eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d

Analysis

max time kernel
21s
max time network
144s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
18/09/2023, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d.exe
Size

405KB
MD5

38f15ba372a681bfcb86502e36fefe70
SHA1

d62595e8a236b2b4e230c300788eb6e19cd6b4f7
SHA256

eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d
SHA512

92ce89637a99e41d4989a3bd528f88e056a0431bae50d2637aacc46640e492c70b8795d4d5d78951badb3e68631eea82a36369b895b9e4f212172c158649b182
SSDEEP

12288:aFXUgFN66FUgFN66yalwa6QAoR6FFFFF/FFFFFFFFFFFfFFFFFxOD5nM2cBFTFFK:XxzaUoR6FFFFF/FFFFFFFFFFFfFFFFFY

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
944	pro.exe
944	pro.exe

Loads dropped DLL 2 IoCs

pid	Process
2196	eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d.exe
2196	eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2904	WMIC.exe
Token: SeSecurityPrivilege	2904	WMIC.exe
Token: SeTakeOwnershipPrivilege	2904	WMIC.exe
Token: SeLoadDriverPrivilege	2904	WMIC.exe
Token: SeSystemProfilePrivilege	2904	WMIC.exe
Token: SeSystemtimePrivilege	2904	WMIC.exe
Token: SeProfSingleProcessPrivilege	2904	WMIC.exe
Token: SeIncBasePriorityPrivilege	2904	WMIC.exe
Token: SeCreatePagefilePrivilege	2904	WMIC.exe
Token: SeBackupPrivilege	2904	WMIC.exe
Token: SeRestorePrivilege	2904	WMIC.exe
Token: SeShutdownPrivilege	2904	WMIC.exe
Token: SeDebugPrivilege	2904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2904	WMIC.exe
Token: SeRemoteShutdownPrivilege	2904	WMIC.exe
Token: SeUndockPrivilege	2904	WMIC.exe
Token: SeManageVolumePrivilege	2904	WMIC.exe
Token: 33	2904	WMIC.exe
Token: 34	2904	WMIC.exe
Token: 35	2904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2904	WMIC.exe
Token: SeSecurityPrivilege	2904	WMIC.exe
Token: SeTakeOwnershipPrivilege	2904	WMIC.exe
Token: SeLoadDriverPrivilege	2904	WMIC.exe
Token: SeSystemProfilePrivilege	2904	WMIC.exe
Token: SeSystemtimePrivilege	2904	WMIC.exe
Token: SeProfSingleProcessPrivilege	2904	WMIC.exe
Token: SeIncBasePriorityPrivilege	2904	WMIC.exe
Token: SeCreatePagefilePrivilege	2904	WMIC.exe
Token: SeBackupPrivilege	2904	WMIC.exe
Token: SeRestorePrivilege	2904	WMIC.exe
Token: SeShutdownPrivilege	2904	WMIC.exe
Token: SeDebugPrivilege	2904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2904	WMIC.exe
Token: SeRemoteShutdownPrivilege	2904	WMIC.exe
Token: SeUndockPrivilege	2904	WMIC.exe
Token: SeManageVolumePrivilege	2904	WMIC.exe
Token: 33	2904	WMIC.exe
Token: 34	2904	WMIC.exe
Token: 35	2904	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2660	WMIC.exe
Token: SeSecurityPrivilege	2660	WMIC.exe
Token: SeTakeOwnershipPrivilege	2660	WMIC.exe
Token: SeLoadDriverPrivilege	2660	WMIC.exe
Token: SeSystemProfilePrivilege	2660	WMIC.exe
Token: SeSystemtimePrivilege	2660	WMIC.exe
Token: SeProfSingleProcessPrivilege	2660	WMIC.exe
Token: SeIncBasePriorityPrivilege	2660	WMIC.exe
Token: SeCreatePagefilePrivilege	2660	WMIC.exe
Token: SeBackupPrivilege	2660	WMIC.exe
Token: SeRestorePrivilege	2660	WMIC.exe
Token: SeShutdownPrivilege	2660	WMIC.exe
Token: SeDebugPrivilege	2660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2660	WMIC.exe
Token: SeRemoteShutdownPrivilege	2660	WMIC.exe
Token: SeUndockPrivilege	2660	WMIC.exe
Token: SeManageVolumePrivilege	2660	WMIC.exe
Token: 33	2660	WMIC.exe
Token: 34	2660	WMIC.exe
Token: 35	2660	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2660	WMIC.exe
