gh0strat | a1732b9038446d9d600bb8413ca86eccf1272e26844f4b65632c22189c80f7e5

Analysis

max time kernel
154s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
Size

8.5MB
MD5

e450334557d6d45d2a873e648cdf1b50
SHA1

aee26beb05128e839d0279e779ce7cef283ef2b5
SHA256

a1732b9038446d9d600bb8413ca86eccf1272e26844f4b65632c22189c80f7e5
SHA512

4cd8ac4fa2ec37530eb9c1de4b699aafda43b8d3d86624d592995d49a574662931650e14a333c0bea754fde3bfd76295988375e31b7ff2786d3205b92d7fdb31
SSDEEP

196608:0yEbq8kKU1qXD0QwAIYfIFtCe8lN4XuWEA1HaugJKvgabfT8z//QTDQsNkEC1:0mK8qjwAaCe8f4eWVYKoabfT6QT0s2E6

Score

10^/10

gh0strat discovery rat upx

Malware Config

Signatures

Gh0st RAT payload 10 IoCs

resource	yara_rule
behavioral2/memory/2956-141-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/2956-140-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/2956-143-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/2212-167-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/2212-168-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/2956-142-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/972-191-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/972-192-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/4916-207-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat
behavioral2/memory/4916-208-0x0000000010000000-0x000000001018F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000800000002324c-9.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	w.exe

Executes dropped EXE 64 IoCs

pid	Process
1212	w.exe
2132	kpzs.exe
1068	kpzs.exe
1444	kpzs.exe
4328	kpzs.exe
4728	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
4044	EPEvenue_SB.exe
2212	EPEvenue_SB.exe
2064	EPEvenue_SB.exe
972	EPEvenue_SB.exe
2448	EPEvenue_SB.exe
4916	EPEvenue_SB.exe
2336	EPEvenue_SB.exe
1904	EPEvenue_SB.exe
4924	EPEvenue_SB.exe
2616	EPEvenue_SB.exe
4732	EPEvenue_SB.exe
4728	EPEvenue_SB.exe
3772	EPEvenue_SB.exe
1924	EPEvenue_SB.exe
232	EPEvenue_SB.exe
5036	EPEvenue_SB.exe
3784	EPEvenue_SB.exe
3748	EPEvenue_SB.exe
1512	EPEvenue_SB.exe
1580	EPEvenue_SB.exe
712	EPEvenue_SB.exe
2332	EPEvenue_SB.exe
2788	EPEvenue_SB.exe
3696	EPEvenue_SB.exe
3588	EPEvenue_SB.exe
3628	EPEvenue_SB.exe
3616	EPEvenue_SB.exe
1612	EPEvenue_SB.exe
4604	EPEvenue_SB.exe
3788	EPEvenue_SB.exe
2928	EPEvenue_SB.exe
4224	EPEvenue_SB.exe
2396	EPEvenue_SB.exe
1396	EPEvenue_SB.exe
116	EPEvenue_SB.exe
1080	EPEvenue_SB.exe
2864	EPEvenue_SB.exe
4984	EPEvenue_SB.exe
2248	EPEvenue_SB.exe
2568	EPEvenue_SB.exe
3668	EPEvenue_SB.exe
2740	EPEvenue_SB.exe
2836	EPEvenue_SB.exe
3260	EPEvenue_SB.exe
1768	EPEvenue_SB.exe
2040	EPEvenue_SB.exe
1388	EPEvenue_SB.exe
4488	EPEvenue_SB.exe
2396	EPEvenue_SB.exe
788	EPEvenue_SB.exe
2260	EPEvenue_SB.exe
5044	EPEvenue_SB.exe
2784	EPEvenue_SB.exe
3248	EPEvenue_SB.exe
628	EPEvenue_SB.exe
4676	EPEvenue_SB.exe
100	EPEvenue_SB.exe

