Malware Analysis Report

2025-08-05 21:58

Sample ID 240428-dr43rsfb9y
Target 6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f
SHA256 6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f
Tags
gh0strat discovery rat upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f

Threat Level: Known bad

The file 6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f was found to be: Known bad.

Malicious Activity Summary

gh0strat discovery rat upx

Gh0st RAT payload

Gh0strat

Loads dropped DLL

UPX packed file

Executes dropped EXE

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

Enumerates connected drives

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-28 03:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-28 03:15

Reported

2024-04-28 03:18

Platform

win7-20240215-en

Max time kernel

148s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target Rows
N/A N/A N/A N/A 8

(8 matches; the export carries no indicator, process or target detail for any of them.)

Gh0strat

rat gh0strat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target Rows
N/A N/A C:\Program Files (x86)\12\winos.exe N/A 1
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A 4
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A 59

(64 rows, logged in the order winos.exe, kpzs.exe x4, EPEvenue_SB.exe x59; this and several other tables in the report stop at exactly 64 rows, so the counts are a lower bound rather than a total.)

Loads dropped DLL

Description Indicator Process Target Rows
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A 8
N/A N/A C:\Program Files (x86)\12\winos.exe N/A 16
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A 8
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A 32

(64 rows: the sample's 8 loads come first, then winos.exe x4, kpzs.exe x8, and from there winos.exe and EPEvenue_SB.exe rows alternate in groups of one and three; the table stops at exactly 64 rows, so the counts are a lower bound.)

UPX packed file

upx
Description Indicator Process Target Rows
N/A N/A N/A N/A 11

(11 matches; the export does not say which of the dropped or loaded files carry the UPX markers.)
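Two of this report's signatures, "Unsigned PE" from the static pass and "UPX packed file" here, are checks an analyst can reproduce on the file before detonation. The Python below is an added example and is not sandbox output or code from the sample: it parses the PE headers with the standard library only, returns the SHA256 for comparison with the report's, flags UPX section names, and reads the Authenticode certificate table, which is empty for an unsigned PE. The `build_min_pe` helper produces a headers-only PE32 skeleton as constructed test input; the function names and the dictionary keys are my choice.

```python
"""Static checks behind two signatures in this report, "Unsigned PE" and
"UPX packed file", using only the standard library."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table
SECTION_HEADER_SIZE = 40


def parse_pe(data):
    """Return section names and the certificate-table directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: data directories start 96 bytes into the optional header
        dd = opt + 96
    elif magic == 0x20B:  # PE32+: 112 bytes in
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # For the security directory the first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from(
        "<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size
    names = []
    for i in range(n_sections):
        start = table + SECTION_HEADER_SIZE * i
        names.append(data[start:start + 8].rstrip(b"\0").decode("latin-1"))
    return {"sections": names, "cert_table": (cert_off, cert_size)}


def triage(data, expected_sha256=None):
    """The pre-detonation checks; keys map onto the report's signature names."""
    info = parse_pe(data)
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "hash_matches": expected_sha256 is None or digest == expected_sha256.lower(),
        "sections": info["sections"],
        # UPX names its sections UPX0/UPX1 unless the packer was told to rename them
        "upx_sections": any(n.startswith("UPX") for n in info["sections"]),
        # "Unsigned PE": no Authenticode blob, i.e. an empty certificate table
        "authenticode_present": info["cert_table"][1] != 0,
    }


def build_min_pe(section_names, cert_size=0):
    """Constructed test input: a headers-only PE32 skeleton, not the analysed sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # PE32 optional header with all 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x2000 if cert_size else 0, cert_size)
    headers = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + headers


if __name__ == "__main__":
    for names in (["UPX0", "UPX1", ".rsrc"], [".text", ".rdata", ".data"]):
        print(triage(build_min_pe(names)))
```

Two caveats a practitioner should keep in mind. The section-name test is only a first pass: UPX can be told to rename its sections, and the sandbox's signature will have matched on more than names, so an absence of UPX0/UPX1 does not clear the file. And a populated certificate table only says a signature blob is attached; whether it chains to a trusted root has to be checked on Windows (signtool or Get-AuthenticodeSignature), which is the step this report's "Unsigned PE" verdict short-circuits because the table is empty.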

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\O: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\12\EPEvenue_SB.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1028 set thread context of 844 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2884 set thread context of 2076 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1656 set thread context of 988 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2120 set thread context of 2180 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 756 set thread context of 2332 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2900 set thread context of 2248 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1936 set thread context of 880 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2296 set thread context of 2204 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2580 set thread context of 2648 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2708 set thread context of 2720 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2588 set thread context of 2800 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1984 set thread context of 2448 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1940 set thread context of 2748 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1924 set thread context of 2212 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2396 set thread context of 2888 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 584 set thread context of 1056 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1972 set thread context of 1752 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1876 set thread context of 2052 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1048 set thread context of 912 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1628 set thread context of 1700 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1584 set thread context of 2164 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1756 set thread context of 2056 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2608 set thread context of 2576 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2480 set thread context of 2684 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2624 set thread context of 2768 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1740 set thread context of 1956 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 768 set thread context of 3000 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2992 set thread context of 2000 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2436 set thread context of 2316 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 640 set thread context of 1132 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 676 set thread context of 356 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1000 set thread context of 756 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2032 set thread context of 1748 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2320 set thread context of 2532 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2296 set thread context of 3044 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2672 set thread context of 2652 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2584 set thread context of 2492 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 240 set thread context of 2824 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2844 set thread context of 2932 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3004 set thread context of 3020 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1368 set thread context of 1920 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2072 set thread context of 672 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1500 set thread context of 772 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2128 set thread context of 640 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 960 set thread context of 784 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2336 set thread context of 1432 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1320 set thread context of 1744 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2108 set thread context of 764 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1664 set thread context of 1856 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2328 set thread context of 2260 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 320 set thread context of 2676 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2452 set thread context of 2704 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1948 set thread context of 2136 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1264 set thread context of 1572 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2276 set thread context of 2140 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 588 set thread context of 2880 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 812 set thread context of 2512 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1592 set thread context of 1096 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2084 set thread context of 1112 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1048 set thread context of 1648 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2228 set thread context of 908 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1436 set thread context of 1604 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\12\12345678.exe C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\kpzs.exe C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\msvcr100.dll C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\vcl70.bpl C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\winos.exe C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\XPFarmer.bpl C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\CefControl.dll C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\DuiLib.dll C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\libcef.dll C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\msvcp100.dll C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\rtl70.bpl C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
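The dropped-file table above, the SetThreadContext table before it, and the WriteProcessMemory table further down are where a responder reads the execution chain out of this report. The Python below is an added example, not sandbox output or anything recovered from the sample: it parses rows in the report's own column layout, lists the dropped files, and pairs each WriteProcessMemory row with a SetThreadContext row on the same parent and child PIDs. The embedded rows are taken from those tables (the twelve drop rows rebuilt from their file names, the injection rows a subset including the sandbox's own duplicates); the labels "hollowing", "handoff" and "context_only" are my naming, not the sandbox's.

```python
"""Turn the rows of this report's signature tables into responder output:
the dropped-file list and the process-injection chain."""
import re
from collections import defaultdict

DIR = r"C:\Program Files (x86)\12"
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe")

# Rebuilt from the "Drops file in Program Files directory" table (same twelve
# rows, in the report's order).
DROP_ROWS = [f"File created {DIR}\\{name} {SAMPLE} N/A" for name in (
    "12345678.exe", "EPEvenue_SB.exe", "kpzs.exe", "msvcr100.dll", "vcl70.bpl",
    "winos.exe", "XPFarmer.bpl", "CefControl.dll", "DuiLib.dll", "libcef.dll",
    "msvcp100.dll", "rtl70.bpl")]

# A subset of the "Suspicious use of WriteProcessMemory" and "Suspicious use of
# SetThreadContext" rows in the sandbox's wording. The repeated first row is
# deliberate: the sandbox emits one row per call.
INJECT_ROWS = [
    f"PID 2484 wrote to memory of 2964 N/A {DIR}\\winos.exe {DIR}\\kpzs.exe",
    f"PID 2484 wrote to memory of 2964 N/A {DIR}\\winos.exe {DIR}\\kpzs.exe",
    f"PID 2484 wrote to memory of 1248 N/A {DIR}\\winos.exe {DIR}\\kpzs.exe",
    f"PID 2484 wrote to memory of 1028 N/A {DIR}\\winos.exe {DIR}\\EPEvenue_SB.exe",
    f"PID 1028 wrote to memory of 844 N/A {DIR}\\EPEvenue_SB.exe {DIR}\\EPEvenue_SB.exe",
    f"PID 2484 wrote to memory of 2884 N/A {DIR}\\winos.exe {DIR}\\EPEvenue_SB.exe",
    f"PID 2884 wrote to memory of 2076 N/A {DIR}\\EPEvenue_SB.exe {DIR}\\EPEvenue_SB.exe",
    f"PID 2484 wrote to memory of 1656 N/A {DIR}\\winos.exe {DIR}\\EPEvenue_SB.exe",
    f"PID 1656 wrote to memory of 988 N/A {DIR}\\EPEvenue_SB.exe {DIR}\\EPEvenue_SB.exe",
    f"PID 1028 set thread context of 844 N/A {DIR}\\EPEvenue_SB.exe {DIR}\\EPEvenue_SB.exe",
    f"PID 2884 set thread context of 2076 N/A {DIR}\\EPEvenue_SB.exe {DIR}\\EPEvenue_SB.exe",
    f"PID 1656 set thread context of 988 N/A {DIR}\\EPEvenue_SB.exe {DIR}\\EPEvenue_SB.exe",
    f"PID 2120 set thread context of 2180 N/A {DIR}\\EPEvenue_SB.exe {DIR}\\EPEvenue_SB.exe",
]

# Paths contain spaces, so split on the " X:\" boundary rather than whitespace.
FILE_RE = re.compile(r"^File created (?P<path>.+?) (?P<proc>[A-Z]:\\.+?) N/A$")
INJ_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Z]:\\.+?) (?P<dst_img>[A-Z]:\\.+)$")


def parse_rows(rows):
    """Parse table rows into dicts; rows in neither layout are skipped."""
    out = []
    for row in rows:
        m = FILE_RE.match(row)
        if m:
            out.append({"kind": "drop", **m.groupdict()})
            continue
        m = INJ_RE.match(row)
        if m:
            d = m.groupdict()
            d.update(kind="inject", src=int(d["src"]), dst=int(d["dst"]))
            out.append(d)
    return out


def dropped_files(parsed):
    """Unique dropped paths in first-seen order."""
    seen = []
    for r in parsed:
        if r["kind"] == "drop" and r["path"] not in seen:
            seen.append(r["path"])
    return seen


def classify_injection(parsed):
    """Collapse duplicate rows and pair WriteProcessMemory with SetThreadContext.

    write + context on one (parent, child) pair is the suspended-process
    overwrite sequence (CreateProcess CREATE_SUSPENDED, WriteProcessMemory,
    SetThreadContext, ResumeThread); a write alone is the parent-to-child
    handoff the sandbox also records at process start; a context change whose
    write is not among the rows given is reported separately, not guessed at.
    Hollowing entries carry a flag saying whether child and parent share an image.
    """
    ops = defaultdict(set)
    images = {}
    for r in parsed:
        if r["kind"] != "inject":
            continue
        key = (r["src"], r["dst"])
        ops[key].add("write" if r["op"].startswith("wrote") else "context")
        images[key] = (r["src_img"], r["dst_img"])
    result = {"hollowing": [], "handoff": [], "context_only": []}
    for key in sorted(ops):
        if ops[key] == {"write", "context"}:
            src_img, dst_img = images[key]
            result["hollowing"].append((*key, src_img == dst_img))
        elif ops[key] == {"write"}:
            result["handoff"].append(key)
        else:
            result["context_only"].append(key)
    return result


if __name__ == "__main__":
    parsed = parse_rows(DROP_ROWS + INJECT_ROWS)
    print("dropped:", *dropped_files(parsed), sep="\n  ")
    for label, pairs in classify_injection(parsed).items():
        print(label, pairs)
```

On these rows winos.exe (PID 2484) writes into every kpzs.exe and EPEvenue_SB.exe it starts, and three EPEvenue_SB.exe parents (1028, 2884, 1656) each write into and then reset the thread context of a child running their own image, which is the shape a suspended-then-overwritten loader leaves behind. The 2120 to 2180 pair has a context change with no write among the rows shown, so it lands in context_only instead of being assumed; pulling the full WriteProcessMemory table in would settle it.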

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\12\EPEvenue_SB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Rows
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A 4
N/A N/A C:\Program Files (x86)\12\winos.exe N/A 27
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A 33

(64 rows, logged in the order sample x4, winos.exe x2, EPEvenue_SB.exe x33, winos.exe x25; the table stops at exactly 64 rows, so the counts are a lower bound.)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Rows
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A 60
Token: 33 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A 2
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A 2

(64 rows, logged as SeDebugPrivilege x29, 33, SeIncBasePriorityPrivilege, SeDebugPrivilege x30, 33, SeIncBasePriorityPrivilege, SeDebugPrivilege; the table stops at exactly 64 rows, so the counts are a lower bound. "Token: 33" is a privilege LUID the sandbox did not resolve to a name; on Windows Vista and later LUID 33 is SeIncreaseWorkingSetPrivilege. SeDebugPrivilege is the privilege a process enables before opening processes it does not own, and it is requested here by the same binary that the SetThreadContext and WriteProcessMemory tables show writing into child processes.)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 2964 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 2484 wrote to memory of 2964 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 2484 wrote to memory of 2964 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 2484 wrote to memory of 2964 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 2484 wrote to memory of 1248 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 2484 wrote to memory of 1248 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 2484 wrote to memory of 1248 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 2484 wrote to memory of 1248 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 2484 wrote to memory of 1028 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 1028 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 1028 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 1028 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1028 wrote to memory of 844 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1028 wrote to memory of 844 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1028 wrote to memory of 844 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1028 wrote to memory of 844 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1028 wrote to memory of 844 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1028 wrote to memory of 844 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2884 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2884 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2884 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2884 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2884 wrote to memory of 2076 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2884 wrote to memory of 2076 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2884 wrote to memory of 2076 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2884 wrote to memory of 2076 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2884 wrote to memory of 2076 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2884 wrote to memory of 2076 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 1656 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 1656 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 1656 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 1656 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1656 wrote to memory of 988 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1656 wrote to memory of 988 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1656 wrote to memory of 988 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1656 wrote to memory of 988 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1656 wrote to memory of 988 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1656 wrote to memory of 988 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2120 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2120 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2120 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2120 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2120 wrote to memory of 2180 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2120 wrote to memory of 2180 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2120 wrote to memory of 2180 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2120 wrote to memory of 2180 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2120 wrote to memory of 2180 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2120 wrote to memory of 2180 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 756 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 756 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 756 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 756 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 756 wrote to memory of 2332 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 756 wrote to memory of 2332 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 756 wrote to memory of 2332 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 756 wrote to memory of 2332 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 756 wrote to memory of 2332 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 756 wrote to memory of 2332 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2900 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2900 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2900 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2484 wrote to memory of 2900 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2900 wrote to memory of 2248 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2900 wrote to memory of 2248 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe

"C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe"

C:\Program Files (x86)\12\winos.exe

"C:\Program Files (x86)\12\winos.exe"

C:\Program Files (x86)\12\kpzs.exe

"C:\Program Files (x86)\12\kpzs.exe"

C:\Program Files (x86)\12\kpzs.exe

"C:\Program Files (x86)\12\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\CB89295E841A410291D7EC.lnk"

C:\Program Files (x86)\12\kpzs.exe

"C:\Program Files (x86)\12\kpzs.exe"

C:\Program Files (x86)\12\kpzs.exe

"C:\Program Files (x86)\12\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\E2FA73F6F70C48248280D3.lnk"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

Network

Country Destination Domain Proto
HK 206.238.115.62:7777 - tcp
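The Network table above records only the C2 endpoint. The following Python scanner is an added example (not part of this report, and not code from the sandbox vendor or from the Gh0st authors) showing the check a responder would run over a capture of traffic to 206.238.115.62:7777 to confirm the family and read the beacon contents: it recovers Gh0st-style frames from a reassembled TCP byte stream and inflates their bodies. It assumes the classic 13-byte header with the "Gh0st" magic from the public source; the report does not show which magic this build uses, so the magic is a parameter. SAMPLE_STREAM is constructed for the example, not captured traffic.

```python
"""Gh0st-style C2 frame scanner (added example; not code from the report or
from the sandbox vendor).

The stock Gh0st RAT source frames every message as a 13-byte header followed
by a zlib-compressed body:
    5-byte magic        "Gh0st" in the public source; variants change it
    uint32 LE           total frame length, header included
    uint32 LE           body length before compression
    zlib stream         first byte of the inflated body is the command token
The report only shows the C2 endpoint (206.238.115.62:7777/tcp); it does not
show which magic this build uses, so the magic is a parameter here.
"""
import struct
import zlib

HEADER_FMT = "<5sII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 13
DEFAULT_MAGIC = b"Gh0st"


def build_frame(payload: bytes, magic: bytes = DEFAULT_MAGIC) -> bytes:
    """Encode a body the way the classic client does. Used here only to
    construct offline test traffic."""
    body = zlib.compress(payload)
    return struct.pack(HEADER_FMT, magic, HEADER_LEN + len(body), len(payload)) + body


def parse_frames(stream: bytes, magic: bytes = DEFAULT_MAGIC,
                 max_original: int = 16 * 1024 * 1024) -> list[tuple[int, bytes]]:
    """Walk a reassembled TCP byte stream and return (offset, inflated body)
    for every well-formed frame.

    A frame is accepted only if its declared total length fits in the stream,
    the declared original length is sane, the body inflates, and the inflated
    size matches the header. Anything else is treated as a false hit on the
    magic bytes and the scan resumes one byte later."""
    frames = []
    pos = 0
    while True:
        pos = stream.find(magic, pos)
        if pos < 0 or pos + HEADER_LEN > len(stream):
            break
        _, total_len, original_len = struct.unpack_from(HEADER_FMT, stream, pos)
        end = pos + total_len
        if total_len <= HEADER_LEN or end > len(stream) or original_len > max_original:
            pos += 1
            continue
        try:
            body = zlib.decompress(stream[pos + HEADER_LEN:end])
        except zlib.error:
            pos += 1
            continue
        if len(body) != original_len:
            pos += 1
            continue
        frames.append((pos, body))
        pos = end
    return frames


def command_token(body: bytes) -> int:
    """Command token of an inflated body (its first byte); -1 if empty.
    In the public source 100 is TOKEN_AUTH, 101 TOKEN_HEARTBEAT and
    102 TOKEN_LOGIN; forks renumber these, so treat values as hints."""
    return body[0] if body else -1


# Constructed sample stream (not captured traffic): two valid frames, some
# noise, a stray magic with a nonsense length, and a truncated trailing frame.
SAMPLE_STREAM = (
    b"\x00\x01noise"
    + build_frame(bytes([101]) + b"constructed-heartbeat")
    + b"Gh0st\xff\xff\xff\xff"
    + build_frame(bytes([102]) + b"constructed-login-info" * 40)
    + build_frame(b"tail")[:-3]
)

if __name__ == "__main__":
    for offset, body in parse_frames(SAMPLE_STREAM):
        print(f"frame at {offset}: token={command_token(body)} len={len(body)}")
```

Run it over the client-to-server half of the reassembled stream (for example, the payload bytes exported from a capture filtered on the destination above). A stream that yields no frames with the stock magic but does with another 5-byte value is still useful evidence: the length-and-inflate validation makes a false positive on an arbitrary magic unlikely.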

Files

C:\Users\Admin\AppData\Local\Temp\nsd1852.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsd1852.tmp\nsNiuniuSkin.dll

MD5 1e88afb7fe5b58d09d8a1b631e442538
SHA1 9ddb655cb32d002f68bdee962ce917002faa3614
SHA256 21a9a74fd631030981cdca42ab580f5aa030068ab80c183b73e99bea2d4f7708
SHA512 a7723bd73f55a716ea450f075d7a4fc7cd2080992c56ad67b6d46fdf4e30cef386068e1f4c2c788764cb092b529589cc1119ea2d62d07e32ea6d201e3afaf876

memory/2416-14-0x0000000074DC0000-0x0000000074E7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsd1852.tmp\skin.zip

MD5 bf53c6eaf4dfb9ecc11afba92e0a3c9a
SHA1 cacbaa3c4dc7a0d0cc365f746e468a3013473063
SHA256 727877e75ee79f940288f0c086e78ff3beae1c6c04894eb7350bdd02d7983139
SHA512 affb46fefbcea4278e82e34206aaa7afbf1b394d9e7c2708ce8cd67a68c122a9978496c24dd1d1b5db175096ddb6aecf151df7c04be41a6847708ba70fbc611e

C:\Users\Admin\AppData\Local\Temp\nsd1852.tmp\System.dll

MD5 e38d8ff9f749ee1b141a122fec7280e0
SHA1 fbc8e410ef716fdb36977e5c16d3373a6100189a
SHA256 00f7604d4f36a728c7759f4d9cf3e30c9728c503557aac49bbcd55cfc3e4fcb4
SHA512 2b1dccf42d435445331291db94f869c4e8f6dcdfe4371969e76ee275d4e845e1d2e947c216f80484a7dd4b8e85158298e6ec7ed9add6d4259c07fdf87c316a8f

\Users\Admin\AppData\Local\Temp\nsd1852.tmp\nsProcess.dll

MD5 88d3e48d1c1a051c702d47046ade7b4c
SHA1 8fc805a8b7900b6ba895d1b809a9f3ad4c730d23
SHA256 51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257
SHA512 83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

\Users\Admin\AppData\Local\Temp\nsd1852.tmp\BgWorker.dll

MD5 33ec04738007e665059cf40bc0f0c22b
SHA1 4196759a922e333d9b17bda5369f14c33cd5e3bc
SHA256 50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be
SHA512 2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

\Program Files (x86)\12\winos.exe

MD5 dfff7fdeb342305504b35b2261eab611
SHA1 000f37471c5cf6d245848368d3eec4c1a21b624e
SHA256 2df0837884c042ec6c889702bed52df643722e9f949b4f2d7b9834ae42c6f246
SHA512 588b6f3fdf64c695c0b4465f78ae6eaf36a9b350b9ccd2fd5e891ae1b4e36329403184a2e0f60dc45d7ca33f43a0546ae24c909f3b82e5f402b03bf46fdb01d8

memory/2416-80-0x0000000002A10000-0x0000000002A12000-memory.dmp

C:\Program Files (x86)\12\CefControl.dll

MD5 037d4ae83b30c3ba8f7f23e54a168bb2
SHA1 05a291f0397928c30d5b8fd4980c9ffb0472a4e7
SHA256 2422e71145ae364a4992cf37eba2938e541253bec467419ea6d1f037822c77f4
SHA512 fe2119eb042044049e0916086a815b19af8873133ea85edb8657533abeea95d2608aae3a6a0519132a7d064726121ae792ba9a22d6393f43ec1f28e1f857dac4

C:\Program Files (x86)\12\DuiLib.dll

MD5 cbfc4a8bc75a556dd97981531fadd751
SHA1 25e8eccb28e804db23d1d5123f3766d29b99294f
SHA256 4640ad02300c1311697c5592acdcfa59dba923eae1f2f2cb215a4a09d5055676
SHA512 3b02ea196b431e44a242ddafb0392420f1221b95e4a987a453bf3b1f72cc9ff707df7d5ff27f421edac0b6138cfa0205a98abf1dd92c7c5defcfdae2db34988c

C:\Program Files (x86)\12\libcef.dll

MD5 e7a550ef58c53720969017f4b739c967
SHA1 82cbe82ca632c2fcb3cd2f280593462ddb9fc708
SHA256 5fb627f9bd0621f097fc51be7d22373ead7afafbeacbed584fea07d0cf38a000
SHA512 d583ad302fc6f9db08ec08dfeca8c4d48619903e41e8024178a2195dfc508d9a057cdd25dcc6cf2d0fd688916ec7fc1c276ae1978e0b81293907801633508704

C:\Program Files (x86)\12\kpzs.exe

MD5 3ffb2d1b619bd7841df50aaf619922fd
SHA1 6973d1b9f33ceb741569db9d0d1fa06712a2565e
SHA256 8ce68528e25b86977f18d42c8c5dddbd6e6f24f34a340d447f4b4db0cb96bfbe
SHA512 7855b96335088bb718215eeea63d6d36c871f3f946de3de48fcc0bb7666cc61c7922f7c84d886d19c5454d283971a5e704c2cc97795c629fc20183c29040d4da

\Program Files (x86)\12\msvcp100.dll

MD5 e3c817f7fe44cc870ecdbcbc3ea36132
SHA1 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256 d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA512 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

\Program Files (x86)\12\msvcr100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Program Files (x86)\12\EPEvenue_SB.exe

MD5 4ddce14e5c6c09bbe5154167a74d271e
SHA1 3985cd3c8b49fcaa9c9dd244ef53d9e86889a3ad
SHA256 37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a
SHA512 f49cf8709fbc1a507416cc61c0678cf153d8fab38527d8e9eece7619196e4c194be437e57de635bea511cdcde7bc62469380f97005b7202c625ae6ceb70b610b

memory/1028-118-0x0000000000730000-0x00000000008AA000-memory.dmp

\Program Files (x86)\12\XPFarmer.bpl

MD5 b6b5969b658b647fa0c6ec11de139c96
SHA1 87b0e1176b5d5cae31bee708c8daa383da4adf02
SHA256 a2b6b2c4e1a49809936780149416e8cbb793a0631f81f746350c3c06fcd2bc8e
SHA512 28b4ef210ac75e5d93ed7f99ed39e7bc1d918852a5f34ff0a95d0f4c742f190a969e5be30dd1845457d0880e1ce1975fb9d5e614de5b5b5e66e362ec3bde3842

memory/1028-127-0x0000000000730000-0x00000000008AA000-memory.dmp

memory/844-128-0x0000000000400000-0x000000000044D000-memory.dmp

memory/1028-126-0x00000000400C0000-0x0000000040218000-memory.dmp

memory/1028-125-0x0000000000400000-0x0000000000528000-memory.dmp

memory/844-129-0x0000000010000000-0x000000001018F000-memory.dmp

memory/844-123-0x0000000000400000-0x000000000044D000-memory.dmp

memory/844-121-0x0000000000400000-0x000000000044D000-memory.dmp

memory/844-120-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Program Files (x86)\12\12345678.exe

MD5 e027843c3e66ddd0b8cebbaf027497b1
SHA1 51671beb478ffcbb99fee5d34cb030efb44fe1b7
SHA256 09fea0e5f7b57b9ce700d52bc1ed58d3336eb7a9e04ceefd1b5246e4a3bc4c24
SHA512 fff8b36c2b5a1d4dadc0995d91b70317ce83de9c7f36613d64d9dbee1fe1293b8e8469b2f4239584e005675049f6eb67b4a04edc03247731b9b0f3fe45097e85

\Program Files (x86)\12\vcl70.bpl

MD5 16a1c27ed415d1816f8888ea2cefb3f6
SHA1 80db800b805d548f6df4eb2cb37ba2064dc37c05
SHA256 a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390
SHA512 68a3e563dd9745210eb7295cde692af68cd5fc430a95856f4823dc10e42d067f332ae1d2445e8810e0c15c3c779e195735bd311c45e9690cb05dbedcd7354306

memory/844-134-0x0000000010000000-0x000000001018F000-memory.dmp

memory/844-133-0x0000000010000000-0x000000001018F000-memory.dmp

memory/844-132-0x0000000010000000-0x000000001018F000-memory.dmp

memory/844-131-0x0000000010000000-0x000000001018F000-memory.dmp

\Program Files (x86)\12\rtl70.bpl

MD5 99b6a3a2b79d83857bd5129124592f8c
SHA1 e627d960ab29f7003ac0ea15e098bf5ada37ed3d
SHA256 d4876325de6084019f844d69b34079716746a5e52585b74bbb366d0152f0313d
SHA512 7e02a0eacf25cbfa3b685821b8cf697a6b2b125b6067337a7def18b58e7da6c216d396aefee1928c667900915ee0ee3a616e80985b77632c47f964899d835e1c

memory/2884-155-0x00000000400C0000-0x0000000040218000-memory.dmp

memory/2884-153-0x0000000000400000-0x0000000000528000-memory.dmp

memory/2076-164-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2076-162-0x0000000000450000-0x00000000004B7000-memory.dmp

memory/2076-161-0x0000000010000000-0x000000001018F000-memory.dmp

memory/2076-163-0x0000000010000000-0x000000001018F000-memory.dmp

memory/2884-156-0x00000000006C0000-0x000000000083A000-memory.dmp

memory/2884-147-0x00000000006C0000-0x000000000083A000-memory.dmp

memory/1656-170-0x00000000005A0000-0x000000000071A000-memory.dmp

memory/1656-177-0x00000000400C0000-0x0000000040218000-memory.dmp

memory/1656-178-0x00000000005A0000-0x000000000071A000-memory.dmp

memory/1656-176-0x0000000000400000-0x0000000000528000-memory.dmp

memory/988-186-0x0000000010000000-0x000000001018F000-memory.dmp

memory/988-184-0x0000000010000000-0x000000001018F000-memory.dmp

memory/2120-193-0x0000000000710000-0x000000000088A000-memory.dmp

memory/2120-199-0x0000000000400000-0x0000000000528000-memory.dmp

memory/2120-201-0x00000000400C0000-0x0000000040218000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-28 03:15

Reported

2024-04-28 03:17

Platform

win10v2004-20240419-en

Max time kernel

75s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe"

Signatures

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\12\winos.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
N/A N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3956 set thread context of 116 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1628 set thread context of 1832 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2636 set thread context of 3636 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4780 set thread context of 3692 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3828 set thread context of 4276 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4864 set thread context of 2596 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1676 set thread context of 3948 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4532 set thread context of 3248 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1780 set thread context of 4184 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 628 set thread context of 3696 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2692 set thread context of 3644 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4280 set thread context of 3128 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2632 set thread context of 2996 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1612 set thread context of 4576 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3408 set thread context of 4864 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2276 set thread context of 2560 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2572 set thread context of 2460 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1504 set thread context of 632 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3468 set thread context of 1352 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1308 set thread context of 2692 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2552 set thread context of 1048 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3564 set thread context of 2420 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3616 set thread context of 4896 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\12\12345678.exe C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\DuiLib.dll C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\kpzs.exe C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\msvcp100.dll C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\rtl70.bpl C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\vcl70.bpl C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\winos.exe C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\CefControl.dll C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\libcef.dll C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\msvcr100.dll C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
File created C:\Program Files (x86)\12\XPFarmer.bpl C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\winos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\12\EPEvenue_SB.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\12\winos.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A
N/A N/A C:\Program Files (x86)\12\kpzs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3108 wrote to memory of 2456 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 3108 wrote to memory of 2456 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 3108 wrote to memory of 2456 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 3108 wrote to memory of 4976 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 3108 wrote to memory of 4976 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 3108 wrote to memory of 4976 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\kpzs.exe
PID 3108 wrote to memory of 3956 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 3956 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 3956 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3956 wrote to memory of 116 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3956 wrote to memory of 116 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3956 wrote to memory of 116 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3956 wrote to memory of 116 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3956 wrote to memory of 116 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 2496 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 2496 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 2496 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 1628 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 1628 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 1628 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1628 wrote to memory of 1832 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1628 wrote to memory of 1832 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1628 wrote to memory of 1832 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1628 wrote to memory of 1832 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1628 wrote to memory of 1832 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 2636 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 2636 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 2636 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2636 wrote to memory of 3636 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2636 wrote to memory of 3636 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2636 wrote to memory of 3636 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2636 wrote to memory of 3636 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 2636 wrote to memory of 3636 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 4780 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 4780 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 4780 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4780 wrote to memory of 3692 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4780 wrote to memory of 3692 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4780 wrote to memory of 3692 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4780 wrote to memory of 3692 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4780 wrote to memory of 3692 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 3828 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 3828 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 3828 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3828 wrote to memory of 4276 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3828 wrote to memory of 4276 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3828 wrote to memory of 4276 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3828 wrote to memory of 4276 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3828 wrote to memory of 4276 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 4864 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 4864 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 4864 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4864 wrote to memory of 2596 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4864 wrote to memory of 2596 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4864 wrote to memory of 2596 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4864 wrote to memory of 2596 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 4864 wrote to memory of 2596 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 1676 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 1676 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 3108 wrote to memory of 1676 N/A C:\Program Files (x86)\12\winos.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1676 wrote to memory of 3948 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1676 wrote to memory of 3948 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1676 wrote to memory of 3948 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe
PID 1676 wrote to memory of 3948 N/A C:\Program Files (x86)\12\EPEvenue_SB.exe C:\Program Files (x86)\12\EPEvenue_SB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe

"C:\Users\Admin\AppData\Local\Temp\6a1843e8589f7a7d11e91865331f12026eec91f24712954c94d27cbade22c11f.exe"

C:\Program Files (x86)\12\winos.exe

"C:\Program Files (x86)\12\winos.exe"

C:\Program Files (x86)\12\kpzs.exe

"C:\Program Files (x86)\12\kpzs.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding

C:\Program Files (x86)\12\kpzs.exe

"C:\Program Files (x86)\12\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\E159133B47AF49b39C538B.lnk"

C:\Program Files (x86)\12\kpzs.exe

"C:\Program Files (x86)\12\kpzs.exe"

C:\Program Files (x86)\12\kpzs.exe

"C:\Program Files (x86)\12\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\0C045E8D0D3842bfA5D217.lnk"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

C:\Program Files (x86)\12\EPEvenue_SB.exe

"C:\Program Files (x86)\12\EPEvenue_SB.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 138.91.171.81:80 tcp
US 23.53.113.159:80 tcp
HK 206.238.115.62:7777 tcp
HK 206.238.115.62:7777 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nss4027.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nss4027.tmp\nsNiuniuSkin.dll

MD5 1e88afb7fe5b58d09d8a1b631e442538
SHA1 9ddb655cb32d002f68bdee962ce917002faa3614
SHA256 21a9a74fd631030981cdca42ab580f5aa030068ab80c183b73e99bea2d4f7708
SHA512 a7723bd73f55a716ea450f075d7a4fc7cd2080992c56ad67b6d46fdf4e30cef386068e1f4c2c788764cb092b529589cc1119ea2d62d07e32ea6d201e3afaf876

memory/3372-12-0x0000000074FF0000-0x00000000750AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nss4027.tmp\skin.zip

MD5 bf53c6eaf4dfb9ecc11afba92e0a3c9a
SHA1 cacbaa3c4dc7a0d0cc365f746e468a3013473063
SHA256 727877e75ee79f940288f0c086e78ff3beae1c6c04894eb7350bdd02d7983139
SHA512 affb46fefbcea4278e82e34206aaa7afbf1b394d9e7c2708ce8cd67a68c122a9978496c24dd1d1b5db175096ddb6aecf151df7c04be41a6847708ba70fbc611e

C:\Users\Admin\AppData\Local\Temp\nss4027.tmp\System.dll

MD5 e38d8ff9f749ee1b141a122fec7280e0
SHA1 fbc8e410ef716fdb36977e5c16d3373a6100189a
SHA256 00f7604d4f36a728c7759f4d9cf3e30c9728c503557aac49bbcd55cfc3e4fcb4
SHA512 2b1dccf42d435445331291db94f869c4e8f6dcdfe4371969e76ee275d4e845e1d2e947c216f80484a7dd4b8e85158298e6ec7ed9add6d4259c07fdf87c316a8f

C:\Users\Admin\AppData\Local\Temp\nss4027.tmp\nsProcess.dll

MD5 88d3e48d1c1a051c702d47046ade7b4c
SHA1 8fc805a8b7900b6ba895d1b809a9f3ad4c730d23
SHA256 51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257
SHA512 83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

C:\Users\Admin\AppData\Local\Temp\nss4027.tmp\BgWorker.dll

MD5 33ec04738007e665059cf40bc0f0c22b
SHA1 4196759a922e333d9b17bda5369f14c33cd5e3bc
SHA256 50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be
SHA512 2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

C:\Program Files (x86)\12\winos.exe

MD5 dfff7fdeb342305504b35b2261eab611
SHA1 000f37471c5cf6d245848368d3eec4c1a21b624e
SHA256 2df0837884c042ec6c889702bed52df643722e9f949b4f2d7b9834ae42c6f246
SHA512 588b6f3fdf64c695c0b4465f78ae6eaf36a9b350b9ccd2fd5e891ae1b4e36329403184a2e0f60dc45d7ca33f43a0546ae24c909f3b82e5f402b03bf46fdb01d8

C:\Program Files (x86)\12\libcef.dll

MD5 e7a550ef58c53720969017f4b739c967
SHA1 82cbe82ca632c2fcb3cd2f280593462ddb9fc708
SHA256 5fb627f9bd0621f097fc51be7d22373ead7afafbeacbed584fea07d0cf38a000
SHA512 d583ad302fc6f9db08ec08dfeca8c4d48619903e41e8024178a2195dfc508d9a057cdd25dcc6cf2d0fd688916ec7fc1c276ae1978e0b81293907801633508704

C:\Program Files (x86)\12\CefControl.dll

MD5 037d4ae83b30c3ba8f7f23e54a168bb2
SHA1 05a291f0397928c30d5b8fd4980c9ffb0472a4e7
SHA256 2422e71145ae364a4992cf37eba2938e541253bec467419ea6d1f037822c77f4
SHA512 fe2119eb042044049e0916086a815b19af8873133ea85edb8657533abeea95d2608aae3a6a0519132a7d064726121ae792ba9a22d6393f43ec1f28e1f857dac4

C:\Program Files (x86)\12\DuiLib.dll

MD5 cbfc4a8bc75a556dd97981531fadd751
SHA1 25e8eccb28e804db23d1d5123f3766d29b99294f
SHA256 4640ad02300c1311697c5592acdcfa59dba923eae1f2f2cb215a4a09d5055676
SHA512 3b02ea196b431e44a242ddafb0392420f1221b95e4a987a453bf3b1f72cc9ff707df7d5ff27f421edac0b6138cfa0205a98abf1dd92c7c5defcfdae2db34988c

C:\Program Files (x86)\12\kpzs.exe

MD5 3ffb2d1b619bd7841df50aaf619922fd
SHA1 6973d1b9f33ceb741569db9d0d1fa06712a2565e
SHA256 8ce68528e25b86977f18d42c8c5dddbd6e6f24f34a340d447f4b4db0cb96bfbe
SHA512 7855b96335088bb718215eeea63d6d36c871f3f946de3de48fcc0bb7666cc61c7922f7c84d886d19c5454d283971a5e704c2cc97795c629fc20183c29040d4da

C:\Program Files (x86)\12\MSVCR100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Program Files (x86)\12\msvcp100.dll

MD5 e3c817f7fe44cc870ecdbcbc3ea36132
SHA1 2ada702a0c143a7ae39b7de16a4b5cc994d2548b
SHA256 d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf
SHA512 4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

C:\Program Files (x86)\12\EPEvenue_SB.exe

MD5 4ddce14e5c6c09bbe5154167a74d271e
SHA1 3985cd3c8b49fcaa9c9dd244ef53d9e86889a3ad
SHA256 37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a
SHA512 f49cf8709fbc1a507416cc61c0678cf153d8fab38527d8e9eece7619196e4c194be437e57de635bea511cdcde7bc62469380f97005b7202c625ae6ceb70b610b

C:\Program Files (x86)\12\rtl70.bpl

MD5 99b6a3a2b79d83857bd5129124592f8c
SHA1 e627d960ab29f7003ac0ea15e098bf5ada37ed3d
SHA256 d4876325de6084019f844d69b34079716746a5e52585b74bbb366d0152f0313d
SHA512 7e02a0eacf25cbfa3b685821b8cf697a6b2b125b6067337a7def18b58e7da6c216d396aefee1928c667900915ee0ee3a616e80985b77632c47f964899d835e1c

C:\Program Files (x86)\12\vcl70.bpl

MD5 16a1c27ed415d1816f8888ea2cefb3f6
SHA1 80db800b805d548f6df4eb2cb37ba2064dc37c05
SHA256 a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390
SHA512 68a3e563dd9745210eb7295cde692af68cd5fc430a95856f4823dc10e42d067f332ae1d2445e8810e0c15c3c779e195735bd311c45e9690cb05dbedcd7354306

C:\Program Files (x86)\12\XPFarmer.bpl

MD5 b6b5969b658b647fa0c6ec11de139c96
SHA1 87b0e1176b5d5cae31bee708c8daa383da4adf02
SHA256 a2b6b2c4e1a49809936780149416e8cbb793a0631f81f746350c3c06fcd2bc8e
SHA512 28b4ef210ac75e5d93ed7f99ed39e7bc1d918852a5f34ff0a95d0f4c742f190a969e5be30dd1845457d0880e1ce1975fb9d5e614de5b5b5e66e362ec3bde3842

memory/3956-126-0x0000000000B00000-0x0000000000C7A000-memory.dmp

C:\Program Files (x86)\12\12345678.exe

MD5 e027843c3e66ddd0b8cebbaf027497b1
SHA1 51671beb478ffcbb99fee5d34cb030efb44fe1b7
SHA256 09fea0e5f7b57b9ce700d52bc1ed58d3336eb7a9e04ceefd1b5246e4a3bc4c24
SHA512 fff8b36c2b5a1d4dadc0995d91b70317ce83de9c7f36613d64d9dbee1fe1293b8e8469b2f4239584e005675049f6eb67b4a04edc03247731b9b0f3fe45097e85

memory/116-130-0x0000000000400000-0x000000000044D000-memory.dmp

memory/116-128-0x0000000000400000-0x000000000044D000-memory.dmp

memory/116-135-0x0000000010000000-0x000000001018F000-memory.dmp

memory/3956-137-0x0000000000B00000-0x0000000000C7A000-memory.dmp

memory/3956-136-0x00000000400C0000-0x0000000040218000-memory.dmp

memory/3956-131-0x0000000000400000-0x0000000000528000-memory.dmp

memory/116-134-0x0000000010000000-0x000000001018F000-memory.dmp

memory/116-132-0x0000000010000000-0x000000001018F000-memory.dmp

memory/116-138-0x0000000010000000-0x000000001018F000-memory.dmp

memory/116-139-0x0000000010000000-0x000000001018F000-memory.dmp

memory/2496-154-0x0000000000400000-0x0000000000528000-memory.dmp

memory/2496-162-0x0000000000C00000-0x0000000000D7A000-memory.dmp

memory/1576-166-0x0000000010000000-0x000000001018F000-memory.dmp

memory/1576-167-0x0000000010000000-0x000000001018F000-memory.dmp

memory/1576-168-0x0000000000400000-0x000000000044D000-memory.dmp

memory/2496-156-0x00000000400C0000-0x0000000040218000-memory.dmp

memory/1628-176-0x0000000000C10000-0x0000000000D8A000-memory.dmp

memory/1628-183-0x0000000000C10000-0x0000000000D8A000-memory.dmp

memory/1628-181-0x00000000400C0000-0x0000000040218000-memory.dmp

memory/1628-180-0x0000000000400000-0x0000000000528000-memory.dmp

memory/1832-190-0x0000000010000000-0x000000001018F000-memory.dmp

memory/1832-188-0x0000000010000000-0x000000001018F000-memory.dmp

memory/1832-189-0x0000000000450000-0x0000000000519000-memory.dmp

memory/2636-195-0x00000000008C0000-0x0000000000A3A000-memory.dmp

memory/2636-198-0x00000000400C0000-0x0000000040218000-memory.dmp

memory/2636-197-0x0000000000400000-0x0000000000528000-memory.dmp

memory/2636-200-0x00000000008C0000-0x0000000000A3A000-memory.dmp

memory/3636-205-0x0000000010000000-0x000000001018F000-memory.dmp

memory/3636-206-0x0000000010000000-0x000000001018F000-memory.dmp

memory/4780-210-0x0000000000990000-0x0000000000B0A000-memory.dmp

memory/4780-213-0x00000000400C0000-0x0000000040218000-memory.dmp

memory/4780-215-0x0000000000990000-0x0000000000B0A000-memory.dmp

memory/4780-212-0x0000000000400000-0x0000000000528000-memory.dmp