Analysis

max time kernel: 148s
max time network: 146s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 28/04/2024, 03:15

Static task: static1
Behavioral task: behavioral1
Sample: 6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
Resource: win7-20240215-en
General

Target: 6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
Size: 9.1MB
MD5: 19beac0f25da3868810921f25e10bd47
SHA1: 57a8a3df66829a38c171acce3f3d3fa6b601cf12
SHA256: 6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f
SHA512: 824d5eaff1fa09d1038fd33645a9ecd4541e84ba59aebbbd5d7d25e0c503bbd489ac5ed899e9b0f02e1914072ccc322e0097e63ebe895baba86512f7b32d5e83
SSDEEP: 196608:hyEbJ8kKU1qXmuNXCf9CeBlXXuWEA1HaugJKvgabfT8z//QTDQsN99x:hbK8qWf9CeXXeWVYKoabfT6QT0sT9x
Malware Config

Signatures

Gh0st RAT payload  8 IoCs

resource  yara_rule
behavioral1/memory/844-134-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral1/memory/844-133-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral1/memory/844-132-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral1/memory/844-131-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral1/memory/2076-161-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral1/memory/2076-163-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral1/memory/988-186-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
behavioral1/memory/988-184-0x0000000010000000-0x000000001018F000-memory.dmp  family_gh0strat
ACProtect 1.3x - 1.4x DLL software  1 IoCs
Detects file using ACProtect software.

resource  yara_rule
behavioral1/files/0x00070000000161b3-13.dat  acprotect
Executes dropped EXE  64 IoCs

pid  Process
2484  winos.exe
2964  kpzs.exe
2932  kpzs.exe
1248  kpzs.exe
1988  kpzs.exe
1028  EPEvenue_SB.exe
844  EPEvenue_SB.exe
2884  EPEvenue_SB.exe
2076  EPEvenue_SB.exe
1656  EPEvenue_SB.exe
988  EPEvenue_SB.exe
2120  EPEvenue_SB.exe
2180  EPEvenue_SB.exe
756  EPEvenue_SB.exe
2332  EPEvenue_SB.exe
2900  EPEvenue_SB.exe
2248  EPEvenue_SB.exe
1936  EPEvenue_SB.exe
880  EPEvenue_SB.exe
2296  EPEvenue_SB.exe
2204  EPEvenue_SB.exe
2580  EPEvenue_SB.exe
2648  EPEvenue_SB.exe
2708  EPEvenue_SB.exe
2720  EPEvenue_SB.exe
2588  EPEvenue_SB.exe
2800  EPEvenue_SB.exe
1984  EPEvenue_SB.exe
2448  EPEvenue_SB.exe
1940  EPEvenue_SB.exe
2748  EPEvenue_SB.exe
1924  EPEvenue_SB.exe
2212  EPEvenue_SB.exe
2396  EPEvenue_SB.exe
2888  EPEvenue_SB.exe
584  EPEvenue_SB.exe
1056  EPEvenue_SB.exe
1972  EPEvenue_SB.exe
1752  EPEvenue_SB.exe
1876  EPEvenue_SB.exe
2052  EPEvenue_SB.exe
1048  EPEvenue_SB.exe
912  EPEvenue_SB.exe
1628  EPEvenue_SB.exe
1700  EPEvenue_SB.exe
1584  EPEvenue_SB.exe
2164  EPEvenue_SB.exe
1756  EPEvenue_SB.exe
2056  EPEvenue_SB.exe
2608  EPEvenue_SB.exe
2576  EPEvenue_SB.exe
2480  EPEvenue_SB.exe
2684  EPEvenue_SB.exe
2624  EPEvenue_SB.exe
2768  EPEvenue_SB.exe
1740  EPEvenue_SB.exe
1956  EPEvenue_SB.exe
768  EPEvenue_SB.exe
3000  EPEvenue_SB.exe
2992  EPEvenue_SB.exe
2000  EPEvenue_SB.exe
2436  EPEvenue_SB.exe
2316  EPEvenue_SB.exe
640  EPEvenue_SB.exe
Loads dropped DLL  64 IoCs

