gh0strat | a1732b9038446d9d600bb8413ca86eccf1272e26844f4b65632c22189c80f7e5

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
16/05/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
Size

8.5MB
MD5

e450334557d6d45d2a873e648cdf1b50
SHA1

aee26beb05128e839d0279e779ce7cef283ef2b5
SHA256

a1732b9038446d9d600bb8413ca86eccf1272e26844f4b65632c22189c80f7e5
SHA512

4cd8ac4fa2ec37530eb9c1de4b699aafda43b8d3d86624d592995d49a574662931650e14a333c0bea754fde3bfd76295988375e31b7ff2786d3205b92d7fdb31
SSDEEP

196608:0yEbq8kKU1qXD0QwAIYfIFtCe8lN4XuWEA1HaugJKvgabfT8z//QTDQsNkEC1:0mK8qjwAaCe8f4eWVYKoabfT6QT0s2E6

Score

10^/10

gh0strat discovery rat upx

Malware Config

Signatures

Gh0st RAT payload 8 IoCs

resource	yara_rule
behavioral1/memory/1508-134-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/1508-133-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/1508-135-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/1508-136-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/2876-163-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/2876-165-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/1472-186-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral1/memory/1472-187-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000014353-11.dat	acprotect

Executes dropped EXE 64 IoCs

pid	Process
2208	w.exe
2828	kpzs.exe
2176	kpzs.exe
1744	kpzs.exe
1240	kpzs.exe
2580	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1332	EPEvenue_SB.exe
2876	EPEvenue_SB.exe
336	EPEvenue_SB.exe
1472	EPEvenue_SB.exe
2376	EPEvenue_SB.exe
448	EPEvenue_SB.exe
948	EPEvenue_SB.exe
1868	EPEvenue_SB.exe
1312	EPEvenue_SB.exe
2236	EPEvenue_SB.exe
2976	EPEvenue_SB.exe
992	EPEvenue_SB.exe
1588	EPEvenue_SB.exe
1592	EPEvenue_SB.exe
1208	EPEvenue_SB.exe
2248	EPEvenue_SB.exe
2648	EPEvenue_SB.exe
2528	EPEvenue_SB.exe
3068	EPEvenue_SB.exe
2688	EPEvenue_SB.exe
2764	EPEvenue_SB.exe
2824	EPEvenue_SB.exe
1124	EPEvenue_SB.exe
1756	EPEvenue_SB.exe
1444	EPEvenue_SB.exe
468	EPEvenue_SB.exe
2004	EPEvenue_SB.exe
2560	EPEvenue_SB.exe
308	EPEvenue_SB.exe
320	EPEvenue_SB.exe
1824	EPEvenue_SB.exe
836	EPEvenue_SB.exe
424	EPEvenue_SB.exe
2492	EPEvenue_SB.exe
1348	EPEvenue_SB.exe
1140	EPEvenue_SB.exe
2388	EPEvenue_SB.exe
296	EPEvenue_SB.exe
2160	EPEvenue_SB.exe
2980	EPEvenue_SB.exe
1716	EPEvenue_SB.exe
2988	EPEvenue_SB.exe
1732	EPEvenue_SB.exe
2668	EPEvenue_SB.exe
2628	EPEvenue_SB.exe
2640	EPEvenue_SB.exe
3068	EPEvenue_SB.exe
2516	EPEvenue_SB.exe
2764	EPEvenue_SB.exe
1580	EPEvenue_SB.exe
1664	EPEvenue_SB.exe
1952	EPEvenue_SB.exe
1188	EPEvenue_SB.exe
1396	EPEvenue_SB.exe
1912	EPEvenue_SB.exe
2972	EPEvenue_SB.exe
536	EPEvenue_SB.exe