Loads dropped DLL 64 IoCs

pid	Process
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
1212	w.exe
1212	w.exe
1212	w.exe
1212	w.exe
2132	kpzs.exe
2132	kpzs.exe
1068	kpzs.exe
1068	kpzs.exe
1444	kpzs.exe
1444	kpzs.exe
4328	kpzs.exe
4328	kpzs.exe
4328	kpzs.exe
4728	EPEvenue_SB.exe
4728	EPEvenue_SB.exe
4728	EPEvenue_SB.exe
4728	EPEvenue_SB.exe
4728	EPEvenue_SB.exe
4728	EPEvenue_SB.exe
4044	EPEvenue_SB.exe
4044	EPEvenue_SB.exe
4044	EPEvenue_SB.exe
4044	EPEvenue_SB.exe
4044	EPEvenue_SB.exe
2064	EPEvenue_SB.exe
2064	EPEvenue_SB.exe
2064	EPEvenue_SB.exe
2064	EPEvenue_SB.exe
2064	EPEvenue_SB.exe
2064	EPEvenue_SB.exe
2064	EPEvenue_SB.exe
2448	EPEvenue_SB.exe
2448	EPEvenue_SB.exe
2448	EPEvenue_SB.exe
2448	EPEvenue_SB.exe
2448	EPEvenue_SB.exe
2448	EPEvenue_SB.exe
2448	EPEvenue_SB.exe
2336	EPEvenue_SB.exe
2336	EPEvenue_SB.exe
2336	EPEvenue_SB.exe
2336	EPEvenue_SB.exe
2336	EPEvenue_SB.exe
2336	EPEvenue_SB.exe
4924	EPEvenue_SB.exe
4924	EPEvenue_SB.exe
4924	EPEvenue_SB.exe
4924	EPEvenue_SB.exe
4924	EPEvenue_SB.exe
4924	EPEvenue_SB.exe
4924	EPEvenue_SB.exe
4732	EPEvenue_SB.exe
4732	EPEvenue_SB.exe
4732	EPEvenue_SB.exe
4732	EPEvenue_SB.exe
4732	EPEvenue_SB.exe
4732	EPEvenue_SB.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000800000002324c-9.dat	upx
behavioral2/memory/224-11-0x0000000074F90000-0x000000007504C000-memory.dmp	upx
behavioral2/memory/224-45-0x0000000074F90000-0x000000007504C000-memory.dmp	upx
behavioral2/memory/2956-141-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/2956-140-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/2956-138-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/2956-143-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/2212-167-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/2212-168-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/2956-142-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/972-191-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/972-192-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/4916-207-0x0000000010000000-0x000000001018F000-memory.dmp	upx
behavioral2/memory/4916-208-0x0000000010000000-0x000000001018F000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	EPEvenue_SB.exe
File opened (read-only)	\??\L:	EPEvenue_SB.exe
File opened (read-only)	\??\R:	EPEvenue_SB.exe
File opened (read-only)	\??\T:	EPEvenue_SB.exe
File opened (read-only)	\??\E:	EPEvenue_SB.exe
File opened (read-only)	\??\M:	EPEvenue_SB.exe
File opened (read-only)	\??\O:	EPEvenue_SB.exe
File opened (read-only)	\??\P:	EPEvenue_SB.exe
File opened (read-only)	\??\Q:	EPEvenue_SB.exe
File opened (read-only)	\??\W:	EPEvenue_SB.exe
File opened (read-only)	\??\X:	EPEvenue_SB.exe
File opened (read-only)	\??\Z:	EPEvenue_SB.exe
File opened (read-only)	\??\J:	EPEvenue_SB.exe
File opened (read-only)	\??\S:	EPEvenue_SB.exe
File opened (read-only)	\??\U:	EPEvenue_SB.exe
File opened (read-only)	\??\V:	EPEvenue_SB.exe
File opened (read-only)	\??\B:	EPEvenue_SB.exe
File opened (read-only)	\??\H:	EPEvenue_SB.exe
File opened (read-only)	\??\K:	EPEvenue_SB.exe
File opened (read-only)	\??\N:	EPEvenue_SB.exe
File opened (read-only)	\??\Y:	EPEvenue_SB.exe
File opened (read-only)	\??\G:	EPEvenue_SB.exe