pid  Process
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2964  kpzs.exe
2964  kpzs.exe
2932  kpzs.exe
2932  kpzs.exe
1248  kpzs.exe
1248  kpzs.exe
1988  kpzs.exe
1988  kpzs.exe
2484  winos.exe
2484  winos.exe
1028  EPEvenue_SB.exe
1028  EPEvenue_SB.exe
1028  EPEvenue_SB.exe
2484  winos.exe
2884  EPEvenue_SB.exe
2884  EPEvenue_SB.exe
2884  EPEvenue_SB.exe
2484  winos.exe
1656  EPEvenue_SB.exe
1656  EPEvenue_SB.exe
1656  EPEvenue_SB.exe
2484  winos.exe
2120  EPEvenue_SB.exe
2120  EPEvenue_SB.exe
2120  EPEvenue_SB.exe
2484  winos.exe
756  EPEvenue_SB.exe
756  EPEvenue_SB.exe
756  EPEvenue_SB.exe
2484  winos.exe
2900  EPEvenue_SB.exe
2900  EPEvenue_SB.exe
2900  EPEvenue_SB.exe
2484  winos.exe
1936  EPEvenue_SB.exe
1936  EPEvenue_SB.exe
1936  EPEvenue_SB.exe
2484  winos.exe
2296  EPEvenue_SB.exe
2296  EPEvenue_SB.exe
2296  EPEvenue_SB.exe
2484  winos.exe
2580  EPEvenue_SB.exe
2580  EPEvenue_SB.exe
2580  EPEvenue_SB.exe
2484  winos.exe
2708  EPEvenue_SB.exe
2708  EPEvenue_SB.exe
2708  EPEvenue_SB.exe
2484  winos.exe
2588  EPEvenue_SB.exe
2588  EPEvenue_SB.exe

resource  yara_rule
behavioral1/files/0x00070000000161b3-13.dat  upx
behavioral1/memory/2416-14-0x0000000074DC0000-0x0000000074E7C000-memory.dmp  upx
behavioral1/memory/844-129-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral1/memory/844-134-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral1/memory/844-133-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral1/memory/844-132-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral1/memory/844-131-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral1/memory/2076-161-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral1/memory/2076-163-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral1/memory/988-186-0x0000000010000000-0x000000001018F000-memory.dmp  upx
behavioral1/memory/988-184-0x0000000010000000-0x000000001018F000-memory.dmp  upx
Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives  3 TTPs  22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

description  ioc  Process
File opened (read-only)  \??\I:  EPEvenue_SB.exe
File opened (read-only)  \??\L:  EPEvenue_SB.exe
File opened (read-only)  \??\P:  EPEvenue_SB.exe
File opened (read-only)  \??\Q:  EPEvenue_SB.exe
File opened (read-only)  \??\S:  EPEvenue_SB.exe
File opened (read-only)  \??\U:  EPEvenue_SB.exe
File opened (read-only)  \??\T:  EPEvenue_SB.exe
File opened (read-only)  \??\X:  EPEvenue_SB.exe
File opened (read-only)  \??\B:  EPEvenue_SB.exe
File opened (read-only)  \??\E:  EPEvenue_SB.exe
File opened (read-only)  \??\G:  EPEvenue_SB.exe
File opened (read-only)  \??\H:  EPEvenue_SB.exe
File opened (read-only)  \??\M:  EPEvenue_SB.exe
File opened (read-only)  \??\R:  EPEvenue_SB.exe
File opened (read-only)  \??\Y:  EPEvenue_SB.exe
File opened (read-only)  \??\Z:  EPEvenue_SB.exe
File opened (read-only)  \??\K:  EPEvenue_SB.exe
File opened (read-only)  \??\N:  EPEvenue_SB.exe
File opened (read-only)  \??\W:  EPEvenue_SB.exe
File opened (read-only)  \??\J:  EPEvenue_SB.exe
File opened (read-only)  \??\O:  EPEvenue_SB.exe
File opened (read-only)  \??\V:  EPEvenue_SB.exe
Suspicious use of SetThreadContext  62 IoCs

