nanocore | c18840a37679170657aafa5493758eabf62316ebca074d012bde8181436d96d3

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-29_f75dba012f1fb6995ba2bb64aa238672_black-basta_luca-stealer_metamorfo.exe
Size

1.5MB
MD5

f75dba012f1fb6995ba2bb64aa238672
SHA1

62ff586d4d6587d6364e8032c461fa5c554bc998
SHA256

c18840a37679170657aafa5493758eabf62316ebca074d012bde8181436d96d3
SHA512

45c8c635066eff67072b437cc98f3d916c2d51611ce3deb518171b3d1d060c62e53833be533a14d2afb7705ac4b2ca6e6064f781d7b09d076851a588889c7b88
SSDEEP

24576:6NA3R5drXDFdU4NevOUud0yTTBjExweTzqc4I+dqLIS9z1Aj3eJ3:z5vUaySd05aMzl4IMmIez1Aj3u3

Score

10^/10

nanocore defense_evasion discovery keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

christiantony388.ddns.net:7690

91.193.75.138:7690

Mutex

241a22e3-2377-4481-a4e9-b295cb644c2f

Attributes

activate_away_mode
false
backup_connection_host
91.193.75.138
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2019-08-26T03:06:00.164457636Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
4000
connection_port
7690
default_group
NOV19
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
241a22e3-2377-4481-a4e9-b295cb644c2f
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
christiantony388.ddns.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Nanocore family
nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	2025-03-29_f75dba012f1fb6995ba2bb64aa238672_black-basta_luca-stealer_metamorfo.exe

Executes dropped EXE 64 IoCs

pid	Process
2548	jevbrodkii.pif
4076	jevbrodkii.pif
3756	RegSvcs.exe
4904	jevbrodkii.pif
1880	RegSvcs.exe
964	jevbrodkii.pif
3252	RegSvcs.exe
4880	jevbrodkii.pif
4592	RegSvcs.exe
1536	jevbrodkii.pif
2364	RegSvcs.exe
1900	jevbrodkii.pif
2992	RegSvcs.exe
3744	jevbrodkii.pif
4956	RegSvcs.exe
3760	jevbrodkii.pif
4224	RegSvcs.exe
3944	jevbrodkii.pif
1612	RegSvcs.exe
2300	jevbrodkii.pif
4288	RegSvcs.exe
3144	jevbrodkii.pif
632	RegSvcs.exe
4628	jevbrodkii.pif
4916	RegSvcs.exe
4152	jevbrodkii.pif
2512	RegSvcs.exe
1960	jevbrodkii.pif
1160	RegSvcs.exe
4888	jevbrodkii.pif
3864	RegSvcs.exe
4456	jevbrodkii.pif
1632	RegSvcs.exe
3744	jevbrodkii.pif
4964	RegSvcs.exe
4172	jevbrodkii.pif
2644	RegSvcs.exe
4228	jevbrodkii.pif
808	RegSvcs.exe
1972	jevbrodkii.pif
3944	RegSvcs.exe
3408	jevbrodkii.pif
4880	RegSvcs.exe
432	jevbrodkii.pif
4976	RegSvcs.exe
428	jevbrodkii.pif
4564	RegSvcs.exe
4108	jevbrodkii.pif
1528	RegSvcs.exe
4596	jevbrodkii.pif
2492	RegSvcs.exe
4576	jevbrodkii.pif
4212	RegSvcs.exe
2980	jevbrodkii.pif
3868	RegSvcs.exe
4020	jevbrodkii.pif
808	RegSvcs.exe
5088	jevbrodkii.pif
1160	RegSvcs.exe
4204	jevbrodkii.pif
2908	RegSvcs.exe
4648	jevbrodkii.pif
1816	RegSvcs.exe
3464	jevbrodkii.pif

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Service = "C:\\Program Files (x86)\\LAN Service\\lansvc.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\JEVBRO~1.PIF C:\\Users\\Admin\\AppData\\Local\\Temp\\81159274\\nghje.ebi"	jevbrodkii.pif