Suspicious use of SetThreadContext 43 IoCs

description	pid	Process	procid_target
PID 4728 set thread context of 2956	4728	EPEvenue_SB.exe	108
PID 4044 set thread context of 2212	4044	EPEvenue_SB.exe	110
PID 2064 set thread context of 972	2064	EPEvenue_SB.exe	112
PID 2448 set thread context of 4916	2448	EPEvenue_SB.exe	114
PID 2336 set thread context of 1904	2336	EPEvenue_SB.exe	116
PID 4924 set thread context of 2616	4924	EPEvenue_SB.exe	118
PID 4732 set thread context of 4728	4732	EPEvenue_SB.exe	120
PID 3772 set thread context of 1924	3772	EPEvenue_SB.exe	122
PID 232 set thread context of 5036	232	EPEvenue_SB.exe	124
PID 3784 set thread context of 3748	3784	EPEvenue_SB.exe	126
PID 1512 set thread context of 1580	1512	EPEvenue_SB.exe	128
PID 712 set thread context of 2332	712	EPEvenue_SB.exe	130
PID 2788 set thread context of 3696	2788	EPEvenue_SB.exe	132
PID 3588 set thread context of 3628	3588	EPEvenue_SB.exe	134
PID 3616 set thread context of 1612	3616	EPEvenue_SB.exe	136
PID 4604 set thread context of 3788	4604	EPEvenue_SB.exe	138
PID 2928 set thread context of 4224	2928	EPEvenue_SB.exe	140
PID 2396 set thread context of 1396	2396	EPEvenue_SB.exe	142
PID 116 set thread context of 1080	116	EPEvenue_SB.exe	144
PID 2864 set thread context of 4984	2864	EPEvenue_SB.exe	146
PID 2248 set thread context of 2568	2248	EPEvenue_SB.exe	148
PID 3668 set thread context of 2740	3668	EPEvenue_SB.exe	150
PID 2836 set thread context of 3260	2836	EPEvenue_SB.exe	152
PID 1768 set thread context of 2040	1768	EPEvenue_SB.exe	154
PID 1388 set thread context of 4488	1388	EPEvenue_SB.exe	156
PID 2396 set thread context of 788	2396	EPEvenue_SB.exe	158
PID 2260 set thread context of 5044	2260	EPEvenue_SB.exe	160
PID 2784 set thread context of 3248	2784	EPEvenue_SB.exe	162
PID 628 set thread context of 4676	628	EPEvenue_SB.exe	164
PID 100 set thread context of 2136	100	EPEvenue_SB.exe	166
PID 2716 set thread context of 2708	2716	EPEvenue_SB.exe	168
PID 3152 set thread context of 4712	3152	EPEvenue_SB.exe	170
PID 648 set thread context of 2580	648	EPEvenue_SB.exe	172
PID 3592 set thread context of 4008	3592	EPEvenue_SB.exe	174
PID 4000 set thread context of 952	4000	EPEvenue_SB.exe	176
PID 3000 set thread context of 2396	3000	EPEvenue_SB.exe	178
PID 1868 set thread context of 2260	1868	EPEvenue_SB.exe	180
PID 2432 set thread context of 2784	2432	EPEvenue_SB.exe	182
PID 764 set thread context of 556	764	EPEvenue_SB.exe	184
PID 4136 set thread context of 4472	4136	EPEvenue_SB.exe	186
PID 3668 set thread context of 772	3668	EPEvenue_SB.exe	188
PID 4960 set thread context of 3460	4960	EPEvenue_SB.exe	190
PID 3500 set thread context of 2792	3500	EPEvenue_SB.exe	192

