Malware Analysis Report

2024-11-16 13:24

Sample ID 241008-rjx65stgpc
Target 21f1711e0baa448b75f449c141e84a66_JaffaCakes118
SHA256 0aca5e50f4865db31ce50fab7ff93c650561f452b89626206844057065774389
Tags
urelas discovery trojan
score
10/10


Analysis Overview

score
10/10

SHA256

0aca5e50f4865db31ce50fab7ff93c650561f452b89626206844057065774389

Threat Level: Known bad

The file 21f1711e0baa448b75f449c141e84a66_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Urelas family

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-08 14:13

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-08 14:13

Reported

2024-10-08 19:46

Platform

win7-20240903-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nuziv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gopox.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gopox.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nuziv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gopox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\gopox.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\gopox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1076 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nuziv.exe
PID 1076 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2396 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\nuziv.exe C:\Users\Admin\AppData\Local\Temp\gopox.exe

Processes

C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nuziv.exe

"C:\Users\Admin\AppData\Local\Temp\nuziv.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\gopox.exe

"C:\Users\Admin\AppData\Local\Temp\gopox.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/1076-0-0x0000000000D00000-0x0000000000DC9000-memory.dmp

\Users\Admin\AppData\Local\Temp\nuziv.exe

MD5 32d5e7fd8bfb07f0b784bd5736a56d54
SHA1 f9d108f322396aa6ef3c306daa99e49a3fd76df7
SHA256 64c0b367570e696287df7ecc08498d4c059216481656c64397372be4efe9009d
SHA512 f3a8ecde9affe4d0a9a7d184fa7ab8b3b73fa38bc6dd08eee3525850af6a52c75651e19e560a983515568dd08d0d48447d4908fd41b340c4079905b525fd4a53

memory/2396-16-0x00000000012D0000-0x0000000001399000-memory.dmp

memory/1076-17-0x0000000000D00000-0x0000000000DC9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 c12da5d78cf7ee9da4ef9d796eb4207f
SHA1 4a373fa0c6036513dc108e5e979bd1c153e79146
SHA256 ed31b47c72ff36297db4b977513fdd7236d9b8267b53116e205de16c6960aeb4
SHA512 d63a70dfc33a9fe954a0a468222b3a6143bec5e2293da8111b1a3f0add3cd41978fb0ccf5dcf5e12253673eed532c345e6420c6af2c4ae49d01c5cc48a96b45e

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 d96d3c9d6b9650bdc137c7c9dbbba1dc
SHA1 f25f911938d85250b81cf2164b8c8c7adf2e3998
SHA256 a06f2380f02aacf30a3cb57d542550a1e0d864af812ab28969ec9affd2b94b2c
SHA512 18da511ef0eb125912bda501469f3236e978607358df166b55cf6dd4d1b3aea5f8a42d745ab4a0a90c3ff08fba2b87422b64bd37ceee7bb1f1244f3b09fc98ca

memory/2396-20-0x00000000012D0000-0x0000000001399000-memory.dmp

\Users\Admin\AppData\Local\Temp\gopox.exe

MD5 b24da554b735c2b14814e08f0fd86832
SHA1 c1874b4aecc0fc7cb23f0b72b21ba776fc9c0c3f
SHA256 8e8c23efaa9e2e736d5abc1820e173d57ce08ccbbd8a1ac61596d7f802c38ed3
SHA512 33d30a349cc59752eb85f803b389e9e21e547418dab94dcd4395450e6de8fa0ffb9c4883fa91bfc24a71886fcb014ecf60e7ef4ef5dfbf72f082e8a34a35a1e0

memory/2396-25-0x0000000003650000-0x00000000036DF000-memory.dmp

memory/2396-28-0x00000000012D0000-0x0000000001399000-memory.dmp

memory/2932-29-0x0000000000400000-0x000000000048F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nuziv.exe