description  pid  Process  procid_target
PID 1028 set thread context of 844  1028  EPEvenue_SB.exe  34
PID 2884 set thread context of 2076  2884  EPEvenue_SB.exe  36
PID 1656 set thread context of 988  1656  EPEvenue_SB.exe  38
PID 2120 set thread context of 2180  2120  EPEvenue_SB.exe  40
PID 756 set thread context of 2332  756  EPEvenue_SB.exe  42
PID 2900 set thread context of 2248  2900  EPEvenue_SB.exe  44
PID 1936 set thread context of 880  1936  EPEvenue_SB.exe  46
PID 2296 set thread context of 2204  2296  EPEvenue_SB.exe  48
PID 2580 set thread context of 2648  2580  EPEvenue_SB.exe  50
PID 2708 set thread context of 2720  2708  EPEvenue_SB.exe  52
PID 2588 set thread context of 2800  2588  EPEvenue_SB.exe  54
PID 1984 set thread context of 2448  1984  EPEvenue_SB.exe  56
PID 1940 set thread context of 2748  1940  EPEvenue_SB.exe  60
PID 1924 set thread context of 2212  1924  EPEvenue_SB.exe  62
PID 2396 set thread context of 2888  2396  EPEvenue_SB.exe  64
PID 584 set thread context of 1056  584  EPEvenue_SB.exe  66
PID 1972 set thread context of 1752  1972  EPEvenue_SB.exe  68
PID 1876 set thread context of 2052  1876  EPEvenue_SB.exe  70
PID 1048 set thread context of 912  1048  EPEvenue_SB.exe  72
PID 1628 set thread context of 1700  1628  EPEvenue_SB.exe  74
PID 1584 set thread context of 2164  1584  EPEvenue_SB.exe  76
PID 1756 set thread context of 2056  1756  EPEvenue_SB.exe  78
PID 2608 set thread context of 2576  2608  EPEvenue_SB.exe  80
PID 2480 set thread context of 2684  2480  EPEvenue_SB.exe  82
PID 2624 set thread context of 2768  2624  EPEvenue_SB.exe  84
PID 1740 set thread context of 1956  1740  EPEvenue_SB.exe  86
PID 768 set thread context of 3000  768  EPEvenue_SB.exe  88
PID 2992 set thread context of 2000  2992  EPEvenue_SB.exe  90
PID 2436 set thread context of 2316  2436  EPEvenue_SB.exe  92
PID 640 set thread context of 1132  640  EPEvenue_SB.exe  94
PID 676 set thread context of 356  676  EPEvenue_SB.exe  96
PID 1000 set thread context of 756  1000  EPEvenue_SB.exe  98
PID 2032 set thread context of 1748  2032  EPEvenue_SB.exe  100
PID 2320 set thread context of 2532  2320  EPEvenue_SB.exe  102
PID 2296 set thread context of 3044  2296  EPEvenue_SB.exe  104
PID 2672 set thread context of 2652  2672  EPEvenue_SB.exe  106
PID 2584 set thread context of 2492  2584  EPEvenue_SB.exe  108
PID 240 set thread context of 2824  240  EPEvenue_SB.exe  110
PID 2844 set thread context of 2932  2844  EPEvenue_SB.exe  112
PID 3004 set thread context of 3020  3004  EPEvenue_SB.exe  114
PID 1368 set thread context of 1920  1368  EPEvenue_SB.exe  116
PID 2072 set thread context of 672  2072  EPEvenue_SB.exe  118
PID 1500 set thread context of 772  1500  EPEvenue_SB.exe  120
PID 2128 set thread context of 640  2128  EPEvenue_SB.exe  122
PID 960 set thread context of 784  960  EPEvenue_SB.exe  124
PID 2336 set thread context of 1432  2336  EPEvenue_SB.exe  126
PID 1320 set thread context of 1744  1320  EPEvenue_SB.exe  128
PID 2108 set thread context of 764  2108  EPEvenue_SB.exe  130
PID 1664 set thread context of 1856  1664  EPEvenue_SB.exe  132
PID 2328 set thread context of 2260  2328  EPEvenue_SB.exe  134
PID 320 set thread context of 2676  320  EPEvenue_SB.exe  136
PID 2452 set thread context of 2704  2452  EPEvenue_SB.exe  138
PID 1948 set thread context of 2136  1948  EPEvenue_SB.exe  140
PID 1264 set thread context of 1572  1264  EPEvenue_SB.exe  142
PID 2276 set thread context of 2140  2276  EPEvenue_SB.exe  144
PID 588 set thread context of 2880  588  EPEvenue_SB.exe  146
PID 812 set thread context of 2512  812  EPEvenue_SB.exe  148
PID 1592 set thread context of 1096  1592  EPEvenue_SB.exe  150
PID 2084 set thread context of 1112  2084  EPEvenue_SB.exe  152
PID 1048 set thread context of 1648  1048  EPEvenue_SB.exe  154
PID 2228 set thread context of 908  2228  EPEvenue_SB.exe  156
PID 1436 set thread context of 1604  1436  EPEvenue_SB.exe  158
Drops file in Program Files directory  12 IoCs