Token: SeSecurityPrivilege	2660	WMIC.exe
Token: SeTakeOwnershipPrivilege	2660	WMIC.exe
Token: SeLoadDriverPrivilege	2660	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 944	2196	eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d.exe	28
PID 2196 wrote to memory of 944	2196	eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d.exe	28
PID 2196 wrote to memory of 944	2196	eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d.exe	28
PID 2196 wrote to memory of 944	2196	eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d.exe	28
PID 944 wrote to memory of 2676	944	pro.exe	29
PID 944 wrote to memory of 2676	944	pro.exe	29
PID 944 wrote to memory of 2676	944	pro.exe	29
PID 944 wrote to memory of 2676	944	pro.exe	29
PID 2676 wrote to memory of 2904	2676	cmd.exe	31
PID 2676 wrote to memory of 2904	2676	cmd.exe	31
PID 2676 wrote to memory of 2904	2676	cmd.exe	31
PID 2676 wrote to memory of 2904	2676	cmd.exe	31
PID 944 wrote to memory of 2836	944	pro.exe	33
PID 944 wrote to memory of 2836	944	pro.exe	33
PID 944 wrote to memory of 2836	944	pro.exe	33
PID 944 wrote to memory of 2836	944	pro.exe	33
PID 2836 wrote to memory of 2660	2836	cmd.exe	35
PID 2836 wrote to memory of 2660	2836	cmd.exe	35
PID 2836 wrote to memory of 2660	2836	cmd.exe	35
PID 2836 wrote to memory of 2660	2836	cmd.exe	35
PID 944 wrote to memory of 2636	944	pro.exe	36
PID 944 wrote to memory of 2636	944	pro.exe	36
PID 944 wrote to memory of 2636	944	pro.exe	36
PID 944 wrote to memory of 2636	944	pro.exe	36
PID 2636 wrote to memory of 2536	2636	cmd.exe	38
PID 2636 wrote to memory of 2536	2636	cmd.exe	38
PID 2636 wrote to memory of 2536	2636	cmd.exe	38
PID 2636 wrote to memory of 2536	2636	cmd.exe	38
PID 944 wrote to memory of 2600	944	pro.exe	39
PID 944 wrote to memory of 2600	944	pro.exe	39
PID 944 wrote to memory of 2600	944	pro.exe	39
PID 944 wrote to memory of 2600	944	pro.exe	39
PID 2600 wrote to memory of 2976	2600	cmd.exe	41
PID 2600 wrote to memory of 2976	2600	cmd.exe	41
PID 2600 wrote to memory of 2976	2600	cmd.exe	41
PID 2600 wrote to memory of 2976	2600	cmd.exe	41
PID 944 wrote to memory of 2996	944	pro.exe	42
PID 944 wrote to memory of 2996	944	pro.exe	42
PID 944 wrote to memory of 2996	944	pro.exe	42
PID 944 wrote to memory of 2996	944	pro.exe	42
PID 2996 wrote to memory of 1656	2996	cmd.exe	44
PID 2996 wrote to memory of 1656	2996	cmd.exe	44
PID 2996 wrote to memory of 1656	2996	cmd.exe	44
PID 2996 wrote to memory of 1656	2996	cmd.exe	44
PID 944 wrote to memory of 2776	944	pro.exe	45
PID 944 wrote to memory of 2776	944	pro.exe	45
PID 944 wrote to memory of 2776	944	pro.exe	45
PID 944 wrote to memory of 2776	944	pro.exe	45
PID 2776 wrote to memory of 2884	2776	cmd.exe	47
PID 2776 wrote to memory of 2884	2776	cmd.exe	47
PID 2776 wrote to memory of 2884	2776	cmd.exe	47
PID 2776 wrote to memory of 2884	2776	cmd.exe	47
PID 944 wrote to memory of 2380	944	pro.exe	48
PID 944 wrote to memory of 2380	944	pro.exe	48
PID 944 wrote to memory of 2380	944	pro.exe	48
PID 944 wrote to memory of 2380	944	pro.exe	48
PID 2380 wrote to memory of 1956	2380	cmd.exe	50
PID 2380 wrote to memory of 1956	2380	cmd.exe	50
PID 2380 wrote to memory of 1956	2380	cmd.exe	50
PID 2380 wrote to memory of 1956	2380	cmd.exe	50
PID 944 wrote to memory of 2168	944	pro.exe	51
PID 944 wrote to memory of 2168	944	pro.exe	51
PID 944 wrote to memory of 2168	944	pro.exe	51
PID 944 wrote to memory of 2168	944	pro.exe	51