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegSvcs.exe

Suspicious use of SetThreadContext 50 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 3756	2548	jevbrodkii.pif	100
PID 4076 set thread context of 1880	4076	jevbrodkii.pif	111
PID 4904 set thread context of 3252	4904	jevbrodkii.pif	117
PID 964 set thread context of 4592	964	jevbrodkii.pif	121
PID 4880 set thread context of 2364	4880	jevbrodkii.pif	125
PID 1536 set thread context of 2992	1536	jevbrodkii.pif	129
PID 1900 set thread context of 4956	1900	jevbrodkii.pif	133
PID 3744 set thread context of 4224	3744	jevbrodkii.pif	137
PID 3760 set thread context of 1612	3760	jevbrodkii.pif	142
PID 3944 set thread context of 4288	3944	jevbrodkii.pif	146
PID 2300 set thread context of 632	2300	jevbrodkii.pif	152
PID 3144 set thread context of 4916	3144	jevbrodkii.pif	157
PID 4628 set thread context of 2512	4628	jevbrodkii.pif	164
PID 4152 set thread context of 1160	4152	jevbrodkii.pif	168
PID 1960 set thread context of 3864	1960	jevbrodkii.pif	172
PID 4888 set thread context of 1632	4888	jevbrodkii.pif	176
PID 4456 set thread context of 4964	4456	jevbrodkii.pif	180
PID 3744 set thread context of 2644	3744	jevbrodkii.pif	184
PID 4172 set thread context of 808	4172	jevbrodkii.pif	188
PID 4228 set thread context of 3944	4228	jevbrodkii.pif	192
PID 1972 set thread context of 4880	1972	jevbrodkii.pif	196
PID 3408 set thread context of 4976	3408	jevbrodkii.pif	200
PID 432 set thread context of 4564	432	jevbrodkii.pif	204
PID 428 set thread context of 1528	428	jevbrodkii.pif	209
PID 4108 set thread context of 2492	4108	jevbrodkii.pif	213
PID 4596 set thread context of 4212	4596	jevbrodkii.pif	217
PID 4576 set thread context of 3868	4576	jevbrodkii.pif	221
PID 2980 set thread context of 808	2980	jevbrodkii.pif	225
PID 5088 set thread context of 2908	5088	jevbrodkii.pif	233
PID 4204 set thread context of 1816	4204	jevbrodkii.pif	237
PID 4648 set thread context of 1608	4648	jevbrodkii.pif	241
PID 3464 set thread context of 3948	3464	jevbrodkii.pif	245
PID 404 set thread context of 4704	404	jevbrodkii.pif	249
PID 4772 set thread context of 2400	4772	jevbrodkii.pif	253
PID 2272 set thread context of 4548	2272	jevbrodkii.pif	257
PID 924 set thread context of 2980	924	jevbrodkii.pif	261
PID 4488 set thread context of 2512	4488	jevbrodkii.pif	265
PID 3868 set thread context of 5088	3868	jevbrodkii.pif	269
PID 4560 set thread context of 4148	4560	jevbrodkii.pif	273
PID 3932 set thread context of 1520	3932	jevbrodkii.pif	277
PID 3628 set thread context of 4508	3628	jevbrodkii.pif	281
PID 1536 set thread context of 2152	1536	jevbrodkii.pif	285
PID 1896 set thread context of 3512	1896	jevbrodkii.pif	289
PID 3948 set thread context of 2724	3948	jevbrodkii.pif	293
PID 4460 set thread context of 3144	4460	jevbrodkii.pif	297
PID 2492 set thread context of 4756	2492	jevbrodkii.pif	301
PID 8 set thread context of 3052	8	jevbrodkii.pif	305
PID 932 set thread context of 4628	932	jevbrodkii.pif	309
PID 4776 set thread context of 3396	4776	jevbrodkii.pif	313
PID 3800 set thread context of 1984	3800	jevbrodkii.pif	317

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\LAN Service\lansvc.exe	RegSvcs.exe
File created	C:\Program Files (x86)\LAN Service\lansvc.exe	RegSvcs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jevbrodkii.pif