Loads dropped DLL 64 IoCs

pid	Process
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2828	kpzs.exe
2828	kpzs.exe
2176	kpzs.exe
2176	kpzs.exe
1744	kpzs.exe
1744	kpzs.exe
1240	kpzs.exe
1240	kpzs.exe
2208	w.exe
2208	w.exe
2580	EPEvenue_SB.exe
2580	EPEvenue_SB.exe
2580	EPEvenue_SB.exe
2208	w.exe
1332	EPEvenue_SB.exe
1332	EPEvenue_SB.exe
1332	EPEvenue_SB.exe
2208	w.exe
336	EPEvenue_SB.exe
336	EPEvenue_SB.exe
336	EPEvenue_SB.exe
2208	w.exe
2376	EPEvenue_SB.exe
2376	EPEvenue_SB.exe
2376	EPEvenue_SB.exe
2208	w.exe
948	EPEvenue_SB.exe
948	EPEvenue_SB.exe
948	EPEvenue_SB.exe
2208	w.exe
1312	EPEvenue_SB.exe
1312	EPEvenue_SB.exe
1312	EPEvenue_SB.exe
2208	w.exe
2976	EPEvenue_SB.exe
2976	EPEvenue_SB.exe
2976	EPEvenue_SB.exe
2208	w.exe
1588	EPEvenue_SB.exe
1588	EPEvenue_SB.exe
1588	EPEvenue_SB.exe
2208	w.exe
1208	EPEvenue_SB.exe
1208	EPEvenue_SB.exe
1208	EPEvenue_SB.exe
2208	w.exe
2648	EPEvenue_SB.exe
2648	EPEvenue_SB.exe
2648	EPEvenue_SB.exe
2208	w.exe
3068	EPEvenue_SB.exe
3068	EPEvenue_SB.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000014353-11.dat	upx
behavioral1/memory/3016-14-0x0000000074380000-0x000000007443C000-memory.dmp	upx
behavioral1/memory/1508-131-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/1508-134-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/1508-133-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/1508-135-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/1508-136-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/2876-163-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/2876-165-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/1472-186-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral1/memory/1472-187-0x0000000010000000-0x000000001018F000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	EPEvenue_SB.exe
File opened (read-only)	\??\L:	EPEvenue_SB.exe
File opened (read-only)	\??\M:	EPEvenue_SB.exe
File opened (read-only)	\??\N:	EPEvenue_SB.exe
File opened (read-only)	\??\Q:	EPEvenue_SB.exe
File opened (read-only)	\??\S:	EPEvenue_SB.exe
File opened (read-only)	\??\T:	EPEvenue_SB.exe
File opened (read-only)	\??\J:	EPEvenue_SB.exe
File opened (read-only)	\??\O:	EPEvenue_SB.exe
File opened (read-only)	\??\P:	EPEvenue_SB.exe
File opened (read-only)	\??\X:	EPEvenue_SB.exe
File opened (read-only)	\??\I:	EPEvenue_SB.exe
File opened (read-only)	\??\K:	EPEvenue_SB.exe
File opened (read-only)	\??\Z:	EPEvenue_SB.exe
File opened (read-only)	\??\V:	EPEvenue_SB.exe
File opened (read-only)	\??\W:	EPEvenue_SB.exe
File opened (read-only)	\??\B:	EPEvenue_SB.exe
File opened (read-only)	\??\E:	EPEvenue_SB.exe
File opened (read-only)	\??\G:	EPEvenue_SB.exe
File opened (read-only)	\??\H:	EPEvenue_SB.exe
File opened (read-only)	\??\R:	EPEvenue_SB.exe
File opened (read-only)	\??\U:	EPEvenue_SB.exe