description  ioc  Process
File created  C:\Program Files (x86)\12\12345678.exe  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
File created  C:\Program Files (x86)\12\EPEvenue_SB.exe  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
File created  C:\Program Files (x86)\12\kpzs.exe  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
File created  C:\Program Files (x86)\12\msvcr100.dll  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
File created  C:\Program Files (x86)\12\vcl70.bpl  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
File created  C:\Program Files (x86)\12\winos.exe  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
File created  C:\Program Files (x86)\12\XPFarmer.bpl  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
File created  C:\Program Files (x86)\12\CefControl.dll  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
File created  C:\Program Files (x86)\12\DuiLib.dll  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
File created  C:\Program Files (x86)\12\libcef.dll  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
File created  C:\Program Files (x86)\12\msvcp100.dll  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
File created  C:\Program Files (x86)\12\rtl70.bpl  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry  2 TTPs  2 IoCs
Processor information is often read in order to detect sandboxing environments.

description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  EPEvenue_SB.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  EPEvenue_SB.exe
Suspicious behavior: EnumeratesProcesses  64 IoCs

pid  Process
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2416  6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe
2484  winos.exe
2484  winos.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
844  EPEvenue_SB.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
2484  winos.exe
Suspicious use of AdjustPrivilegeToken  64 IoCs

description  pid  Process
Token: SeDebugPrivilege  844  EPEvenue_SB.exe
Token: SeDebugPrivilege  2076  EPEvenue_SB.exe
Token: SeDebugPrivilege  988  EPEvenue_SB.exe
Token: SeDebugPrivilege  2180  EPEvenue_SB.exe
Token: SeDebugPrivilege  2332  EPEvenue_SB.exe
Token: SeDebugPrivilege  2248  EPEvenue_SB.exe
Token: SeDebugPrivilege  880  EPEvenue_SB.exe
Token: SeDebugPrivilege  2204  EPEvenue_SB.exe
Token: SeDebugPrivilege  2648  EPEvenue_SB.exe
Token: SeDebugPrivilege  2720  EPEvenue_SB.exe
Token: SeDebugPrivilege  2800  EPEvenue_SB.exe
Token: SeDebugPrivilege  2448  EPEvenue_SB.exe
Token: SeDebugPrivilege  2748  EPEvenue_SB.exe
Token: SeDebugPrivilege  2212  EPEvenue_SB.exe
Token: SeDebugPrivilege  2888  EPEvenue_SB.exe
Token: SeDebugPrivilege  1056  EPEvenue_SB.exe
Token: SeDebugPrivilege  1752  EPEvenue_SB.exe
Token: SeDebugPrivilege  2052  EPEvenue_SB.exe
Token: SeDebugPrivilege  912  EPEvenue_SB.exe
Token: SeDebugPrivilege  1700  EPEvenue_SB.exe
Token: SeDebugPrivilege  2056  EPEvenue_SB.exe
Token: SeDebugPrivilege  2576  EPEvenue_SB.exe
Token: SeDebugPrivilege  2684  EPEvenue_SB.exe
Token: SeDebugPrivilege  2768  EPEvenue_SB.exe
Token: SeDebugPrivilege  1956  EPEvenue_SB.exe
Token: SeDebugPrivilege  3000  EPEvenue_SB.exe
Token: SeDebugPrivilege  2000  EPEvenue_SB.exe
Token: SeDebugPrivilege  2316  EPEvenue_SB.exe
Token: SeDebugPrivilege  1132  EPEvenue_SB.exe
Token: 33  844  EPEvenue_SB.exe
Token: SeIncBasePriorityPrivilege  844  EPEvenue_SB.exe
Token: SeDebugPrivilege  356  EPEvenue_SB.exe
Token: SeDebugPrivilege  756  EPEvenue_SB.exe
Token: SeDebugPrivilege  1748  EPEvenue_SB.exe
Token: SeDebugPrivilege  2532  EPEvenue_SB.exe
Token: SeDebugPrivilege  3044  EPEvenue_SB.exe
Token: SeDebugPrivilege  2652  EPEvenue_SB.exe
Token: SeDebugPrivilege  2492  EPEvenue_SB.exe
Token: SeDebugPrivilege  2824  EPEvenue_SB.exe
Token: SeDebugPrivilege  2932  EPEvenue_SB.exe
Token: SeDebugPrivilege  3020  EPEvenue_SB.exe
Token: SeDebugPrivilege  1920  EPEvenue_SB.exe
Token: SeDebugPrivilege  672  EPEvenue_SB.exe
Token: SeDebugPrivilege  772  EPEvenue_SB.exe
Token: SeDebugPrivilege  640  EPEvenue_SB.exe
Token: SeDebugPrivilege  784  EPEvenue_SB.exe
Token: SeDebugPrivilege  1432  EPEvenue_SB.exe
Token: SeDebugPrivilege  1744  EPEvenue_SB.exe
Token: SeDebugPrivilege  764  EPEvenue_SB.exe
Token: SeDebugPrivilege  1856  EPEvenue_SB.exe
Token: SeDebugPrivilege  2260  EPEvenue_SB.exe
Token: SeDebugPrivilege  2676  EPEvenue_SB.exe
Token: SeDebugPrivilege  2704  EPEvenue_SB.exe
Token: SeDebugPrivilege  2136  EPEvenue_SB.exe
Token: SeDebugPrivilege  1572  EPEvenue_SB.exe
Token: SeDebugPrivilege  2140  EPEvenue_SB.exe
Token: SeDebugPrivilege  2880  EPEvenue_SB.exe
Token: SeDebugPrivilege  2512  EPEvenue_SB.exe
Token: SeDebugPrivilege  1096  EPEvenue_SB.exe
Token: SeDebugPrivilege  1112  EPEvenue_SB.exe
Token: SeDebugPrivilege  1648  EPEvenue_SB.exe
Token: 33  844  EPEvenue_SB.exe
Token: SeIncBasePriorityPrivilege  844  EPEvenue_SB.exe
Token: SeDebugPrivilege  908  EPEvenue_SB.exe
Suspicious use of WriteProcessMemory  64 IoCs