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3760	schtasks.exe
3360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
1880	RegSvcs.exe
1880	RegSvcs.exe
1880	RegSvcs.exe
1880	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3252	RegSvcs.exe
3252	RegSvcs.exe
3252	RegSvcs.exe
3252	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
4592	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
2364	RegSvcs.exe
2364	RegSvcs.exe
2364	RegSvcs.exe
2364	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
2992	RegSvcs.exe
2992	RegSvcs.exe
2992	RegSvcs.exe
2992	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
4956	RegSvcs.exe
4956	RegSvcs.exe
4956	RegSvcs.exe
4956	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
4224	RegSvcs.exe
4224	RegSvcs.exe
4224	RegSvcs.exe
4224	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
1612	RegSvcs.exe
1612	RegSvcs.exe
1612	RegSvcs.exe
1612	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe
3756	RegSvcs.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3756	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	RegSvcs.exe
Token: SeDebugPrivilege	3756	RegSvcs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2548	1632	2025-03-29_f75dba012f1fb6995ba2bb64aa238672_black-basta_luca-stealer_metamorfo.exe	89
PID 1632 wrote to memory of 2548	1632	2025-03-29_f75dba012f1fb6995ba2bb64aa238672_black-basta_luca-stealer_metamorfo.exe	89
PID 1632 wrote to memory of 2548	1632	2025-03-29_f75dba012f1fb6995ba2bb64aa238672_black-basta_luca-stealer_metamorfo.exe	89
PID 4252 wrote to memory of 4076	4252	cmd.exe	99
PID 4252 wrote to memory of 4076	4252	cmd.exe	99
PID 4252 wrote to memory of 4076	4252	cmd.exe	99
PID 2548 wrote to memory of 3756	2548	jevbrodkii.pif	100
PID 2548 wrote to memory of 3756	2548	jevbrodkii.pif	100
PID 2548 wrote to memory of 3756	2548	jevbrodkii.pif	100
PID 2548 wrote to memory of 3756	2548	jevbrodkii.pif	100
PID 2548 wrote to memory of 3756	2548	jevbrodkii.pif	100
PID 800 wrote to memory of 4904	800	cmd.exe	104
PID 800 wrote to memory of 4904	800	cmd.exe	104
PID 800 wrote to memory of 4904	800	cmd.exe	104
PID 3756 wrote to memory of 3760	3756	RegSvcs.exe	106
PID 3756 wrote to memory of 3760	3756	RegSvcs.exe	106
PID 3756 wrote to memory of 3760	3756	RegSvcs.exe	106
PID 3756 wrote to memory of 3360	3756	RegSvcs.exe	109
PID 3756 wrote to memory of 3360	3756	RegSvcs.exe	109
PID 3756 wrote to memory of 3360	3756	RegSvcs.exe	109
PID 4076 wrote to memory of 1880	4076	jevbrodkii.pif	111
PID 4076 wrote to memory of 1880	4076	jevbrodkii.pif	111
PID 4076 wrote to memory of 1880	4076	jevbrodkii.pif	111
PID 4076 wrote to memory of 1880	4076	jevbrodkii.pif	111
PID 4076 wrote to memory of 1880	4076	jevbrodkii.pif	111
PID 3460 wrote to memory of 964	3460	cmd.exe	116
PID 3460 wrote to memory of 964	3460	cmd.exe	116
PID 3460 wrote to memory of 964	3460	cmd.exe	116
PID 4904 wrote to memory of 3252	4904	jevbrodkii.pif	117
PID 4904 wrote to memory of 3252	4904	jevbrodkii.pif	117
PID 4904 wrote to memory of 3252	4904	jevbrodkii.pif	117
PID 4904 wrote to memory of 3252	4904	jevbrodkii.pif	117
PID 4904 wrote to memory of 3252	4904	jevbrodkii.pif	117
PID 1796 wrote to memory of 4880	1796	cmd.exe	120
PID 1796 wrote to memory of 4880	1796	cmd.exe	120
PID 1796 wrote to memory of 4880	1796	cmd.exe	120
PID 964 wrote to memory of 4592	964	jevbrodkii.pif	121
PID 964 wrote to memory of 4592	964	jevbrodkii.pif	121
PID 964 wrote to memory of 4592	964	jevbrodkii.pif	121
PID 964 wrote to memory of 4592	964	jevbrodkii.pif	121
PID 964 wrote to memory of 4592	964	jevbrodkii.pif	121
PID 4520 wrote to memory of 1536	4520	cmd.exe	124
PID 4520 wrote to memory of 1536	4520	cmd.exe	124
PID 4520 wrote to memory of 1536	4520	cmd.exe	124
PID 4880 wrote to memory of 2364	4880	jevbrodkii.pif	125
PID 4880 wrote to memory of 2364	4880	jevbrodkii.pif	125
PID 4880 wrote to memory of 2364	4880	jevbrodkii.pif	125
PID 4880 wrote to memory of 2364	4880	jevbrodkii.pif	125
PID 4880 wrote to memory of 2364	4880	jevbrodkii.pif	125
PID 4488 wrote to memory of 1900	4488	cmd.exe	128
PID 4488 wrote to memory of 1900	4488	cmd.exe	128
PID 4488 wrote to memory of 1900	4488	cmd.exe	128
PID 1536 wrote to memory of 2992	1536	jevbrodkii.pif	129
PID 1536 wrote to memory of 2992	1536	jevbrodkii.pif	129
PID 1536 wrote to memory of 2992	1536	jevbrodkii.pif	129
PID 1536 wrote to memory of 2992	1536	jevbrodkii.pif	129
PID 1536 wrote to memory of 2992	1536	jevbrodkii.pif	129
PID 1044 wrote to memory of 3744	1044	cmd.exe	132
PID 1044 wrote to memory of 3744	1044	cmd.exe	132
PID 1044 wrote to memory of 3744	1044	cmd.exe	132
PID 1900 wrote to memory of 4956	1900	jevbrodkii.pif	133
PID 1900 wrote to memory of 4956	1900	jevbrodkii.pif	133
PID 1900 wrote to memory of 4956	1900	jevbrodkii.pif	133
PID 1900 wrote to memory of 4956	1900	jevbrodkii.pif	133