C:\Users\Admin\AppData\Local\Temp\eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d.exe
"C:\Users\Admin\AppData\Local\Temp\eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Public\pro.exe
  "C:\Users\Public\pro.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:944
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='360safe.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='360safe.exe'" get ExecutablePath
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='360tray.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='360tray.exe'" get ExecutablePath
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='HipsTray.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='HipsTray.exe'" get ExecutablePath
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='HipsDaemon.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='HipsDaemon.exe'" get ExecutablePath
      4⤵
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kislive.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kislive.exe'" get ExecutablePath
      4⤵
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kwsprotect64.exe'" get ExecutablePath
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kwsprotect64.exe'" get ExecutablePath
      4⤵
      PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxecenter.exe'" get ExecutablePath
    3⤵
    PID:2168
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxecenter.exe'" get ExecutablePath
      4⤵
      PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxescore.exe'" get ExecutablePath
    3⤵
    PID:2440
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxescore.exe'" get ExecutablePath
      4⤵
      PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxetray.exe'" get ExecutablePath
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxetray.exe'" get ExecutablePath
      4⤵
      PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='SecurityHealthSystray.exe'" get ExecutablePath
    3⤵
    PID:2700
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='SecurityHealthSystray.exe'" get ExecutablePath
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='360safe.exe'" get ExecutablePath
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='360safe.exe'" get ExecutablePath
      4⤵
      PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='360tray.exe'" get ExecutablePath
    3⤵
    PID:844
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='360tray.exe'" get ExecutablePath
      4⤵
      PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
    3⤵
    PID:912
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
      4⤵
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='HipsTray.exe'" get ExecutablePath
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='HipsTray.exe'" get ExecutablePath
      4⤵
      PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='HipsDaemon.exe'" get ExecutablePath
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='HipsDaemon.exe'" get ExecutablePath
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kislive.exe'" get ExecutablePath
    3⤵
    PID:992
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kislive.exe'" get ExecutablePath
      4⤵
      PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kwsprotect64.exe'" get ExecutablePath
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kwsprotect64.exe'" get ExecutablePath
      4⤵
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxecenter.exe'" get ExecutablePath
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxecenter.exe'" get ExecutablePath
      4⤵
      PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxescore.exe'" get ExecutablePath
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxescore.exe'" get ExecutablePath
      4⤵
      PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxetray.exe'" get ExecutablePath
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxetray.exe'" get ExecutablePath
      4⤵
      PID:884
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='SecurityHealthSystray.exe'" get ExecutablePath
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='SecurityHealthSystray.exe'" get ExecutablePath
      4⤵
      PID:1700