Suspicious use of SetThreadContext 63 IoCs

description	pid	Process	procid_target
PID 2580 set thread context of 1508	2580	EPEvenue_SB.exe	34
PID 1332 set thread context of 2876	1332	EPEvenue_SB.exe	36
PID 336 set thread context of 1472	336	EPEvenue_SB.exe	38
PID 2376 set thread context of 448	2376	EPEvenue_SB.exe	40
PID 948 set thread context of 1868	948	EPEvenue_SB.exe	42
PID 1312 set thread context of 2236	1312	EPEvenue_SB.exe	44
PID 2976 set thread context of 992	2976	EPEvenue_SB.exe	46
PID 1588 set thread context of 1592	1588	EPEvenue_SB.exe	48
PID 1208 set thread context of 2248	1208	EPEvenue_SB.exe	50
PID 2648 set thread context of 2528	2648	EPEvenue_SB.exe	52
PID 3068 set thread context of 2688	3068	EPEvenue_SB.exe	54
PID 2764 set thread context of 2824	2764	EPEvenue_SB.exe	56
PID 1124 set thread context of 1756	1124	EPEvenue_SB.exe	60
PID 1444 set thread context of 468	1444	EPEvenue_SB.exe	62
PID 2004 set thread context of 2560	2004	EPEvenue_SB.exe	64
PID 308 set thread context of 320	308	EPEvenue_SB.exe	66
PID 1824 set thread context of 836	1824	EPEvenue_SB.exe	68
PID 424 set thread context of 2492	424	EPEvenue_SB.exe	70
PID 1348 set thread context of 1140	1348	EPEvenue_SB.exe	72
PID 2388 set thread context of 296	2388	EPEvenue_SB.exe	74
PID 2160 set thread context of 2980	2160	EPEvenue_SB.exe	76
PID 1716 set thread context of 2988	1716	EPEvenue_SB.exe	78
PID 1732 set thread context of 2668	1732	EPEvenue_SB.exe	80
PID 2628 set thread context of 2640	2628	EPEvenue_SB.exe	82
PID 3068 set thread context of 2516	3068	EPEvenue_SB.exe	84
PID 2764 set thread context of 1580	2764	EPEvenue_SB.exe	86
PID 1664 set thread context of 1952	1664	EPEvenue_SB.exe	88
PID 1188 set thread context of 1396	1188	EPEvenue_SB.exe	90
PID 1912 set thread context of 2972	1912	EPEvenue_SB.exe	92
PID 536 set thread context of 572	536	EPEvenue_SB.exe	94
PID 1840 set thread context of 576	1840	EPEvenue_SB.exe	96
PID 2404 set thread context of 1144	2404	EPEvenue_SB.exe	98
PID 1604 set thread context of 2948	1604	EPEvenue_SB.exe	100
PID 2084 set thread context of 1948	2084	EPEvenue_SB.exe	102
PID 2872 set thread context of 1692	2872	EPEvenue_SB.exe	104
PID 1716 set thread context of 2204	1716	EPEvenue_SB.exe	106
PID 2096 set thread context of 1208	2096	EPEvenue_SB.exe	108
PID 3060 set thread context of 3028	3060	EPEvenue_SB.exe	110
PID 2300 set thread context of 2940	2300	EPEvenue_SB.exe	112
PID 2536 set thread context of 2852	2536	EPEvenue_SB.exe	114
PID 2992 set thread context of 2996	2992	EPEvenue_SB.exe	116
PID 2612 set thread context of 1184	2612	EPEvenue_SB.exe	118
PID 2052 set thread context of 2496	2052	EPEvenue_SB.exe	120
PID 308 set thread context of 988	308	EPEvenue_SB.exe	122
PID 340 set thread context of 1008	340	EPEvenue_SB.exe	124
PID 2404 set thread context of 1380	2404	EPEvenue_SB.exe	126
PID 1060 set thread context of 1072	1060	EPEvenue_SB.exe	128
PID 2444 set thread context of 2120	2444	EPEvenue_SB.exe	130
PID 2976 set thread context of 1872	2976	EPEvenue_SB.exe	132
PID 2224 set thread context of 2932	2224	EPEvenue_SB.exe	134
PID 2760 set thread context of 2776	2760	EPEvenue_SB.exe	136
PID 1644 set thread context of 2788	1644	EPEvenue_SB.exe	138
PID 2660 set thread context of 2524	2660	EPEvenue_SB.exe	140
PID 2844 set thread context of 2792	2844	EPEvenue_SB.exe	142
PID 1240 set thread context of 764	1240	EPEvenue_SB.exe	144
PID 1236 set thread context of 2580	1236	EPEvenue_SB.exe	146
PID 2504 set thread context of 2952	2504	EPEvenue_SB.exe	148
PID 2968 set thread context of 2272	2968	EPEvenue_SB.exe	150
PID 1344 set thread context of 2364	1344	EPEvenue_SB.exe	152
PID 1660 set thread context of 1536	1660	EPEvenue_SB.exe	154
PID 1060 set thread context of 2280	1060	EPEvenue_SB.exe	156
PID 1740 set thread context of 1496	1740	EPEvenue_SB.exe	158
PID 2100 set thread context of 1232	2100	EPEvenue_SB.exe	160