description  pid  Process  procid_target
PID 2484 wrote to memory of 2964  2484  winos.exe  29
PID 2484 wrote to memory of 2964  2484  winos.exe  29
PID 2484 wrote to memory of 2964  2484  winos.exe  29
PID 2484 wrote to memory of 2964  2484  winos.exe  29
PID 2484 wrote to memory of 1248  2484  winos.exe  31
PID 2484 wrote to memory of 1248  2484  winos.exe  31
PID 2484 wrote to memory of 1248  2484  winos.exe  31
PID 2484 wrote to memory of 1248  2484  winos.exe  31
PID 2484 wrote to memory of 1028  2484  winos.exe  33
PID 2484 wrote to memory of 1028  2484  winos.exe  33
PID 2484 wrote to memory of 1028  2484  winos.exe  33
PID 2484 wrote to memory of 1028  2484  winos.exe  33
PID 1028 wrote to memory of 844  1028  EPEvenue_SB.exe  34
PID 1028 wrote to memory of 844  1028  EPEvenue_SB.exe  34
PID 1028 wrote to memory of 844  1028  EPEvenue_SB.exe  34
PID 1028 wrote to memory of 844  1028  EPEvenue_SB.exe  34
PID 1028 wrote to memory of 844  1028  EPEvenue_SB.exe  34
PID 1028 wrote to memory of 844  1028  EPEvenue_SB.exe  34
PID 2484 wrote to memory of 2884  2484  winos.exe  35
PID 2484 wrote to memory of 2884  2484  winos.exe  35
PID 2484 wrote to memory of 2884  2484  winos.exe  35
PID 2484 wrote to memory of 2884  2484  winos.exe  35
PID 2884 wrote to memory of 2076  2884  EPEvenue_SB.exe  36
PID 2884 wrote to memory of 2076  2884  EPEvenue_SB.exe  36
PID 2884 wrote to memory of 2076  2884  EPEvenue_SB.exe  36
PID 2884 wrote to memory of 2076  2884  EPEvenue_SB.exe  36
PID 2884 wrote to memory of 2076  2884  EPEvenue_SB.exe  36
PID 2884 wrote to memory of 2076  2884  EPEvenue_SB.exe  36
PID 2484 wrote to memory of 1656  2484  winos.exe  37
PID 2484 wrote to memory of 1656  2484  winos.exe  37
PID 2484 wrote to memory of 1656  2484  winos.exe  37
PID 2484 wrote to memory of 1656  2484  winos.exe  37
PID 1656 wrote to memory of 988  1656  EPEvenue_SB.exe  38
PID 1656 wrote to memory of 988  1656  EPEvenue_SB.exe  38
PID 1656 wrote to memory of 988  1656  EPEvenue_SB.exe  38
PID 1656 wrote to memory of 988  1656  EPEvenue_SB.exe  38
PID 1656 wrote to memory of 988  1656  EPEvenue_SB.exe  38
PID 1656 wrote to memory of 988  1656  EPEvenue_SB.exe  38
PID 2484 wrote to memory of 2120  2484  winos.exe  39
PID 2484 wrote to memory of 2120  2484  winos.exe  39
PID 2484 wrote to memory of 2120  2484  winos.exe  39
PID 2484 wrote to memory of 2120  2484  winos.exe  39
PID 2120 wrote to memory of 2180  2120  EPEvenue_SB.exe  40
PID 2120 wrote to memory of 2180  2120  EPEvenue_SB.exe  40
PID 2120 wrote to memory of 2180  2120  EPEvenue_SB.exe  40
PID 2120 wrote to memory of 2180  2120  EPEvenue_SB.exe  40
PID 2120 wrote to memory of 2180  2120  EPEvenue_SB.exe  40
PID 2120 wrote to memory of 2180  2120  EPEvenue_SB.exe  40
PID 2484 wrote to memory of 756  2484  winos.exe  41
PID 2484 wrote to memory of 756  2484  winos.exe  41
PID 2484 wrote to memory of 756  2484  winos.exe  41
PID 2484 wrote to memory of 756  2484  winos.exe  41
PID 756 wrote to memory of 2332  756  EPEvenue_SB.exe  42
PID 756 wrote to memory of 2332  756  EPEvenue_SB.exe  42
PID 756 wrote to memory of 2332  756  EPEvenue_SB.exe  42
PID 756 wrote to memory of 2332  756  EPEvenue_SB.exe  42
PID 756 wrote to memory of 2332  756  EPEvenue_SB.exe  42
PID 756 wrote to memory of 2332  756  EPEvenue_SB.exe  42
PID 2484 wrote to memory of 2900  2484  winos.exe  43
PID 2484 wrote to memory of 2900  2484  winos.exe  43
PID 2484 wrote to memory of 2900  2484  winos.exe  43
PID 2484 wrote to memory of 2900  2484  winos.exe  43
PID 2900 wrote to memory of 2248  2900  EPEvenue_SB.exe  44
PID 2900 wrote to memory of 2248  2900  EPEvenue_SB.exe  44
Processes

