Malware Analysis Report

2024-11-16 13:26

Sample ID: 240812-2tatpsvfqq
Target: 909efb8d813b5a626f6e75a244559f96_JaffaCakes118
SHA256: e713ff4d1b106a32823400335f762bfeac6b76a820552afef0857714a899c1f1
Tags: urelas discovery trojan upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: e713ff4d1b106a32823400335f762bfeac6b76a820552afef0857714a899c1f1

Threat Level: Known bad

The file 909efb8d813b5a626f6e75a244559f96_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan upx

Urelas family

Urelas

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-12 22:51

Signatures

Urelas family

urelas

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-12 22:51
Reported: 2024-08-12 22:54
Platform: win7-20240708-en
Max time kernel: 149s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\909efb8d813b5a626f6e75a244559f96_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kahag.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pywii.exe | N/A

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\kahag.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pywii.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\909efb8d813b5a626f6e75a244559f96_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pywii.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2884 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\909efb8d813b5a626f6e75a244559f96_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\kahag.exe
PID 2884 wrote to memory of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\909efb8d813b5a626f6e75a244559f96_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2212 wrote to memory of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\kahag.exe | C:\Users\Admin\AppData\Local\Temp\pywii.exe

Processes

C:\Users\Admin\AppData\Local\Temp\909efb8d813b5a626f6e75a244559f96_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\909efb8d813b5a626f6e75a244559f96_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\kahag.exe

"C:\Users\Admin\AppData\Local\Temp\kahag.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "

C:\Users\Admin\AppData\Local\Temp\pywii.exe

"C:\Users\Admin\AppData\Local\Temp\pywii.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11120 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.30.235:11120 | | tcp
JP | 133.242.129.155:11120 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\kahag.exe

MD5 7a41dd6e509c7d53e51de038b0207bd8
SHA1 e84a54f370786cc61773a73e9c44a4b871435a6f
SHA256 8119ad90f2a031501b1a1367d21f0dfd2eeb10088d3e11c5c9439ca58a2368bf
SHA512 c3ea1f456aedb172a26614cada334477fda92d393191837d9dab18bf0adb7ea9d6aa44d3506860bc8a20418857ac46caf7eb75d6c65826f09b81dcecc280b49a

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

MD5 d9f760a677149ebcc3f4c63198b7aed1
SHA1 6ca3ea461b818fa1c13471592f677250cb40accc
SHA256 4b158bc02a79f306f336fdb458cfa0a4c10659eb6341278083d67c1b1eeae137
SHA512 50afe0617a2a98a0ccd10858d104948f362aa1e2956956220a81132469b468c79339300488fbd00f7978ffc4f8eb40ae6151e26c1c2ed1100947a07524d6df7a

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 eb0e126ef775b290b8886bf44034f34c
SHA1 943f9e006f6ac3899323e2dfaa368a27eb8a4cc4
SHA256 d0a82b0646afbc60065de8b72ad57b6cf58fa83aa0403d29e9732c9705342e80
SHA512 940a49146813bdae45bc60738a68b805c45c1bb136833f1ae43cf936bb3269cab1162d9fc44f3b051678083595fddf9742ec3818c3273f9a128166ec032b1544

\Users\Admin\AppData\Local\Temp\pywii.exe

MD5 ed797201484f10eb0a5e82eef7a7bd37
SHA1 3870f7f6175ed33a2e77415223d99319e656365d
SHA256 239fb9afaaff44f78dbcb1285ffb947c4c6600eefa08f7f88d9328ea051639a4
SHA512 3fc523483f088d26279317cd1cc620b44f5e42c3a87a8bae006cd108ed55b67029c00d6d534bdc8339bd4c11276f58b6ec5b315af806ff265e521ed3810bb6c9

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-12 22:51
Reported: 2024-08-12 22:54
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\909efb8d813b5a626f6e75a244559f96_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\909efb8d813b5a626f6e75a244559f96_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sybos.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sybos.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taxeh.exe | N/A

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\909efb8d813b5a626f6e75a244559f96_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sybos.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\taxeh.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\taxeh.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\909efb8d813b5a626f6e75a244559f96_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\909efb8d813b5a626f6e75a244559f96_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\sybos.exe

"C:\Users\Admin\AppData\Local\Temp\sybos.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "

C:\Users\Admin\AppData\Local\Temp\taxeh.exe

"C:\Users\Admin\AppData\Local\Temp\taxeh.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
KR | 218.54.31.226:11120 | | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
KR | 218.54.30.235:11120 | | tcp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
JP | 133.242.129.155:11120 | | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\sybos.exe

MD5 ebc6efdf2d224acc3ccb54465175f456
SHA1 b4a4043661bbd38b424492a627288be43b1174b9
SHA256 93687507280002d5576ccb09951bcb107e22ffd82e57dfe2e9d171d78823a70a
SHA512 fdfd809880f6a62eba3bc9fd2484879ec7950ab4774dd31751c82367fd0bd5a86f84d98cc3cd41b311a67e3199e4d5bca48ca8795f01a3b47d9e89bde586c9b7

C:\Users\Admin\AppData\Local\Temp\_sannuy.bat

MD5 d9f760a677149ebcc3f4c63198b7aed1
SHA1 6ca3ea461b818fa1c13471592f677250cb40accc
SHA256 4b158bc02a79f306f336fdb458cfa0a4c10659eb6341278083d67c1b1eeae137
SHA512 50afe0617a2a98a0ccd10858d104948f362aa1e2956956220a81132469b468c79339300488fbd00f7978ffc4f8eb40ae6151e26c1c2ed1100947a07524d6df7a

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 5f01a76574d3cde24b2e8d28ef946c20
SHA1 38192fbe5666ffcb4b5c049db3d66c5b0649aa4e
SHA256 a42fd405836452c7ae7c038da4052821fc402e02f61551b902bc31c39195b8fb
SHA512 803b7ceebdc41e60cdc95edc1b240b077ad2f0df87a620c15690cf34262fdcddb16591c4d70390fe414f4c8c4cbd21589328405f076179b3b8ce956d58c6fb99

C:\Users\Admin\AppData\Local\Temp\taxeh.exe

MD5 6818fbcb440e2fd4e1075f253d66c556
SHA1 1de73f9bc922bcf82562137613e2c9af20bc2814
SHA256 1c4f729b75a8d4f93c7d277afb1e050251231b82acbfae45d6caa763a775c0c5
SHA512 d9674554449e9e3c47708e07fb7ef58daa5f29732e5971bb4e53cd17c861710cc47805ad28a51df458701df07a1587bea434e83069ac8c223ae04a9c6552ef61