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\13\w.exe	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\12345678.EXE	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\CefControl.dll	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\DuiLib.dll	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\EPEvenue_SB.exe	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\msvcp100.dll	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\msvcr100.exe	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\XPFarmer.bpl	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\vcl70.bpl	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\kpzs.exe	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\libcef.dll	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\msvcr100.dll	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\rtl70.bpl	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EPEvenue_SB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EPEvenue_SB.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
3016	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
2208	w.exe
2208	w.exe
2208	w.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
1508	EPEvenue_SB.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe
2208	w.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1508	EPEvenue_SB.exe
Token: SeDebugPrivilege	2876	EPEvenue_SB.exe
Token: SeDebugPrivilege	1472	EPEvenue_SB.exe
Token: SeDebugPrivilege	448	EPEvenue_SB.exe
Token: SeDebugPrivilege	1868	EPEvenue_SB.exe
Token: SeDebugPrivilege	2236	EPEvenue_SB.exe
Token: SeDebugPrivilege	992	EPEvenue_SB.exe
Token: SeDebugPrivilege	1592	EPEvenue_SB.exe
Token: SeDebugPrivilege	2248	EPEvenue_SB.exe
Token: SeDebugPrivilege	2528	EPEvenue_SB.exe
Token: SeDebugPrivilege	2688	EPEvenue_SB.exe
Token: SeDebugPrivilege	2824	EPEvenue_SB.exe
Token: SeDebugPrivilege	1756	EPEvenue_SB.exe
Token: SeDebugPrivilege	468	EPEvenue_SB.exe
Token: SeDebugPrivilege	2560	EPEvenue_SB.exe
Token: SeDebugPrivilege	320	EPEvenue_SB.exe
Token: SeDebugPrivilege	836	EPEvenue_SB.exe
Token: SeDebugPrivilege	2492	EPEvenue_SB.exe
Token: SeDebugPrivilege	1140	EPEvenue_SB.exe
Token: SeDebugPrivilege	296	EPEvenue_SB.exe
Token: SeDebugPrivilege	2980	EPEvenue_SB.exe
Token: SeDebugPrivilege	2988	EPEvenue_SB.exe
Token: SeDebugPrivilege	2668	EPEvenue_SB.exe
Token: SeDebugPrivilege	2640	EPEvenue_SB.exe
Token: SeDebugPrivilege	2516	EPEvenue_SB.exe
Token: SeDebugPrivilege	1580	EPEvenue_SB.exe
Token: SeDebugPrivilege	1952	EPEvenue_SB.exe
Token: SeDebugPrivilege	1396	EPEvenue_SB.exe
Token: SeDebugPrivilege	2972	EPEvenue_SB.exe
Token: SeDebugPrivilege	572	EPEvenue_SB.exe
Token: SeDebugPrivilege	576	EPEvenue_SB.exe
Token: 33	1508	EPEvenue_SB.exe
Token: SeIncBasePriorityPrivilege	1508	EPEvenue_SB.exe
Token: SeDebugPrivilege	1144	EPEvenue_SB.exe
Token: SeDebugPrivilege	2948	EPEvenue_SB.exe
Token: SeDebugPrivilege	1948	EPEvenue_SB.exe
Token: SeDebugPrivilege	1692	EPEvenue_SB.exe
Token: SeDebugPrivilege	2204	EPEvenue_SB.exe
Token: SeDebugPrivilege	1208	EPEvenue_SB.exe
Token: SeDebugPrivilege	3028	EPEvenue_SB.exe
Token: SeDebugPrivilege	2940	EPEvenue_SB.exe
Token: SeDebugPrivilege	2852	EPEvenue_SB.exe
Token: SeDebugPrivilege	2996	EPEvenue_SB.exe
Token: SeDebugPrivilege	1184	EPEvenue_SB.exe
Token: SeDebugPrivilege	2496	EPEvenue_SB.exe
Token: SeDebugPrivilege	988	EPEvenue_SB.exe
Token: SeDebugPrivilege	1008	EPEvenue_SB.exe
Token: SeDebugPrivilege	1380	EPEvenue_SB.exe
Token: SeDebugPrivilege	1072	EPEvenue_SB.exe
Token: SeDebugPrivilege	2120	EPEvenue_SB.exe
Token: SeDebugPrivilege	1872	EPEvenue_SB.exe
Token: SeDebugPrivilege	2932	EPEvenue_SB.exe
Token: SeDebugPrivilege	2776	EPEvenue_SB.exe
Token: SeDebugPrivilege	2788	EPEvenue_SB.exe
Token: SeDebugPrivilege	2524	EPEvenue_SB.exe