C:\Users\Admin\AppData\Local\Temp\2025-03-29_f75dba012f1fb6995ba2bb64aa238672_black-basta_luca-stealer_metamorfo.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-29_f75dba012f1fb6995ba2bb64aa238672_black-basta_luca-stealer_metamorfo.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  "C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif" nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3756
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAE41.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3760
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "LAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpAEDE.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
- Suspicious use of WriteProcessMemory
PID:800
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Program Files (x86)\LAN Service\lansvc.exe
1⤵
PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
- Suspicious use of WriteProcessMemory
PID:4488
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:4204
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:3760
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:3100
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3944
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:4672
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:4612
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:4916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:1776
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:4224
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:3404
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4888
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:4352
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:224
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:3764
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4172
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2468
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4228
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:3408
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:3972
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:428
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2548
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2400
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4596
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2252
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    PID:808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:1444
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:716
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2828
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4648
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:1632
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:3464
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2300
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:404
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:1888
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4772
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2848
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:1768
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:924
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:3748
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4488
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:4592
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3868
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2044
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:1936
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3932
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:716
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3628
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:3336
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:916
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:428
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:1908
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:3360
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:4840
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:8
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2588
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:932
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:2512
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:3028
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
1⤵
PID:4900
- C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif
  C:\Users\Admin\AppData\Local\Temp\81159274\JEVBRO~1.PIF C:\Users\Admin\AppData\Local\Temp\81159274\nghje.ebi
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
1KB

MD5
84e77a587d94307c0ac1357eb4d3d46f

SHA1
83cc900f9401f43d181207d64c5adba7a85edc1e

SHA256
e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99

SHA512
aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Download Submit
C:\Users\Admin\AppData\Local\Temp\81159274\hhtgxrd.pdf

Filesize
456KB

MD5
75e0188d4d7dd193101bcfb5d8bcb6c8

SHA1
797c9cca37b349788a6da142639f43caabba6930

SHA256
20581e403d3854321633aea43dfd9a8c11415c001ea5efb6f68b035ab703b583

SHA512
6a971254f7b06d08b51465df7d6b50ac480babc03197a970389467980d16049aa3e2a85b7a86711b249e2184cc716c7469aa6d72e55dcff22d392a2b0b561a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\81159274\jevbrodkii.pif

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Filesize
44KB

MD5
9d352bc46709f0cb5ec974633a0c3c94

SHA1
1969771b2f022f9a86d77ac4d4d239becdf08d07

SHA256
2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

SHA512
13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE41.tmp

Filesize
1KB

MD5
95aceabc58acad5d73372b0966ee1b35

SHA1
2293b7ad4793cf574b1a5220e85f329b5601040a

SHA256
8d9642e1c3cd1e0b5d1763de2fb5e605ba593e5a918b93eec15acbc5dcc48fd4

SHA512
00760dfc9d8caf357f0cee5336e5448a4cca18e32cc63e1a69c16e34fe00ea29acd5b2cf278e86c6f9c3e66a1b176d27ed927361848212e6bf1fade7d3d06e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAEDE.tmp