Each entry gives the image path, the command line and the nesting depth, followed by the signatures that fired for that process and its PID.

C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe  "C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe"  (depth 1)
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2416

C:\Program Files (x86)\12\winos.exe  "C:\Program Files (x86)\12\winos.exe"  (depth 1)
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2484

  C:\Program Files (x86)\12\kpzs.exe  "C:\Program Files (x86)\12\kpzs.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2964

  C:\Program Files (x86)\12\kpzs.exe  "C:\Program Files (x86)\12\kpzs.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1248

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1028

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Enumerates connected drives
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:844

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2884

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2076

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1656

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:988

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2120

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2180

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:756

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2332

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2900

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2248

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:1936

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:880

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2296

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2204

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2580

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2648

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2708

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2720

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    PID:2588

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2800

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1984

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2448

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1940

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2748

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1924

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2212

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2396

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2888

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:584

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:1056

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1972

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:1752

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1876

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2052

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1048

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:912

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1628

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:1700

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1584

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      PID:2164

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1756

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2056

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2608

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2576

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2480

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2684

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2624

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2768

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1740

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:1956

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:768

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:3000

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2992

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2000

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2436

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      PID:2316

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:640

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Suspicious use of AdjustPrivilegeToken
      PID:1132

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Suspicious use of SetThreadContext
    PID:676

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Suspicious use of AdjustPrivilegeToken
      PID:356

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Suspicious use of SetThreadContext
    PID:1000

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Suspicious use of AdjustPrivilegeToken
      PID:756

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Suspicious use of SetThreadContext
    PID:2032

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Suspicious use of AdjustPrivilegeToken
      PID:1748

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Suspicious use of SetThreadContext
    PID:2320

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Suspicious use of AdjustPrivilegeToken
      PID:2532

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Suspicious use of SetThreadContext
    PID:2296

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Suspicious use of AdjustPrivilegeToken
      PID:3044

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Suspicious use of SetThreadContext
    PID:2672

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Suspicious use of AdjustPrivilegeToken
      PID:2652

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Suspicious use of SetThreadContext
    PID:2584

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Suspicious use of AdjustPrivilegeToken
      PID:2492

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Suspicious use of SetThreadContext
    PID:240

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
      - Suspicious use of AdjustPrivilegeToken
      PID:2824

  C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 2)
    - Suspicious use of SetThreadContext
    PID:2844