Token: SeDebugPrivilege	2792	EPEvenue_SB.exe
Token: SeDebugPrivilege	764	EPEvenue_SB.exe
Token: SeDebugPrivilege	2580	EPEvenue_SB.exe
Token: SeDebugPrivilege	2952	EPEvenue_SB.exe
Token: SeDebugPrivilege	2272	EPEvenue_SB.exe
Token: SeDebugPrivilege	2364	EPEvenue_SB.exe
Token: SeDebugPrivilege	1536	EPEvenue_SB.exe
Token: 33	1508	EPEvenue_SB.exe
Token: SeIncBasePriorityPrivilege	1508	EPEvenue_SB.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2828	2208	w.exe	29
PID 2208 wrote to memory of 2828	2208	w.exe	29
PID 2208 wrote to memory of 2828	2208	w.exe	29
PID 2208 wrote to memory of 2828	2208	w.exe	29
PID 2208 wrote to memory of 1744	2208	w.exe	31
PID 2208 wrote to memory of 1744	2208	w.exe	31
PID 2208 wrote to memory of 1744	2208	w.exe	31
PID 2208 wrote to memory of 1744	2208	w.exe	31
PID 2208 wrote to memory of 2580	2208	w.exe	33
PID 2208 wrote to memory of 2580	2208	w.exe	33
PID 2208 wrote to memory of 2580	2208	w.exe	33
PID 2208 wrote to memory of 2580	2208	w.exe	33
PID 2580 wrote to memory of 1508	2580	EPEvenue_SB.exe	34
PID 2580 wrote to memory of 1508	2580	EPEvenue_SB.exe	34
PID 2580 wrote to memory of 1508	2580	EPEvenue_SB.exe	34
PID 2580 wrote to memory of 1508	2580	EPEvenue_SB.exe	34
PID 2580 wrote to memory of 1508	2580	EPEvenue_SB.exe	34
PID 2580 wrote to memory of 1508	2580	EPEvenue_SB.exe	34
PID 2208 wrote to memory of 1332	2208	w.exe	35
PID 2208 wrote to memory of 1332	2208	w.exe	35
PID 2208 wrote to memory of 1332	2208	w.exe	35
PID 2208 wrote to memory of 1332	2208	w.exe	35
PID 1332 wrote to memory of 2876	1332	EPEvenue_SB.exe	36
PID 1332 wrote to memory of 2876	1332	EPEvenue_SB.exe	36
PID 1332 wrote to memory of 2876	1332	EPEvenue_SB.exe	36
PID 1332 wrote to memory of 2876	1332	EPEvenue_SB.exe	36
PID 1332 wrote to memory of 2876	1332	EPEvenue_SB.exe	36
PID 1332 wrote to memory of 2876	1332	EPEvenue_SB.exe	36
PID 2208 wrote to memory of 336	2208	w.exe	37
PID 2208 wrote to memory of 336	2208	w.exe	37
PID 2208 wrote to memory of 336	2208	w.exe	37
PID 2208 wrote to memory of 336	2208	w.exe	37
PID 336 wrote to memory of 1472	336	EPEvenue_SB.exe	38
PID 336 wrote to memory of 1472	336	EPEvenue_SB.exe	38
PID 336 wrote to memory of 1472	336	EPEvenue_SB.exe	38
PID 336 wrote to memory of 1472	336	EPEvenue_SB.exe	38
PID 336 wrote to memory of 1472	336	EPEvenue_SB.exe	38
PID 336 wrote to memory of 1472	336	EPEvenue_SB.exe	38
PID 2208 wrote to memory of 2376	2208	w.exe	39
PID 2208 wrote to memory of 2376	2208	w.exe	39
PID 2208 wrote to memory of 2376	2208	w.exe	39
PID 2208 wrote to memory of 2376	2208	w.exe	39
PID 2376 wrote to memory of 448	2376	EPEvenue_SB.exe	40
PID 2376 wrote to memory of 448	2376	EPEvenue_SB.exe	40
PID 2376 wrote to memory of 448	2376	EPEvenue_SB.exe	40
PID 2376 wrote to memory of 448	2376	EPEvenue_SB.exe	40
PID 2376 wrote to memory of 448	2376	EPEvenue_SB.exe	40
PID 2376 wrote to memory of 448	2376	EPEvenue_SB.exe	40
PID 2208 wrote to memory of 948	2208	w.exe	41
PID 2208 wrote to memory of 948	2208	w.exe	41
PID 2208 wrote to memory of 948	2208	w.exe	41
PID 2208 wrote to memory of 948	2208	w.exe	41
PID 948 wrote to memory of 1868	948	EPEvenue_SB.exe	42
PID 948 wrote to memory of 1868	948	EPEvenue_SB.exe	42
PID 948 wrote to memory of 1868	948	EPEvenue_SB.exe	42
PID 948 wrote to memory of 1868	948	EPEvenue_SB.exe	42
PID 948 wrote to memory of 1868	948	EPEvenue_SB.exe	42
PID 948 wrote to memory of 1868	948	EPEvenue_SB.exe	42
PID 2208 wrote to memory of 1312	2208	w.exe	43
PID 2208 wrote to memory of 1312	2208	w.exe	43
PID 2208 wrote to memory of 1312	2208	w.exe	43
PID 2208 wrote to memory of 1312	2208	w.exe	43
PID 1312 wrote to memory of 2236	1312	EPEvenue_SB.exe	44
PID 1312 wrote to memory of 2236	1312	EPEvenue_SB.exe	44