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\13\DuiLib.dll	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\msvcr100.exe	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\12345678.EXE	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\msvcp100.dll	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\w.exe	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\kpzs.exe	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\libcef.dll	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\msvcr100.dll	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\rtl70.bpl	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\CefControl.dll	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\EPEvenue_SB.exe	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\vcl70.bpl	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
File created	C:\Program Files (x86)\13\XPFarmer.bpl	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	EPEvenue_SB.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EPEvenue_SB.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
224	e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
1212	w.exe
1212	w.exe
1212	w.exe
1212	w.exe
1212	w.exe
1212	w.exe
1212	w.exe
1212	w.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe
2956	EPEvenue_SB.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	EPEvenue_SB.exe
Token: SeDebugPrivilege	2212	EPEvenue_SB.exe
Token: SeDebugPrivilege	972	EPEvenue_SB.exe
Token: SeDebugPrivilege	4916	EPEvenue_SB.exe
Token: SeDebugPrivilege	1904	EPEvenue_SB.exe
Token: SeDebugPrivilege	2616	EPEvenue_SB.exe
Token: SeDebugPrivilege	4728	EPEvenue_SB.exe
Token: SeDebugPrivilege	1924	EPEvenue_SB.exe
Token: SeDebugPrivilege	5036	EPEvenue_SB.exe
Token: SeDebugPrivilege	3748	EPEvenue_SB.exe
Token: SeDebugPrivilege	1580	EPEvenue_SB.exe
Token: SeDebugPrivilege	2332	EPEvenue_SB.exe
Token: SeDebugPrivilege	3696	EPEvenue_SB.exe
Token: SeDebugPrivilege	3628	EPEvenue_SB.exe
Token: SeDebugPrivilege	1612	EPEvenue_SB.exe
Token: SeDebugPrivilege	3788	EPEvenue_SB.exe
Token: SeDebugPrivilege	4224	EPEvenue_SB.exe
Token: SeDebugPrivilege	1396	EPEvenue_SB.exe
Token: SeDebugPrivilege	1080	EPEvenue_SB.exe
Token: SeDebugPrivilege	4984	EPEvenue_SB.exe
Token: SeDebugPrivilege	2568	EPEvenue_SB.exe
Token: SeDebugPrivilege	2740	EPEvenue_SB.exe
Token: SeDebugPrivilege	3260	EPEvenue_SB.exe
Token: SeDebugPrivilege	2040	EPEvenue_SB.exe
Token: SeDebugPrivilege	4488	EPEvenue_SB.exe
Token: SeDebugPrivilege	788	EPEvenue_SB.exe
Token: SeDebugPrivilege	5044	EPEvenue_SB.exe
Token: SeDebugPrivilege	3248	EPEvenue_SB.exe
Token: SeDebugPrivilege	4676	EPEvenue_SB.exe
Token: SeDebugPrivilege	2136	EPEvenue_SB.exe
Token: 33	2956	EPEvenue_SB.exe
Token: SeIncBasePriorityPrivilege	2956	EPEvenue_SB.exe
Token: SeDebugPrivilege	2708	EPEvenue_SB.exe
Token: SeDebugPrivilege	4712	EPEvenue_SB.exe
Token: SeDebugPrivilege	2580	EPEvenue_SB.exe
Token: SeDebugPrivilege	4008	EPEvenue_SB.exe
Token: SeDebugPrivilege	952	EPEvenue_SB.exe
Token: SeDebugPrivilege	2396	EPEvenue_SB.exe
Token: SeDebugPrivilege	2260	EPEvenue_SB.exe
Token: SeDebugPrivilege	2784	EPEvenue_SB.exe
Token: SeDebugPrivilege	556	EPEvenue_SB.exe
Token: SeDebugPrivilege	4472	EPEvenue_SB.exe
Token: SeDebugPrivilege	772	EPEvenue_SB.exe
Token: SeDebugPrivilege	3460	EPEvenue_SB.exe
Token: SeDebugPrivilege	2792	EPEvenue_SB.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1212	w.exe
2132	kpzs.exe
1068	kpzs.exe
1444	kpzs.exe
4328	kpzs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2132	1212	w.exe	94
PID 1212 wrote to memory of 2132	1212	w.exe	94
PID 1212 wrote to memory of 2132	1212	w.exe	94
PID 1212 wrote to memory of 1444	1212	w.exe	104
PID 1212 wrote to memory of 1444	1212	w.exe	104
PID 1212 wrote to memory of 1444	1212	w.exe	104
PID 1212 wrote to memory of 4728	1212	w.exe	120
PID 1212 wrote to memory of 4728	1212	w.exe	120
PID 1212 wrote to memory of 4728	1212	w.exe	120
PID 4728 wrote to memory of 2956	4728	EPEvenue_SB.exe	108
PID 4728 wrote to memory of 2956	4728	EPEvenue_SB.exe	108
PID 4728 wrote to memory of 2956	4728	EPEvenue_SB.exe	108
PID 4728 wrote to memory of 2956	4728	EPEvenue_SB.exe	108
PID 4728 wrote to memory of 2956	4728	EPEvenue_SB.exe	108
PID 1212 wrote to memory of 4044	1212	w.exe	109
PID 1212 wrote to memory of 4044	1212	w.exe	109
PID 1212 wrote to memory of 4044	1212	w.exe	109
PID 4044 wrote to memory of 2212	4044	EPEvenue_SB.exe	110
PID 4044 wrote to memory of 2212	4044	EPEvenue_SB.exe	110
PID 4044 wrote to memory of 2212	4044	EPEvenue_SB.exe	110
PID 4044 wrote to memory of 2212	4044	EPEvenue_SB.exe	110
PID 4044 wrote to memory of 2212	4044	EPEvenue_SB.exe	110
PID 1212 wrote to memory of 2064	1212	w.exe	111
PID 1212 wrote to memory of 2064	1212	w.exe	111
PID 1212 wrote to memory of 2064	1212	w.exe	111
PID 2064 wrote to memory of 972	2064	EPEvenue_SB.exe	112
PID 2064 wrote to memory of 972	2064	EPEvenue_SB.exe	112
PID 2064 wrote to memory of 972	2064	EPEvenue_SB.exe	112
PID 2064 wrote to memory of 972	2064	EPEvenue_SB.exe	112
PID 2064 wrote to memory of 972	2064	EPEvenue_SB.exe	112
PID 1212 wrote to memory of 2448	1212	w.exe	113
PID 1212 wrote to memory of 2448	1212	w.exe	113
PID 1212 wrote to memory of 2448	1212	w.exe	113
PID 2448 wrote to memory of 4916	2448	EPEvenue_SB.exe	114
PID 2448 wrote to memory of 4916	2448	EPEvenue_SB.exe	114
PID 2448 wrote to memory of 4916	2448	EPEvenue_SB.exe	114
PID 2448 wrote to memory of 4916	2448	EPEvenue_SB.exe	114
PID 2448 wrote to memory of 4916	2448	EPEvenue_SB.exe	114
PID 1212 wrote to memory of 2336	1212	w.exe	115
PID 1212 wrote to memory of 2336	1212	w.exe	115
PID 1212 wrote to memory of 2336	1212	w.exe	115
PID 2336 wrote to memory of 1904	2336	EPEvenue_SB.exe	116
PID 2336 wrote to memory of 1904	2336	EPEvenue_SB.exe	116
PID 2336 wrote to memory of 1904	2336	EPEvenue_SB.exe	116
PID 2336 wrote to memory of 1904	2336	EPEvenue_SB.exe	116
PID 2336 wrote to memory of 1904	2336	EPEvenue_SB.exe	116
PID 1212 wrote to memory of 4924	1212	w.exe	117
PID 1212 wrote to memory of 4924	1212	w.exe	117
PID 1212 wrote to memory of 4924	1212	w.exe	117
PID 4924 wrote to memory of 2616	4924	EPEvenue_SB.exe	118
PID 4924 wrote to memory of 2616	4924	EPEvenue_SB.exe	118
PID 4924 wrote to memory of 2616	4924	EPEvenue_SB.exe	118
PID 4924 wrote to memory of 2616	4924	EPEvenue_SB.exe	118
PID 4924 wrote to memory of 2616	4924	EPEvenue_SB.exe	118
PID 1212 wrote to memory of 4732	1212	w.exe	119
PID 1212 wrote to memory of 4732	1212	w.exe	119
PID 1212 wrote to memory of 4732	1212	w.exe	119
PID 4732 wrote to memory of 4728	4732	EPEvenue_SB.exe	120
PID 4732 wrote to memory of 4728	4732	EPEvenue_SB.exe	120
PID 4732 wrote to memory of 4728	4732	EPEvenue_SB.exe	120
PID 4732 wrote to memory of 4728	4732	EPEvenue_SB.exe	120
PID 4732 wrote to memory of 4728	4732	EPEvenue_SB.exe	120
PID 1212 wrote to memory of 3772	1212	w.exe	121
PID 1212 wrote to memory of 3772	1212	w.exe	121