    C:\Program Files (x86)\12\EPEvenue_SB.exe  "C:\Program Files (x86)\12\EPEvenue_SB.exe"  (depth 3)
- Suspicious use of AdjustPrivilegeToken
PID:2932
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:3004 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3020
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:1368 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:2072 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:672
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:1500 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:772
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:2128 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:640
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:960 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:784
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:2336 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1432
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:1320 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:2108 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:1664 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1856
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:2328 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:320 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2676
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:2452 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:1948 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2136
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:1264 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:2276 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:588 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2880
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:812 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:1592 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1096
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:2084 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1112
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:1048 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:2228 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:908
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵
- Suspicious use of SetThreadContext
PID:1436 -
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵PID:1604
-
-
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"2⤵PID:3060
-
C:\Program Files (x86)\12\EPEvenue_SB.exe"C:\Program Files (x86)\12\EPEvenue_SB.exe"3⤵PID:1168
-
-
-
C:\Program Files (x86)\12\kpzs.exe"C:\Program Files (x86)\12\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\CB89295E841A410291D7EC.lnk"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932
-
C:\Program Files (x86)\12\kpzs.exe"C:\Program Files (x86)\12\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\E2FA73F6F70C48248280D3.lnk"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 302KB
  MD5: e027843c3e66ddd0b8cebbaf027497b1
  SHA1: 51671beb478ffcbb99fee5d34cb030efb44fe1b7
  SHA256: 09fea0e5f7b57b9ce700d52bc1ed58d3336eb7a9e04ceefd1b5246e4a3bc4c24
  SHA512: fff8b36c2b5a1d4dadc0995d91b70317ce83de9c7f36613d64d9dbee1fe1293b8e8469b2f4239584e005675049f6eb67b4a04edc03247731b9b0f3fe45097e85

- Filesize: 590KB
  MD5: 037d4ae83b30c3ba8f7f23e54a168bb2
  SHA1: 05a291f0397928c30d5b8fd4980c9ffb0472a4e7
  SHA256: 2422e71145ae364a4992cf37eba2938e541253bec467419ea6d1f037822c77f4
  SHA512: fe2119eb042044049e0916086a815b19af8873133ea85edb8657533abeea95d2608aae3a6a0519132a7d064726121ae792ba9a22d6393f43ec1f28e1f857dac4

- Filesize: 2.2MB
  MD5: cbfc4a8bc75a556dd97981531fadd751
  SHA1: 25e8eccb28e804db23d1d5123f3766d29b99294f
  SHA256: 4640ad02300c1311697c5592acdcfa59dba923eae1f2f2cb215a4a09d5055676
  SHA512: 3b02ea196b431e44a242ddafb0392420f1221b95e4a987a453bf3b1f72cc9ff707df7d5ff27f421edac0b6138cfa0205a98abf1dd92c7c5defcfdae2db34988c

- Filesize: 1.1MB
  MD5: 4ddce14e5c6c09bbe5154167a74d271e
  SHA1: 3985cd3c8b49fcaa9c9dd244ef53d9e86889a3ad
  SHA256: 37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a
  SHA512: f49cf8709fbc1a507416cc61c0678cf153d8fab38527d8e9eece7619196e4c194be437e57de635bea511cdcde7bc62469380f97005b7202c625ae6ceb70b610b

- Filesize: 72KB
  MD5: 3ffb2d1b619bd7841df50aaf619922fd
  SHA1: 6973d1b9f33ceb741569db9d0d1fa06712a2565e
  SHA256: 8ce68528e25b86977f18d42c8c5dddbd6e6f24f34a340d447f4b4db0cb96bfbe
  SHA512: 7855b96335088bb718215eeea63d6d36c871f3f946de3de48fcc0bb7666cc61c7922f7c84d886d19c5454d283971a5e704c2cc97795c629fc20183c29040d4da

- Filesize: 3.1MB
  MD5: e7a550ef58c53720969017f4b739c967
  SHA1: 82cbe82ca632c2fcb3cd2f280593462ddb9fc708
  SHA256: 5fb627f9bd0621f097fc51be7d22373ead7afafbeacbed584fea07d0cf38a000
  SHA512: d583ad302fc6f9db08ec08dfeca8c4d48619903e41e8024178a2195dfc508d9a057cdd25dcc6cf2d0fd688916ec7fc1c276ae1978e0b81293907801633508704

- Filesize: 100KB
  MD5: c6a6e03f77c313b267498515488c5740
  SHA1: 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
  SHA256: b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
  SHA512: 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

