b4e341467e4dc1fb01d7baa7d1e0dfb4ec4efd5e45ceb586f81f

memory/2016-12-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1988-14-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 2ed49363141b3a651ae2f19a7ce5004e
SHA1 0e602feeff46414a51675b0d0989c7bb5ea06a1f
SHA256 b91b3d683ec592cae7c070a6ce8138d45bfbaa5b532fa4cebeee94cb2ad520e1
SHA512 6685704ab2257d970b3ab298ced5fa46ca9840eadc7cae5ff1ad55d6529ceb9d5a91412f581c6f9c9ef794049e193ab03c83c7534bd78cec35d122f22a5e30c2

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 04220b628690481880d00212a5ec576c
SHA1 6bb9aee2bf8eb2af45d1afb5e709b802d641644e
SHA256 0b04d52ad167b8824998ca3372c293a611f08a465b06000e77cd4a5707d351a6
SHA512 7a8bd119b42c7f6e846a8904fabe46f1d66e4f568527ed13e276979a8c6f6a9522448b7a099863cc40529331739439308eccec9bf9ac70b6055183b88e428449

memory/2016-17-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qukai.exe

MD5 cec2aea1f829b748ea2bc067db445e13
SHA1 c28b0f81a5103de9f3af467de2d96816148ac3f2
SHA256 9d57d240f2a1ce9f2fe207a03f4a46ab810459d4eb91d104eec23f22d79214b5
SHA512 87d3e988e3c2ce42ec6a20d5435396b759449f8cd9cbc8488d6916ac4a16cc2f09be9d83f309c828e32d9949804cb15f780c923a268b2b79ebbb8212284ead98

memory/2016-26-0x0000000000400000-0x0000000000474000-memory.dmp