C:\Users\Admin\AppData\Local\Temp\e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e450334557d6d45d2a873e648cdf1b50_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Program Files (x86)\13\w.exe
"C:\Program Files (x86)\13\w.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Program Files (x86)\13\kpzs.exe
  "C:\Program Files (x86)\13\kpzs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2132
- C:\Program Files (x86)\13\kpzs.exe
  "C:\Program Files (x86)\13\kpzs.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1444
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:972
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4732
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3772
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:232
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3784
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1512
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:712
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2788
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3696
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3588
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3616
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4604
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3788
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2928
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4224
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2396
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1396
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:116
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2864
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2248
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3668
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2836
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3260
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1768
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1388
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4488
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2396
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:788
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2260
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5044
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2784
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:628
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:100
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2716
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:3152
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4712
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:648
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:3592
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4008
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:4000
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:3000
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:1868
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:2432
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:764
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:4136
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4472
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:3668
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:4960
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- C:\Program Files (x86)\13\EPEvenue_SB.exe
  "C:\Program Files (x86)\13\EPEvenue_SB.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:3500
- - C:\Program Files (x86)\13\EPEvenue_SB.exe
    "C:\Program Files (x86)\13\EPEvenue_SB.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c08afd90-f2a1-11d1-8455-00a0c91f3880} -Embedding
1⤵
PID:4660