- Filesize: 12KB
  MD5: e38d8ff9f749ee1b141a122fec7280e0
  SHA1: fbc8e410ef716fdb36977e5c16d3373a6100189a
  SHA256: 00f7604d4f36a728c7759f4d9cf3e30c9728c503557aac49bbcd55cfc3e4fcb4
  SHA512: 2b1dccf42d435445331291db94f869c4e8f6dcdfe4371969e76ee275d4e845e1d2e947c216f80484a7dd4b8e85158298e6ec7ed9add6d4259c07fdf87c316a8f

- Filesize: 288KB
  MD5: 1e88afb7fe5b58d09d8a1b631e442538
  SHA1: 9ddb655cb32d002f68bdee962ce917002faa3614
  SHA256: 21a9a74fd631030981cdca42ab580f5aa030068ab80c183b73e99bea2d4f7708
  SHA512: a7723bd73f55a716ea450f075d7a4fc7cd2080992c56ad67b6d46fdf4e30cef386068e1f4c2c788764cb092b529589cc1119ea2d62d07e32ea6d201e3afaf876

- Filesize: 344KB
  MD5: bf53c6eaf4dfb9ecc11afba92e0a3c9a
  SHA1: cacbaa3c4dc7a0d0cc365f746e468a3013473063
  SHA256: 727877e75ee79f940288f0c086e78ff3beae1c6c04894eb7350bdd02d7983139
  SHA512: affb46fefbcea4278e82e34206aaa7afbf1b394d9e7c2708ce8cd67a68c122a9978496c24dd1d1b5db175096ddb6aecf151df7c04be41a6847708ba70fbc611e

- Filesize: 1.5MB
  MD5: b6b5969b658b647fa0c6ec11de139c96
  SHA1: 87b0e1176b5d5cae31bee708c8daa383da4adf02
  SHA256: a2b6b2c4e1a49809936780149416e8cbb793a0631f81f746350c3c06fcd2bc8e
  SHA512: 28b4ef210ac75e5d93ed7f99ed39e7bc1d918852a5f34ff0a95d0f4c742f190a969e5be30dd1845457d0880e1ce1975fb9d5e614de5b5b5e66e362ec3bde3842

- Filesize: 411KB
  MD5: e3c817f7fe44cc870ecdbcbc3ea36132
  SHA1: 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
  SHA256: d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
  SHA512: 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

- Filesize: 755KB
  MD5: bf38660a9125935658cfa3e53fdc7d65
  SHA1: 0b51fb415ec89848f339f8989d323bea722bfd70
  SHA256: 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
  SHA512: 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

- Filesize: 1.4MB
  MD5: 99b6a3a2b79d83857bd5129124592f8c
  SHA1: e627d960ab29f7003ac0ea15e098bf5ada37ed3d
  SHA256: d4876325de6084019f844d69b34079716746a5e52585b74bbb366d0152f0313d
  SHA512: 7e02a0eacf25cbfa3b685821b8cf697a6b2b125b6067337a7def18b58e7da6c216d396aefee1928c667900915ee0ee3a616e80985b77632c47f964899d835e1c

- Filesize: 1.3MB
  MD5: 16a1c27ed415d1816f8888ea2cefb3f6
  SHA1: 80db800b805d548f6df4eb2cb37ba2064dc37c05
  SHA256: a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390
  SHA512: 68a3e563dd9745210eb7295cde692af68cd5fc430a95856f4823dc10e42d067f332ae1d2445e8810e0c15c3c779e195735bd311c45e9690cb05dbedcd7354306

- Filesize: 5.2MB
  MD5: dfff7fdeb342305504b35b2261eab611
  SHA1: 000f37471c5cf6d245848368d3eec4c1a21b624e
  SHA256: 2df0837884c042ec6c889702bed52df643722e9f949b4f2d7b9834ae42c6f246
  SHA512: 588b6f3fdf64c695c0b4465f78ae6eaf36a9b350b9ccd2fd5e891ae1b4e36329403184a2e0f60dc45d7ca33f43a0546ae24c909f3b82e5f402b03bf46fdb01d8

- Filesize: 2KB
  MD5: 33ec04738007e665059cf40bc0f0c22b
  SHA1: 4196759a922e333d9b17bda5369f14c33cd5e3bc
  SHA256: 50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be
  SHA512: 2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

- Filesize: 4KB
  MD5: 88d3e48d1c1a051c702d47046ade7b4c
  SHA1: 8fc805a8b7900b6ba895d1b809a9f3ad4c730d23
  SHA256: 51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257
  SHA512: 83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7