C:\Users\Admin\AppData\Local\Temp\e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Program Files (x86)\13\w.exe
"C:\Program Files (x86)\13\w.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Program Files (x86)\13\kpzs.exe
  "C:\Program Files (x86)\13\kpzs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2828
- C:\Program Files (x86)\13\kpzs.exe
  "C:\Program Files (x86)\13\kpzs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1744
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1472
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2976
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:1588
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:1208
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:2648
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:3068
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2764
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2824
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1124
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1444
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:468
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2004
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:308
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1824
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:424
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1348
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1140
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2388
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:296
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2160
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1716
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1732
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2628
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3068
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2764
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1664
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1188
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1912
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:536
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1840
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2404
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1604
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2084
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1948
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2872
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1716
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2096
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1208
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:3060
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2300
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2536
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2992
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2996
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2612
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1184
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2052
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:308
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:988
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:340
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1008
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2404
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1060
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1072
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2444
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2120
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2976
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2224
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2760
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1644
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2660
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2844
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1240
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:764
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1236
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2504
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2968
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2272
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1344
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1660
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1060
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    PID:2280
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1740
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    PID:1496
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2100
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    PID:1232

C:\Program Files (x86)\13\kpzs.exe
"C:\Program Files (x86)\13\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\93E7A491F698435282BDDE.lnk"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176

C:\Program Files (x86)\13\kpzs.exe
"C:\Program Files (x86)\13\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\03A1353E08B94e5a90F10F.lnk"
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\13\12345678.exe

Filesize
302KB

MD5
1528bb964aa3d843c2b1c11fd8293209

SHA1
489ea3fe1512799a77227c69d0c6a58c07027335

SHA256
e040320cbe34295f2dc084886da310fa369505ab490579f9d4c84a8ddb91b375

SHA512
05aa3d172ed474f7eae15faf09be0674fe8abc7c3c76b3683d665523e0aa23a308ebc3dab49ecfb1090408277f15cb42df9504857e57c9c31f4ae5f747654351