MD5 edd16ee470b6fb3e385c7414277afd5e
SHA1 febbbdc87676b5262ba0aa4b933f6fba00e3c2f9
SHA256 083d51e48806c605e3bdae7e7e78e44928e3b57bfb42e76446a37ce148f9e58b
SHA512 929e9543391f64e1602c073a889f1978ac8a9d121f97d67006939593db8153084574df58f302604a1dedc82f733917244d00e1779386d8fb4f6133ad33306af0

memory/2932-32-0x0000000000400000-0x000000000048F000-memory.dmp

memory/2932-33-0x0000000000400000-0x000000000048F000-memory.dmp

memory/2932-34-0x0000000000400000-0x000000000048F000-memory.dmp

memory/2932-35-0x0000000000400000-0x000000000048F000-memory.dmp

memory/2932-36-0x0000000000400000-0x000000000048F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-08 14:13

Reported

2024-10-08 19:43

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pibus.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pibus.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kuotk.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pibus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kuotk.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kuotk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\kuotk.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kuotk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\21f1711e0baa448b75f449c141e84a66_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\pibus.exe

"C:\Users\Admin\AppData\Local\Temp\pibus.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\kuotk.exe

"C:\Users\Admin\AppData\Local\Temp\kuotk.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 161.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
JP 133.242.129.155:11110 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/1184-0-0x0000000000D90000-0x0000000000E59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pibus.exe

MD5 ccf934ce5cbe0671e03c00f92daedc18
SHA1 5f262d7f2aac23ee337b6704ae7c39c8334a6706
SHA256 258c303e9b0f621a961dec11cd15a317fafaea093d36373472cccaa3f92c184a
SHA512 6168b0c9c0a0ca58ad6344152abf52f18fcf878e8767b6fecc3c8c9033498e9b89f87dc6eafc3d9684d298a982e2e52407417f2e28991514854a9bdb7bc5676a

memory/5036-11-0x0000000000B70000-0x0000000000C39000-memory.dmp

memory/1184-14-0x0000000000D90000-0x0000000000E59000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 c12da5d78cf7ee9da4ef9d796eb4207f
SHA1 4a373fa0c6036513dc108e5e979bd1c153e79146
SHA256 ed31b47c72ff36297db4b977513fdd7236d9b8267b53116e205de16c6960aeb4
SHA512 d63a70dfc33a9fe954a0a468222b3a6143bec5e2293da8111b1a3f0add3cd41978fb0ccf5dcf5e12253673eed532c345e6420c6af2c4ae49d01c5cc48a96b45e

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 c5c9d52f5142d7f10444267fedeb9b3c
SHA1 06af4b4c1ccd79c9abedcb894114a6864f2cc0bf
SHA256 a5e2be9fe168d3180c74785e955a226a945f5bb6ef5cb02ea0311eee5c0c9ebc
SHA512 2ae579443567af8d201efea779fcd2e92184c64ef18f7cf8f27414fe6881d6198a98a5707fb6ecff56e0400940bdfcd5575e89a40168791f6c9c396ceb5305e2

memory/5036-17-0x0000000000B70000-0x0000000000C39000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kuotk.exe

MD5 854eb2084c5a13e81caaa618085fe716
SHA1 22ca3c627f505eec45d5a85f5ec3bc76709c44ef
SHA256 883b4b2ad48c1163f18628e692bc3c931ee70d8ab1491a54793a85568140fe44
SHA512 5218034f6c163cc1bacb0befe5ef3b2c04d97e759cd27adac5987b1a3815c724bfee6917ef533561b9882fdae40b1fbd31a9b23af8855225f9186b7f954fc8ac

memory/3504-26-0x0000000000400000-0x000000000048F000-memory.dmp

memory/5036-27-0x0000000000B70000-0x0000000000C39000-memory.dmp

memory/3504-28-0x00000000020A0000-0x00000000020A2000-memory.dmp

memory/3504-31-0x00000000020A0000-0x00000000020A2000-memory.dmp

memory/3504-30-0x0000000000400000-0x000000000048F000-memory.dmp

memory/3504-32-0x0000000000400000-0x000000000048F000-memory.dmp

memory/3504-33-0x0000000000400000-0x000000000048F000-memory.dmp

memory/3504-34-0x0000000000400000-0x000000000048F000-memory.dmp

memory/3504-35-0x0000000000400000-0x000000000048F000-memory.dmp