C:\Users\Admin\AppData\Local\Temp\eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d.exe
"C:\Users\Admin\AppData\Local\Temp\eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d.exe"
1⤵
- Loads dropped DLL
PID:2196
- C:\Users\Public\pro.exe
  "C:\Users\Public\pro.exe"
  2⤵
  - Executes dropped EXE
  PID:944
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='360safe.exe'" get ExecutablePath
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='360safe.exe'" get ExecutablePath
      4⤵
      PID:2904
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='360tray.exe'" get ExecutablePath
    3⤵
    PID:2836
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='360tray.exe'" get ExecutablePath
      4⤵
      PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
    3⤵
    PID:2636
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='HipsTray.exe'" get ExecutablePath
    3⤵
    PID:2600
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='HipsTray.exe'" get ExecutablePath
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='HipsDaemon.exe'" get ExecutablePath
    3⤵
    PID:2996
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='HipsDaemon.exe'" get ExecutablePath
      4⤵
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kislive.exe'" get ExecutablePath
    3⤵
    PID:2776
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kislive.exe'" get ExecutablePath
      4⤵
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kwsprotect64.exe'" get ExecutablePath
    3⤵
    PID:2380
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kwsprotect64.exe'" get ExecutablePath
      4⤵
      PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxecenter.exe'" get ExecutablePath
    3⤵
    PID:2168
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxecenter.exe'" get ExecutablePath
      4⤵
      PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxescore.exe'" get ExecutablePath
    3⤵
    PID:2440
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxescore.exe'" get ExecutablePath
      4⤵
      PID:1416
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxetray.exe'" get ExecutablePath
    3⤵
    PID:1804
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxetray.exe'" get ExecutablePath
      4⤵
      PID:1504
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='SecurityHealthSystray.exe'" get ExecutablePath
    3⤵
    PID:2700
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='SecurityHealthSystray.exe'" get ExecutablePath
      4⤵
      PID:2588
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='360safe.exe'" get ExecutablePath
    3⤵
    PID:2128
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='360safe.exe'" get ExecutablePath
      4⤵
      PID:2268
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='360tray.exe'" get ExecutablePath
    3⤵
    PID:844
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='360tray.exe'" get ExecutablePath
      4⤵
      PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
    3⤵
    PID:912
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='zhudongfangyu.exe'" get ExecutablePath
      4⤵
      PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='HipsTray.exe'" get ExecutablePath
    3⤵
    PID:1928
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='HipsTray.exe'" get ExecutablePath
      4⤵
      PID:1548
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='HipsDaemon.exe'" get ExecutablePath
    3⤵
    PID:1560
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='HipsDaemon.exe'" get ExecutablePath
      4⤵
      PID:1644
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kislive.exe'" get ExecutablePath
    3⤵
    PID:992
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kislive.exe'" get ExecutablePath
      4⤵
      PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kwsprotect64.exe'" get ExecutablePath
    3⤵
    PID:2000
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kwsprotect64.exe'" get ExecutablePath
      4⤵
      PID:900
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxecenter.exe'" get ExecutablePath
    3⤵
    PID:2404
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxecenter.exe'" get ExecutablePath
      4⤵
      PID:2184
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxescore.exe'" get ExecutablePath
    3⤵
    PID:1692
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxescore.exe'" get ExecutablePath
      4⤵
      PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='kxetray.exe'" get ExecutablePath
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='kxetray.exe'" get ExecutablePath
      4⤵
      PID:884
- - C:\Windows\SysWOW64\cmd.exe
    /c wmic process where "name='SecurityHealthSystray.exe'" get ExecutablePath
    3⤵
    PID:2176
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic process where "name='SecurityHealthSystray.exe'" get ExecutablePath
      4⤵
      PID:1700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\1.dat

Filesize
58KB

MD5
b98bb09252f2d4b26e09cdc21b5b890e

SHA1
6b345b5574e0e054138282f415fb2407461e26c5

SHA256
0467348f41a01fc9cd29dfbb8009fe136c4a5c3953ba71eda4aef5cad231657e

SHA512
a029686a6588fa5355c327c05eb044010c5dd3a7f9b2ff8a4959ec91f54d39bd6b0c69a052768d55f2edd888d754cb686eb876840a1ab7ef2aac2d2ba84f359a