Download Submit
C:\Program Files (x86)\13\CefControl.dll

Filesize
590KB

MD5
037d4ae83b30c3ba8f7f23e54a168bb2

SHA1
05a291f0397928c30d5b8fd4980c9ffb0472a4e7

SHA256
2422e71145ae364a4992cf37eba2938e541253bec467419ea6d1f037822c77f4

SHA512
fe2119eb042044049e0916086a815b19af8873133ea85edb8657533abeea95d2608aae3a6a0519132a7d064726121ae792ba9a22d6393f43ec1f28e1f857dac4

Download Submit
C:\Program Files (x86)\13\MSVCP100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Program Files (x86)\13\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\13\XPFarmer.bpl

Filesize
1.5MB

MD5
b6b5969b658b647fa0c6ec11de139c96

SHA1
87b0e1176b5d5cae31bee708c8daa383da4adf02

SHA256
a2b6b2c4e1a49809936780149416e8cbb793a0631f81f746350c3c06fcd2bc8e

SHA512
28b4ef210ac75e5d93ed7f99ed39e7bc1d918852a5f34ff0a95d0f4c742f190a969e5be30dd1845457d0880e1ce1975fb9d5e614de5b5b5e66e362ec3bde3842

Download Submit
C:\Program Files (x86)\13\kpzs.exe

Filesize
72KB

MD5
3ffb2d1b619bd7841df50aaf619922fd

SHA1
6973d1b9f33ceb741569db9d0d1fa06712a2565e

SHA256
8ce68528e25b86977f18d42c8c5dddbd6e6f24f34a340d447f4b4db0cb96bfbe

SHA512
7855b96335088bb718215eeea63d6d36c871f3f946de3de48fcc0bb7666cc61c7922f7c84d886d19c5454d283971a5e704c2cc97795c629fc20183c29040d4da

Download Submit
C:\Program Files (x86)\13\libcef.dll

Filesize
2.3MB

MD5
973289689f5caa955afae5fc92190353

SHA1
2b1879a82bfc6f53aaf9d4dc286c59d749c38718

SHA256
8cbf2119df0183acad56d9c8db40bfcde91007cbc956b39ab15764273baa04bf

SHA512
5674e6ffa232fd85409fae66605b118eb4be226886ce3430b8d7d6039536807629907becad1c1cd0a43e680da5c5eea9755b4fff0ecb978cefb7ff9c3649b4a5

Download Submit
C:\Program Files (x86)\13\rtl70.bpl

Filesize
1.8MB

MD5
92f4a54a2ce971ef1971c05bc653bcf6

SHA1
13a5ea44bfa6b1cce7a997b6cc1408ef89cc19c4

SHA256
94bc0e96d3cbab43de9110ca979975007412e2f477b393409fbad3fc27de384f

SHA512
ebc87bd74cc81b6a2f63a064dad93d6d3814d2a18a9800c5d4b4b17d993bfead1db424863e1cba12218d1faa4dce2fe413de4f00ccf4c7225759a829cdbdc299

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\System.dll

Filesize
12KB

MD5
e38d8ff9f749ee1b141a122fec7280e0

SHA1
fbc8e410ef716fdb36977e5c16d3373a6100189a

SHA256
00f7604d4f36a728c7759f4d9cf3e30c9728c503557aac49bbcd55cfc3e4fcb4

SHA512
2b1dccf42d435445331291db94f869c4e8f6dcdfe4371969e76ee275d4e845e1d2e947c216f80484a7dd4b8e85158298e6ec7ed9add6d4259c07fdf87c316a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\skin.zip

Filesize
344KB

MD5
f89e3a65888443d9518491165d71de94

SHA1
45fbcc03d269136651d2469e211e54c4c6086ae2

SHA256
be37df145364ffcaff7dcef0c067c950f90e3e817f04d66311d6d4ded6c6f88f

SHA512
42f9cbf27377ce9d796016a0e489913df5efa1be8ca08f61943f504df887a71f7df48bfaf128a9f66a1f299555aba0a97278165f83c1dc1a954a304b387bf7c0