C:\Program Files (x86)\13\kpzs.exe
"C:\Program Files (x86)\13\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\A2F6B8F63EA54eee8B84D7.lnk"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Program Files (x86)\13\kpzs.exe
"C:\Program Files (x86)\13\kpzs.exe" "C:\Users\Admin\AppData\Local\Temp\\19C8C01105F54d94A88515.lnk"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4368 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:4048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\13\12345678.exe

Filesize
302KB

MD5
1528bb964aa3d843c2b1c11fd8293209

SHA1
489ea3fe1512799a77227c69d0c6a58c07027335

SHA256
e040320cbe34295f2dc084886da310fa369505ab490579f9d4c84a8ddb91b375

SHA512
05aa3d172ed474f7eae15faf09be0674fe8abc7c3c76b3683d665523e0aa23a308ebc3dab49ecfb1090408277f15cb42df9504857e57c9c31f4ae5f747654351

Download Submit
C:\Program Files (x86)\13\CefControl.dll

Filesize
590KB

MD5
037d4ae83b30c3ba8f7f23e54a168bb2

SHA1
05a291f0397928c30d5b8fd4980c9ffb0472a4e7

SHA256
2422e71145ae364a4992cf37eba2938e541253bec467419ea6d1f037822c77f4

SHA512
fe2119eb042044049e0916086a815b19af8873133ea85edb8657533abeea95d2608aae3a6a0519132a7d064726121ae792ba9a22d6393f43ec1f28e1f857dac4

Download Submit
C:\Program Files (x86)\13\DuiLib.dll

Filesize
2.2MB

MD5
cbfc4a8bc75a556dd97981531fadd751

SHA1
25e8eccb28e804db23d1d5123f3766d29b99294f

SHA256
4640ad02300c1311697c5592acdcfa59dba923eae1f2f2cb215a4a09d5055676

SHA512
3b02ea196b431e44a242ddafb0392420f1221b95e4a987a453bf3b1f72cc9ff707df7d5ff27f421edac0b6138cfa0205a98abf1dd92c7c5defcfdae2db34988c

Download Submit
C:\Program Files (x86)\13\EPEvenue_SB.exe

Filesize
1.1MB

MD5
4ddce14e5c6c09bbe5154167a74d271e

SHA1
3985cd3c8b49fcaa9c9dd244ef53d9e86889a3ad

SHA256
37865f209c91b291282c51515a868e6993070d3d7594cf931b42f5a6a8f09a3a

SHA512
f49cf8709fbc1a507416cc61c0678cf153d8fab38527d8e9eece7619196e4c194be437e57de635bea511cdcde7bc62469380f97005b7202c625ae6ceb70b610b

