Malware Analysis Report

2025-08-05 19:40

Sample ID 240316-3f2kyagg95
Target b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa
SHA256 b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa
Tags: urelas trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa

Threat Level: Known bad

The file b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa was found to be: Known bad.

Malicious Activity Summary

urelas trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-16 23:28

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-16 23:28
Reported: 2024-03-16 23:30
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vebaz.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\acziv.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\acziv.exe | N/A | 53

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2908 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe | C:\Users\Admin\AppData\Local\Temp\vebaz.exe | 4
PID 2908 wrote to memory of 2620 | N/A | C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1304 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\vebaz.exe | C:\Users\Admin\AppData\Local\Temp\acziv.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe

"C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe"

C:\Users\Admin\AppData\Local\Temp\vebaz.exe

"C:\Users\Admin\AppData\Local\Temp\vebaz.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\acziv.exe

"C:\Users\Admin\AppData\Local\Temp\acziv.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11120 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.30.235:11120 | | tcp
JP | 133.242.129.155:11120 | | tcp

Files

memory/2908-0-0x0000000000400000-0x000000000047E000-memory.dmp

\Users\Admin\AppData\Local\Temp\vebaz.exe

MD5 3d58b9d6a4ffd41235c5fc8d5f98abd1
SHA1 189038a5c58218d1ca3309f0d70c4f8a5df44851
SHA256 e801ced563ac2a074a14dc2480ef30b4b030a13446de22a4653d8b564c8420ca
SHA512 50e19884aaafd69b620cc7815872fbfef014de491895489424020b4df61a318619c0e8382e773b031e3123022c59611d43aa7e17ff2eeac4ef67cd0f55aa072c

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 1c505d0bca466dac41c60aaffcc4998a
SHA1 4e38ad56df8f28c47eb7ea8fc2bf5014a80d669a
SHA256 118208fb8df7fda363c09ec165ec6e3bcc33e1f15eaa05a5221d8b8b98b32ce2
SHA512 c2da05ccc4a3fc4f536705f29d0b733bd5f9d0268d919ca285c2ba1e04165a06e8403f2f3633b7b8b98fc56ecfd6435e3eefdf6afe75d42c627b612cb85ff522

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 282c7b52c77debc45eb5e421090b3ca4
SHA1 5f5c73a9760436f773f5adafaf59bb374b10764a
SHA256 399eb00b2ad200275d3b9aa266ff9d2a5425e01af946210ced14f2981b31a8ab
SHA512 a24fa5450ab47bb6290655e51a28d3f97e149dbbca2b8bc94f14fd3badf6321dbfbee2c75acdcc8d40ed4cd481fc1dd3383bc5758677ae112578422cd6126eb8

\Users\Admin\AppData\Local\Temp\acziv.exe

MD5 6735778949012ce94581ba1e2ef15ca2
SHA1 c584d34d2860f269df26c40dbb178781bf2fcbaf
SHA256 e783545b45189b5e2b74fec73984f4a6c7ab6c2eb682ac41734a2bc1cc11746a
SHA512 a5da9ff86035140b4f31be39208408b06d4e59817ccd1fca87ea6245da846a08fcfa636227a386be3a821afe764aa7d9c4beee93c4baef5c14a94d7236ff80ef

memory/1304-24-0x0000000002E70000-0x0000000002F24000-memory.dmp

memory/1852-26-0x0000000000E00000-0x0000000000EB4000-memory.dmp

memory/1852-28-0x0000000000E00000-0x0000000000EB4000-memory.dmp

memory/1852-29-0x0000000000E00000-0x0000000000EB4000-memory.dmp

memory/1852-30-0x0000000000E00000-0x0000000000EB4000-memory.dmp

memory/1852-31-0x0000000000E00000-0x0000000000EB4000-memory.dmp

memory/1852-32-0x0000000000E00000-0x0000000000EB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-16 23:28
Reported: 2024-03-16 23:30
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sykur.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sykur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exajr.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\exajr.exe | N/A | 64

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4784 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe | C:\Users\Admin\AppData\Local\Temp\sykur.exe | 3
PID 4784 wrote to memory of 4484 | N/A | C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2140 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\sykur.exe | C:\Users\Admin\AppData\Local\Temp\exajr.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe

"C:\Users\Admin\AppData\Local\Temp\b96b7992125c3e6dec3a457b57f9c1b53e867efb93932f5aa5aa31ffbbe8d5fa.exe"

C:\Users\Admin\AppData\Local\Temp\sykur.exe

"C:\Users\Admin\AppData\Local\Temp\sykur.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\exajr.exe

"C:\Users\Admin\AppData\Local\Temp\exajr.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
KR | 218.54.31.226:11120 | | tcp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
KR | 218.54.30.235:11120 | | tcp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
JP | 133.242.129.155:11120 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp

Files

memory/4784-0-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sykur.exe

MD5 5ec262871a9ac32cd663e562238dbe2f
SHA1 d99987dbdf7dedb3915abe6f3bd2b76b082d8f37
SHA256 e00406cfd02f341a912931d54cfae968d1086820b06fa1ca5e1c9c371b14c721
SHA512 263ca922d4eae31341e3e18052cb5f64a14e34afbf2d2d3353b193f00ddfa56cdea2260b0afcfc15def2648d930e055113c8733a14f6858de825e61dc87da456

memory/2140-13-0x0000000000400000-0x000000000047E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 1c505d0bca466dac41c60aaffcc4998a
SHA1 4e38ad56df8f28c47eb7ea8fc2bf5014a80d669a
SHA256 118208fb8df7fda363c09ec165ec6e3bcc33e1f15eaa05a5221d8b8b98b32ce2
SHA512 c2da05ccc4a3fc4f536705f29d0b733bd5f9d0268d919ca285c2ba1e04165a06e8403f2f3633b7b8b98fc56ecfd6435e3eefdf6afe75d42c627b612cb85ff522

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 070d3d90270ce5a3bc8f330c1f083ce5
SHA1 75ce0382285c21923f718c2cfeeeb1b8be8af833
SHA256 4197336ef812f77916546e8c4aed777a17db94097926e7d40cffab12e63be025
SHA512 1f2191f13a6e0c8e7dd94c075a3da4cebe3a20714d6f666bf4e9121722f6ba50c8e15c0951bab8c0dae08474d8475a38223679d4d7374cb49f5b9e29d45e22d3

C:\Users\Admin\AppData\Local\Temp\exajr.exe

MD5 f2d93f3789e69294fd9adcfb409d7db9
SHA1 e9b777b8868512d41f816821d767f68ccb9ff195
SHA256 b213c0eead4ff41f70be5ada1ebc3890694af49abe296d0ee56de7ce849b1bd2
SHA512 40fe52d0fbcfcdbff9f4d7c7ec167eaa6f2db2258e920818dd8849f937a1e88e695672e92665e89114e2783b162c111a5ef7f0ce141c17b14d82738b8a568e72

memory/4232-24-0x00000000004B0000-0x0000000000564000-memory.dmp

memory/4232-25-0x00000000004B0000-0x0000000000564000-memory.dmp

memory/4232-27-0x00000000004B0000-0x0000000000564000-memory.dmp

memory/4232-28-0x00000000004B0000-0x0000000000564000-memory.dmp

memory/4232-29-0x00000000004B0000-0x0000000000564000-memory.dmp

memory/4232-30-0x00000000004B0000-0x0000000000564000-memory.dmp