Download Submit
\Program Files (x86)\13\DuiLib.dll

Filesize
2.2MB

MD5
cbfc4a8bc75a556dd97981531fadd751

SHA1
25e8eccb28e804db23d1d5123f3766d29b99294f

SHA256
4640ad02300c1311697c5592acdcfa59dba923eae1f2f2cb215a4a09d5055676

SHA512
3b02ea196b431e44a242ddafb0392420f1221b95e4a987a453bf3b1f72cc9ff707df7d5ff27f421edac0b6138cfa0205a98abf1dd92c7c5defcfdae2db34988c

Download Submit
\Program Files (x86)\13\EPEvenue_SB.exe

Filesize
1.1MB

MD5
4ddce14e5c6c09bbe5154167a74d271e

SHA1
3985cd3c8b49fcaa9c9dd244ef53d9e86889a3ad

SHA256
37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a

SHA512
f49cf8709fbc1a507416cc61c0678cf153d8fab38527d8e9eece7619196e4c194be437e57de635bea511cdcde7bc62469380f97005b7202c625ae6ceb70b610b

Download Submit
\Program Files (x86)\13\vcl70.bpl

Filesize
1.3MB

MD5
16a1c27ed415d1816f8888ea2cefb3f6

SHA1
80db800b805d548f6df4eb2cb37ba2064dc37c05

SHA256
a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390

SHA512
68a3e563dd9745210eb7295cde692af68cd5fc430a95856f4823dc10e42d067f332ae1d2445e8810e0c15c3c779e195735bd311c45e9690cb05dbedcd7354306

Download Submit
\Program Files (x86)\13\w.exe

Filesize
5.2MB

MD5
dfff7fdeb342305504b35b2261eab611

SHA1
000f37471c5cf6d245848368d3eec4c1a21b624e

SHA256
2df0837884c042ec6c889702bed52df643722e9f949b4f2d7b9834ae42c6f246

SHA512
588b6f3fdf64c695c0b4465f78ae6eaf36a9b350b9ccd2fd5e891ae1b4e36329403184a2e0f60dc45d7ca33f43a0546ae24c909f3b82e5f402b03bf46fdb01d8

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\nsNiuniuSkin.dll

Filesize
288KB

MD5
1e88afb7fe5b58d09d8a1b631e442538

SHA1
9ddb655cb32d002f68bdee962ce917002faa3614

SHA256
21a9a74fd631030981cdca42ab580f5aa030068ab80c183b73e99bea2d4f7708

SHA512
a7723bd73f55a716ea450f075d7a4fc7cd2080992c56ad67b6d46fdf4e30cef386068e1f4c2c788764cb092b529589cc1119ea2d62d07e32ea6d201e3afaf876

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1F54.tmp\nsProcess.dll

Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
memory/336-179-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/336-178-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/336-181-0x0000000000790000-0x000000000090A000-memory.dmp

Filesize
1.5MB

Download
memory/336-172-0x0000000000790000-0x000000000090A000-memory.dmp

Filesize
1.5MB

Download
memory/1332-155-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/1332-149-0x00000000006D0000-0x000000000084A000-memory.dmp

Filesize
1.5MB

Download
memory/1332-156-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/1332-158-0x00000000006D0000-0x000000000084A000-memory.dmp

Filesize
1.5MB

Download
memory/1472-187-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1472-186-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1508-134-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1508-123-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1508-133-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1508-135-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1508-136-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1508-131-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/1508-122-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1508-127-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1508-125-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2376-194-0x0000000000220000-0x000000000039A000-memory.dmp

Filesize
1.5MB

Download
memory/2376-200-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2376-201-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/2376-203-0x0000000000220000-0x000000000039A000-memory.dmp

Filesize
1.5MB

Download
memory/2580-130-0x0000000000530000-0x00000000006AA000-memory.dmp

Filesize
1.5MB

Download
memory/2580-129-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/2580-128-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2580-120-0x0000000000530000-0x00000000006AA000-memory.dmp

Filesize
1.5MB

Download
memory/2876-163-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/2876-166-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2876-165-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/3016-82-0x0000000001ED0000-0x0000000001ED2000-memory.dmp

Filesize
8KB

Download
memory/3016-14-0x0000000074380000-0x000000007443C000-memory.dmp

Filesize
752KB

Download