Malware Analysis Report

2024-11-16 13:26

Sample ID 241011-kbz77stgpb
Target 340e7a400b655de787b990d2a9665524_JaffaCakes118
SHA256 ec8a947059fc22e6cf39eb70c83a734d3fdb9dccea70b9dd73e67a3f4b5f7c6d
Tags: urelas discovery trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: ec8a947059fc22e6cf39eb70c83a734d3fdb9dccea70b9dd73e67a3f4b5f7c6d

Threat Level: Known bad

The file 340e7a400b655de787b990d2a9665524_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas family

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-10-11 08:26

Signatures

Urelas family

Tags: urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-11 08:26
Reported: 2024-10-11 08:28
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe"

Signatures

Urelas

Tags: trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dygym.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ipbex.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\dygym.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ipbex.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ipbex.exe | N/A (this identical row is reported 54 times)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2084 wrote to memory of 2460 | N/A | C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\dygym.exe (reported 4 times)
PID 2084 wrote to memory of 316 | N/A | C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe (reported 4 times)
PID 2460 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\dygym.exe | C:\Users\Admin\AppData\Local\Temp\ipbex.exe (reported 4 times)

Processes

C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\dygym.exe

"C:\Users\Admin\AppData\Local\Temp\dygym.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\ipbex.exe

"C:\Users\Admin\AppData\Local\Temp\ipbex.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11110 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.31.165:11110 | | tcp
JP | 133.242.129.155:11110 | | tcp

Files

memory/2084-0-0x0000000001250000-0x0000000001289000-memory.dmp

memory/2084-1-0x0000000000020000-0x0000000000022000-memory.dmp

\Users\Admin\AppData\Local\Temp\dygym.exe

MD5 33e4603b0529a3aba7808f961f1a3581
SHA1 93b94a0cd9ecdc77cf7d3a59bc5a045ad52866d3
SHA256 be8fdfe37d1cd50df1727cb6168cf2547469f1acf733c57f7137c1484eae3d10
SHA512 cf99501053b774be5c4e65a491f2f4495ff7094b32f6211e0180c486d0b77da338156b27726244023eb997ba378b1b8f10158b4fdd6cd93dfe65f8256b968611

memory/2084-7-0x00000000005A0000-0x00000000005D9000-memory.dmp

memory/2460-12-0x0000000000020000-0x0000000000022000-memory.dmp

memory/2460-11-0x0000000000F60000-0x0000000000F99000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 0f684c8a85499790df9bcb9319a9bb01
SHA1 f312fc4c0e1c62201c27215d01f300b37511367f
SHA256 bcb3fd44ce04f1c97d0c9b21639b7cad7cda0944884170f19e59cc4e169df24f
SHA512 659c9fa21ba4a29af6f302eeb813853783fae1b85f8e207eea5ddd48608c4e7ea1c6ae378069e2ca4b6f2039c154f9f89ace26044c28069814d74c29deca360b

memory/2084-21-0x0000000001250000-0x0000000001289000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 361135e0d0ac3cb6f7c852ad99c78e2a
SHA1 53552ebb824337e7ad53fa5e64270c67083237c2
SHA256 2c3c4797b603a264de9d41a9f5b72f44dbd3f257208872ee1655d328fe1db2f2
SHA512 d4e73b07111a21f3af8e579fafba3f5e559bfa9382a0e45798d0051a4a55fa8ffa51a9ac679f15a6adaf5cb4084e9bf67688f85d72947ec85c9d70a0de7695d0

memory/2460-24-0x0000000000F60000-0x0000000000F99000-memory.dmp

memory/2460-25-0x0000000000020000-0x0000000000022000-memory.dmp

\Users\Admin\AppData\Local\Temp\ipbex.exe

MD5 4af3a88e289fed1af7baddc830bd5910
SHA1 f58890a420211f17f54cf4e3f777d68f959009a3
SHA256 adbf6363c40db11ba20750b10baf6933f6799f9a1771853e591e349997d540f6
SHA512 03b1512d2e462b8558fbac12a4270b5b374c0dc6e20479a3cbeb3b8193e7b1bc46c4c007df89a4b7b120d02e1f32fa80f0eecef79ee78e4464c6022130a094e7

memory/2360-44-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2460-42-0x0000000003FF0000-0x00000000040AF000-memory.dmp

memory/2460-41-0x0000000000F60000-0x0000000000F99000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dygym.exe

MD5 5f73b8081edee6ff3b32ac25efe8f533
SHA1 9745d2bcf94e25bab6543b5d448a622403db3cd5
SHA256 40804f4cb1213e3daaa67709b03ebdef818f98fb24f73117d56705cf57115269
SHA512 e10914a3f33aa2bd6bfdedc66057b94313c259ae031a78c746bec53e3868ebb5161e49db3c5e21f47b0e5132b013f91ce34856ccca5d28820ad3ed84ac358053

memory/2360-46-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2360-47-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2360-48-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2360-49-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2360-50-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/2360-51-0x0000000000400000-0x00000000004BF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-11 08:26
Reported: 2024-10-11 08:28
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe"

Signatures

Urelas

Tags: trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\issed.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\issed.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\komes.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\issed.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\komes.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\komes.exe | N/A (this identical row is reported 64 times)

Processes

C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\340e7a400b655de787b990d2a9665524_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\issed.exe

"C:\Users\Admin\AppData\Local\Temp\issed.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\komes.exe

"C:\Users\Admin\AppData\Local\Temp\komes.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
KR | 218.54.31.226:11110 | | tcp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
KR | 218.54.31.165:11110 | | tcp
US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp
JP | 133.242.129.155:11110 | | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

memory/1956-0-0x0000000000260000-0x0000000000299000-memory.dmp

memory/1956-1-0x0000000000820000-0x0000000000822000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\issed.exe

MD5 f9071f583bb24b9ea14bc5da27ae23d7
SHA1 5b479dab7838dffacee9f04d5e420e2796b50bff
SHA256 38514f240c4491b7de6ffa77358fdcd4482bc9a64658fbd5c6c156a383524eb8
SHA512 ab24469de4e662eac6e16dbc8e0cef7bcf14f79f6a93fe651642ef4f9174dc48f6be4be6e4cbaa837e0c8d3d7412004d6956a6415bf91404286df19b2ed67971

memory/2212-13-0x0000000000030000-0x0000000000069000-memory.dmp

memory/1956-17-0x0000000000260000-0x0000000000299000-memory.dmp

memory/2212-14-0x0000000000C80000-0x0000000000C82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 0f684c8a85499790df9bcb9319a9bb01
SHA1 f312fc4c0e1c62201c27215d01f300b37511367f
SHA256 bcb3fd44ce04f1c97d0c9b21639b7cad7cda0944884170f19e59cc4e169df24f
SHA512 659c9fa21ba4a29af6f302eeb813853783fae1b85f8e207eea5ddd48608c4e7ea1c6ae378069e2ca4b6f2039c154f9f89ace26044c28069814d74c29deca360b

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 e0cc19d4e1c793aad2bfbcd11dee9c1d
SHA1 ff7215917afee3f9808a2940c5635577cdf54087
SHA256 2319f91febc8196ce96df481572fca81364195a0fd7884ac502f28eb66192a45
SHA512 ba62f1bf5d1ae9fcd238d0e59e12ce5798c96b65c71396af1eb3ab30aca5aacb6278d252ad1e48763f18c575790ad380373e7251e7a6021a8ebbf516cb6acc87

memory/2212-20-0x0000000000C80000-0x0000000000C82000-memory.dmp

memory/2212-21-0x0000000000030000-0x0000000000069000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\komes.exe

MD5 e367d980fd0991db362877727626f29f
SHA1 73b2ee5cfad099f1387c007579a0ced70950e1c6
SHA256 9909e562ca1a9cde3435fa64221806487bbd5a49cb4c3277081161ec10cfc753
SHA512 efc37e20957cd5df849039668cd473d5ee437ce9f7b6fec00499416b502af0b8a81bcb7b9ac0e36452c4b3e0b517754639dcbbe9c1bf79006f0a74531957a6c9

memory/2212-40-0x0000000000030000-0x0000000000069000-memory.dmp

memory/1552-38-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1552-42-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1552-43-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1552-44-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1552-45-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1552-46-0x0000000000400000-0x00000000004BF000-memory.dmp

memory/1552-47-0x0000000000400000-0x00000000004BF000-memory.dmp