Download Submit
C:\Program Files (x86)\13\MSVCP100.dll

Filesize
411KB

MD5
e3c817f7fe44cc870ecdbcbc3ea36132

SHA1
2ada702a0c143a7ae39b7de16a4b5cc994d2548b

SHA256
d769fafa2b3232de9fa7153212ba287f68e745257f1c00fafb511e7a02de7adf

SHA512
4fcf3fcdd27c97a714e173aa221f53df6c152636d77dea49e256a9788f2d3f2c2d7315dd0b4d72ecefc553082f9149b8580779abb39891a88907f16ec9e13cbe

Download Submit
C:\Program Files (x86)\13\MSVCR100.dll

Filesize
755KB

MD5
bf38660a9125935658cfa3e53fdc7d65

SHA1
0b51fb415ec89848f339f8989d323bea722bfd70

SHA256
60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa

SHA512
25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

Download Submit
C:\Program Files (x86)\13\XPFarmer.bpl

Filesize
1.5MB

MD5
b6b5969b658b647fa0c6ec11de139c96

SHA1
87b0e1176b5d5cae31bee708c8daa383da4adf02

SHA256
a2b6b2c4e1a49809936780149416e8cbb793a0631f81f746350c3c06fcd2bc8e

SHA512
28b4ef210ac75e5d93ed7f99ed39e7bc1d918852a5f34ff0a95d0f4c742f190a969e5be30dd1845457d0880e1ce1975fb9d5e614de5b5b5e66e362ec3bde3842

Download Submit
C:\Program Files (x86)\13\kpzs.exe

Filesize
72KB

MD5
3ffb2d1b619bd7841df50aaf619922fd

SHA1
6973d1b9f33ceb741569db9d0d1fa06712a2565e

SHA256
8ce68528e25b86977f18d42c8c5dddbd6e6f24f34a340d447f4b4db0cb96bfbe

SHA512
7855b96335088bb718215eeea63d6d36c871f3f946de3de48fcc0bb7666cc61c7922f7c84d886d19c5454d283971a5e704c2cc97795c629fc20183c29040d4da

Download Submit
C:\Program Files (x86)\13\libcef.dll

Filesize
2.3MB

MD5
973289689f5caa955afae5fc92190353

SHA1
2b1879a82bfc6f53aaf9d4dc286c59d749c38718

SHA256
8cbf2119df0183acad56d9c8db40bfcde91007cbc956b39ab15764273baa04bf

SHA512
5674e6ffa232fd85409fae66605b118eb4be226886ce3430b8d7d6039536807629907becad1c1cd0a43e680da5c5eea9755b4fff0ecb978cefb7ff9c3649b4a5

Download Submit
C:\Program Files (x86)\13\rtl70.bpl

Filesize
1.8MB

MD5
92f4a54a2ce971ef1971c05bc653bcf6

SHA1
13a5ea44bfa6b1cce7a997b6cc1408ef89cc19c4

SHA256
94bc0e96d3cbab43de9110ca979975007412e2f477b393409fbad3fc27de384f

SHA512
ebc87bd74cc81b6a2f63a064dad93d6d3814d2a18a9800c5d4b4b17d993bfead1db424863e1cba12218d1faa4dce2fe413de4f00ccf4c7225759a829cdbdc299

Download Submit
C:\Program Files (x86)\13\vcl70.bpl

Filesize
1.3MB

MD5
16a1c27ed415d1816f8888ea2cefb3f6

SHA1
80db800b805d548f6df4eb2cb37ba2064dc37c05

SHA256
a7a26cbf6968063c51d4d70f4599f295e4a88e352f19bdd475f3416e6411c390

SHA512
68a3e563dd9745210eb7295cde692af68cd5fc430a95856f4823dc10e42d067f332ae1d2445e8810e0c15c3c779e195735bd311c45e9690cb05dbedcd7354306

Download Submit
C:\Program Files (x86)\13\w.exe

Filesize
5.2MB

MD5
dfff7fdeb342305504b35b2261eab611

SHA1
000f37471c5cf6d245848368d3eec4c1a21b624e

SHA256
2df0837884c042ec6c889702bed52df643722e9f949b4f2d7b9834ae42c6f246

SHA512
588b6f3fdf64c695c0b4465f78ae6eaf36a9b350b9ccd2fd5e891ae1b4e36329403184a2e0f60dc45d7ca33f43a0546ae24c909f3b82e5f402b03bf46fdb01d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2D94.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2D94.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2D94.tmp\System.dll