Download Submit
C:\Users\Public\1.dat

Filesize
58KB

MD5
b98bb09252f2d4b26e09cdc21b5b890e

SHA1
6b345b5574e0e054138282f415fb2407461e26c5

SHA256
0467348f41a01fc9cd29dfbb8009fe136c4a5c3953ba71eda4aef5cad231657e

SHA512
a029686a6588fa5355c327c05eb044010c5dd3a7f9b2ff8a4959ec91f54d39bd6b0c69a052768d55f2edd888d754cb686eb876840a1ab7ef2aac2d2ba84f359a

Download Submit
C:\Users\Public\pro.exe

Filesize
405KB

MD5
38f15ba372a681bfcb86502e36fefe70

SHA1
d62595e8a236b2b4e230c300788eb6e19cd6b4f7

SHA256
eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d

SHA512
92ce89637a99e41d4989a3bd528f88e056a0431bae50d2637aacc46640e492c70b8795d4d5d78951badb3e68631eea82a36369b895b9e4f212172c158649b182

Download Submit
C:\Users\Public\pro.exe

Filesize
405KB

MD5
38f15ba372a681bfcb86502e36fefe70

SHA1
d62595e8a236b2b4e230c300788eb6e19cd6b4f7

SHA256
eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d

SHA512
92ce89637a99e41d4989a3bd528f88e056a0431bae50d2637aacc46640e492c70b8795d4d5d78951badb3e68631eea82a36369b895b9e4f212172c158649b182

Download Submit
C:\Users\Public\pro.exe

Filesize
405KB

MD5
38f15ba372a681bfcb86502e36fefe70

SHA1
d62595e8a236b2b4e230c300788eb6e19cd6b4f7

SHA256
eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d

SHA512
92ce89637a99e41d4989a3bd528f88e056a0431bae50d2637aacc46640e492c70b8795d4d5d78951badb3e68631eea82a36369b895b9e4f212172c158649b182

Download Submit
C:\Users\Public\pro.exe

Filesize
405KB

MD5
38f15ba372a681bfcb86502e36fefe70

SHA1
d62595e8a236b2b4e230c300788eb6e19cd6b4f7

SHA256
eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d

SHA512
92ce89637a99e41d4989a3bd528f88e056a0431bae50d2637aacc46640e492c70b8795d4d5d78951badb3e68631eea82a36369b895b9e4f212172c158649b182

Download Submit
\Users\Public\pro.exe

Filesize
405KB

MD5
38f15ba372a681bfcb86502e36fefe70

SHA1
d62595e8a236b2b4e230c300788eb6e19cd6b4f7

SHA256
eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d

SHA512
92ce89637a99e41d4989a3bd528f88e056a0431bae50d2637aacc46640e492c70b8795d4d5d78951badb3e68631eea82a36369b895b9e4f212172c158649b182

Download Submit
\Users\Public\pro.exe

Filesize
405KB

MD5
38f15ba372a681bfcb86502e36fefe70

SHA1
d62595e8a236b2b4e230c300788eb6e19cd6b4f7

SHA256
eaeeacb51c0634ee2f7fd76cb9c27a8d2742e58b7e8325a5c264ea7a4fc0c94d

SHA512
92ce89637a99e41d4989a3bd528f88e056a0431bae50d2637aacc46640e492c70b8795d4d5d78951badb3e68631eea82a36369b895b9e4f212172c158649b182

Download Submit
memory/944-41-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/944-13-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/944-18-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/944-42-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/944-41-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/944-42-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/944-18-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/944-13-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/1700-51-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/1700-51-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/2196-10-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2196-12-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/2196-6-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/2196-0-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/2196-0-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/2196-12-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download
memory/2196-10-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2196-6-0x0000000010000000-0x000000001014C000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads