Malware Analysis Report

2025-08-05 21:21

Sample ID 240305-cs4mysbh4s
Target ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb
SHA256 ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb
Tags
urelas aspackv2 trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb

Threat Level: Known bad

The file ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 trojan

Urelas family

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

ASPack v2.12-2.42

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-05 02:21

Signatures

Urelas family

urelas

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-05 02:21

Reported

2024-03-05 02:23

Platform

win7-20240221-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qigiu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unkul.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\unkul.exe N/A
(54 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Users\Admin\AppData\Local\Temp\qigiu.exe
PID 2036 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Users\Admin\AppData\Local\Temp\qigiu.exe
PID 2036 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Users\Admin\AppData\Local\Temp\qigiu.exe
PID 2036 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Users\Admin\AppData\Local\Temp\qigiu.exe
PID 2036 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Windows\SysWOW64\cmd.exe
PID 2992 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\qigiu.exe C:\Users\Admin\AppData\Local\Temp\unkul.exe
PID 2992 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\qigiu.exe C:\Users\Admin\AppData\Local\Temp\unkul.exe
PID 2992 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\qigiu.exe C:\Users\Admin\AppData\Local\Temp\unkul.exe
PID 2992 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\qigiu.exe C:\Users\Admin\AppData\Local\Temp\unkul.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe

"C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe"

C:\Users\Admin\AppData\Local\Temp\qigiu.exe

"C:\Users\Admin\AppData\Local\Temp\qigiu.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\unkul.exe

"C:\Users\Admin\AppData\Local\Temp\unkul.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 N/A tcp
KR 1.234.83.146:11170 N/A tcp
KR 218.54.31.165:11110 N/A tcp
JP 133.242.129.155:11110 N/A tcp

Files

memory/2036-0-0x0000000000400000-0x0000000000465000-memory.dmp

\Users\Admin\AppData\Local\Temp\qigiu.exe

MD5 e47a42f1dcab0a85d467e53f0307ba82
SHA1 f78548710301caeadc70da3c994e8028b3e5fb50
SHA256 b5ac6b7336547481d2e7067c403b8768550128c956adcb5a85ea0a2fdacd8698
SHA512 589bfb529c5ff9e3f61abe80d855d11a9b5e89453c8cef5f3d08340d1cee66770138464c4382ef371f8551d7dcc4f15cdba95472eef332d9570f984bd8a70ccd

memory/2036-11-0x0000000002BC0000-0x0000000002C25000-memory.dmp

memory/2992-21-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 f0d4c528db1a5a3deab717cc3f4844a9
SHA1 3b46c4d928e3dce0afff3ea5ed8425af472b4995
SHA256 7a51e5f482fbe5350a629f76b31bdf3114f38fdce4f049920467feec74a12389
SHA512 68e238d9b7166e321cb722416b82121d9c0d3e3dbc8619b01f6a5b8edba52a058d33fe4cf649be4e22766259f7543806fd17049dc4753b7c08b2a2e07ef89b05

memory/2036-19-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 83b14cd481bad09a555912cfc128a031
SHA1 acd195b2fde79865810790f8979860c4c478ee1c
SHA256 42251923a6cffdde6d26dc66a4f3dc3f0d3de401fe74322927579dc67c42f28a
SHA512 af2053842f2c8dcf3f9f6f4da2c80a1346b0d4dbc00fdcca68067fb6dc6e7e62beaffb9c34a1789ecb5007ff152007cc019d32c4a919dda7b61003d06b05f9fb

\Users\Admin\AppData\Local\Temp\unkul.exe

MD5 d75ad696fd114a013a2caa8f75596329
SHA1 eda724c207f338f062b1ee7866974462c3168744
SHA256 bbaa393592596c1ecba268a7c0589797710495829e63b7c5f5c0d6a62a2e3337
SHA512 9a6363a2d78989482ecdae0f63c3084b21c63d878ae6545af4226156c5953c74812af889d491865d68bb6a332f8921d2c8608abeb61f4e2ed46dc669fed0a32b

memory/2992-30-0x0000000000400000-0x0000000000465000-memory.dmp

memory/832-31-0x0000000000240000-0x00000000002D4000-memory.dmp

memory/2992-32-0x00000000037C0000-0x0000000003854000-memory.dmp

memory/832-34-0x0000000000240000-0x00000000002D4000-memory.dmp

memory/832-35-0x0000000000240000-0x00000000002D4000-memory.dmp

memory/832-37-0x0000000000240000-0x00000000002D4000-memory.dmp

memory/832-38-0x0000000000240000-0x00000000002D4000-memory.dmp

memory/832-39-0x0000000000240000-0x00000000002D4000-memory.dmp

memory/832-40-0x0000000000240000-0x00000000002D4000-memory.dmp

memory/832-41-0x0000000000240000-0x00000000002D4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-05 02:21

Reported

2024-03-05 02:23

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ibhop.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ibhop.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cypuh.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cypuh.exe N/A
(64 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4016 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Users\Admin\AppData\Local\Temp\ibhop.exe
PID 4016 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Users\Admin\AppData\Local\Temp\ibhop.exe
PID 4016 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Users\Admin\AppData\Local\Temp\ibhop.exe
PID 4016 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe C:\Windows\SysWOW64\cmd.exe
PID 1688 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\ibhop.exe C:\Users\Admin\AppData\Local\Temp\cypuh.exe
PID 1688 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\ibhop.exe C:\Users\Admin\AppData\Local\Temp\cypuh.exe
PID 1688 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\ibhop.exe C:\Users\Admin\AppData\Local\Temp\cypuh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe

"C:\Users\Admin\AppData\Local\Temp\ed4a3ac063fdf8824e5380a61344367a6966a3acf5d9f903cd1cf0ddb332a2fb.exe"

C:\Users\Admin\AppData\Local\Temp\ibhop.exe

"C:\Users\Admin\AppData\Local\Temp\ibhop.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\cypuh.exe

"C:\Users\Admin\AppData\Local\Temp\cypuh.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
KR 218.54.31.226:11110 N/A tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
KR 1.234.83.146:11170 N/A tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
KR 218.54.31.165:11110 N/A tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
JP 133.242.129.155:11110 N/A tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
(5 identical rows)
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp

Files

memory/4016-0-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ibhop.exe

MD5 f4535a61af99f166e08f80cd9323aecd
SHA1 bec15e9d468f804c6085b2d69fe9c9fbf7c0f8a1
SHA256 244c4020b858272d8e141240306923518afe85aaa672342b14b5c32148635a3a
SHA512 c0d8f2d935e1542ac7fa9aad76cf1587022dd23aadebee82c746c5f0b5e0dc1946957e56bb97fddeb9e9dcb8260e79fc615fbcc813f06778b5bb0fd6760becc6

memory/1688-12-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4016-14-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 f0d4c528db1a5a3deab717cc3f4844a9
SHA1 3b46c4d928e3dce0afff3ea5ed8425af472b4995
SHA256 7a51e5f482fbe5350a629f76b31bdf3114f38fdce4f049920467feec74a12389
SHA512 68e238d9b7166e321cb722416b82121d9c0d3e3dbc8619b01f6a5b8edba52a058d33fe4cf649be4e22766259f7543806fd17049dc4753b7c08b2a2e07ef89b05

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 4a5a906094a1838e0448c5be6d4c376b
SHA1 228d9464f2bc418b66fc397cda340fe6316375f6
SHA256 cf5298f94621fd6c03864fd022eacfd50bf6e79ad3a4a152cc82b0d20e8c0ff9
SHA512 497e0d838f474764efdf2f94a15f46d586d3d1274595f20f5dba944502cedb2bf739ff16953c2c674e39ce07d3431cdce1706f099f2379d69385fd713fc08bb5

C:\Users\Admin\AppData\Local\Temp\cypuh.exe

MD5 4fa79894f90b494e3ad3b79ef9970b08
SHA1 ab37328cd01c5c6f725ea392ca4f3d6903359e6c
SHA256 3ab8c0b7acbc610ce09077ce4a571d33aca5416c6133f43b5640ffad3020d6e9
SHA512 b6e94e90e364cf9a4c53379990b0da2b173ed7af7c515784d2e934191ef6f94120721b7dc161a2a7a9943c90a59f394cdd251d287ff88e307e03a934a639d57e

memory/1688-26-0x0000000000400000-0x0000000000465000-memory.dmp

memory/4232-28-0x00000000003A0000-0x0000000000434000-memory.dmp

memory/4232-29-0x00000000003A0000-0x0000000000434000-memory.dmp

memory/4232-27-0x00000000003A0000-0x0000000000434000-memory.dmp

memory/4232-31-0x00000000003A0000-0x0000000000434000-memory.dmp

memory/4232-32-0x00000000003A0000-0x0000000000434000-memory.dmp

memory/4232-33-0x00000000003A0000-0x0000000000434000-memory.dmp

memory/4232-34-0x00000000003A0000-0x0000000000434000-memory.dmp

memory/4232-35-0x00000000003A0000-0x0000000000434000-memory.dmp