Filesize
12KB

MD5
e38d8ff9f749ee1b141a122fec7280e0

SHA1
fbc8e410ef716fdb36977e5c16d3373a6100189a

SHA256
00f7604d4f36a728c7759f4d9cf3e30c9728c503557aac49bbcd55cfc3e4fcb4

SHA512
2b1dccf42d435445331291db94f869c4e8f6dcdfe4371969e76ee275d4e845e1d2e947c216f80484a7dd4b8e85158298e6ec7ed9add6d4259c07fdf87c316a8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2D94.tmp\nsNiuniuSkin.dll

Filesize
288KB

MD5
1e88afb7fe5b58d09d8a1b631e442538

SHA1
9ddb655cb32d002f68bdee962ce917002faa3614

SHA256
21a9a74fd631030981cdca42ab580f5aa030068ab80c183b73e99bea2d4f7708

SHA512
a7723bd73f55a716ea450f075d7a4fc7cd2080992c56ad67b6d46fdf4e30cef386068e1f4c2c788764cb092b529589cc1119ea2d62d07e32ea6d201e3afaf876

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2D94.tmp\nsProcess.dll

Filesize
4KB

MD5
88d3e48d1c1a051c702d47046ade7b4c

SHA1
8fc805a8b7900b6ba895d1b809a9f3ad4c730d23

SHA256
51da07da18a5486b11e0d51ebff77a3f2fcbb4d66b5665d212cc6bda480c4257

SHA512
83299dd948b40b4e2c226256d018716dbacfa739d8e882131c7f4c028c0913bc4ed9d770deb252931f3d4890f8f385bd43dcf2a5bfe5b922ec35f4b3144247a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2D94.tmp\skin.zip

Filesize
344KB

MD5
f89e3a65888443d9518491165d71de94

SHA1
45fbcc03d269136651d2469e211e54c4c6086ae2

SHA256
be37df145364ffcaff7dcef0c067c950f90e3e817f04d66311d6d4ded6c6f88f

SHA512
42f9cbf27377ce9d796016a0e489913df5efa1be8ca08f61943f504df887a71f7df48bfaf128a9f66a1f299555aba0a97278165f83c1dc1a954a304b387bf7c0

Download Submit
memory/224-11-0x0000000074F90000-0x000000007504C000-memory.dmp

Filesize
752KB

Download
memory/224-45-0x0000000074F90000-0x000000007504C000-memory.dmp

Filesize
752KB

Download
memory/972-192-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/972-191-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/2064-185-0x0000000000990000-0x0000000000B0A000-memory.dmp

Filesize
1.5MB

Download
memory/2064-184-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/2064-183-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2064-180-0x0000000000990000-0x0000000000B0A000-memory.dmp

Filesize
1.5MB

Download
memory/2212-169-0x0000000000450000-0x0000000000519000-memory.dmp

Filesize
804KB

Download
memory/2212-167-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/2212-170-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2212-168-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/2448-199-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2448-201-0x0000000000A20000-0x0000000000B9A000-memory.dmp

Filesize
1.5MB

Download
memory/2448-200-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/2448-197-0x0000000000A20000-0x0000000000B9A000-memory.dmp

Filesize
1.5MB

Download
memory/2956-132-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2956-142-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/2956-141-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/2956-140-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/2956-134-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/2956-138-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/2956-143-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/4044-159-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4044-162-0x0000000000A60000-0x0000000000BDA000-memory.dmp

Filesize
1.5MB

Download
memory/4044-161-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/4044-156-0x0000000000A60000-0x0000000000BDA000-memory.dmp

Filesize
1.5MB

Download
memory/4728-136-0x00000000400C0000-0x0000000040218000-memory.dmp

Filesize
1.3MB

Download
memory/4728-130-0x0000000000AD0000-0x0000000000C4A000-memory.dmp

Filesize
1.5MB

Download
memory/4728-135-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/4728-137-0x0000000000AD0000-0x0000000000C4A000-memory.dmp

Filesize
1.5MB

Download
memory/4916-207-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download
memory/4916-208-0x0000000010000000-0x000000001018F000-memory.dmp

Filesize
1.6MB

Download