Filesize
1KB

MD5
10fabfd2c6060c2db1bd6c6f3070be16

SHA1
65f418ad9715165a57efb4da44717dfcdfb71097

SHA256
1dd3aba494ff6ac9cd0437cbdeac0b0da0dea26828f45acded7d40f1b3461270

SHA512
9b21ce066c75fe9d4b12d8770920c51f5dcd0ba986b453fec93643f08d656b13e8d618d712414ca4dfda3f0cfad7371b3c2ad2d5620909e0ce43f1352d8a4485

Download Submit
memory/632-207-0x0000000001300000-0x0000000002300000-memory.dmp

Filesize
16.0MB

Download
memory/632-209-0x0000000001300000-0x0000000001338000-memory.dmp

Filesize
224KB

Download
memory/808-273-0x00000000011C0000-0x00000000011F8000-memory.dmp

Filesize
224KB

Download
memory/808-239-0x00000000005B0000-0x00000000015B0000-memory.dmp

Filesize
16.0MB

Download
memory/808-241-0x00000000005B0000-0x00000000005E8000-memory.dmp

Filesize
224KB

Download
memory/808-271-0x00000000011C0000-0x00000000021C0000-memory.dmp

Filesize
16.0MB

Download
memory/1160-221-0x0000000000F80000-0x0000000000FB8000-memory.dmp

Filesize
224KB

Download
memory/1160-274-0x0000000001350000-0x0000000001388000-memory.dmp

Filesize
224KB

Download
memory/1160-219-0x0000000000F80000-0x0000000001F80000-memory.dmp

Filesize
16.0MB

Download
memory/1528-257-0x0000000000D00000-0x0000000001D00000-memory.dmp

Filesize
16.0MB

Download
memory/1528-259-0x0000000000D00000-0x0000000000D38000-memory.dmp

Filesize
224KB

Download
memory/1608-278-0x0000000000A00000-0x0000000001A00000-memory.dmp

Filesize
16.0MB

Download
memory/1608-279-0x0000000000A00000-0x0000000000A38000-memory.dmp

Filesize
224KB

Download
memory/1612-199-0x0000000000F00000-0x0000000001F00000-memory.dmp

Filesize
16.0MB

Download
memory/1612-201-0x0000000000F00000-0x0000000000F38000-memory.dmp

Filesize
224KB

Download
memory/1632-227-0x0000000000700000-0x0000000001700000-memory.dmp

Filesize
16.0MB

Download
memory/1632-229-0x0000000000700000-0x0000000000738000-memory.dmp

Filesize
224KB

Download
memory/1816-277-0x0000000000C10000-0x0000000000C48000-memory.dmp

Filesize
224KB

Download
memory/1816-276-0x0000000000C10000-0x0000000001C10000-memory.dmp

Filesize
16.0MB

Download
memory/1880-169-0x00000000011A0000-0x00000000021A0000-memory.dmp

Filesize
16.0MB

Download
memory/1880-171-0x00000000011A0000-0x00000000011D8000-memory.dmp

Filesize
224KB

Download
memory/2152-296-0x0000000000600000-0x0000000001600000-memory.dmp

Filesize
16.0MB

Download
memory/2152-297-0x0000000000600000-0x0000000000638000-memory.dmp

Filesize
224KB

Download
memory/2364-185-0x00000000005A0000-0x00000000005D8000-memory.dmp

Filesize
224KB

Download
memory/2364-183-0x00000000005A0000-0x00000000015A0000-memory.dmp

Filesize
16.0MB

Download
memory/2400-283-0x00000000011B0000-0x00000000021B0000-memory.dmp

Filesize
16.0MB

Download
memory/2400-284-0x00000000011B0000-0x00000000011E8000-memory.dmp

Filesize
224KB

Download
memory/2512-288-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2512-289-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2512-217-0x0000000000500000-0x0000000000538000-memory.dmp

Filesize
224KB

Download
memory/2512-215-0x0000000000500000-0x0000000001500000-memory.dmp

Filesize
16.0MB

Download
memory/2644-237-0x0000000000900000-0x0000000000938000-memory.dmp

Filesize
224KB

Download
memory/2644-235-0x0000000000900000-0x0000000001900000-memory.dmp

Filesize
16.0MB

Download
memory/2992-189-0x0000000000760000-0x0000000000798000-memory.dmp

Filesize
224KB

Download
memory/2992-187-0x0000000000760000-0x0000000001760000-memory.dmp

Filesize
16.0MB

Download
memory/3052-303-0x0000000000C00000-0x0000000001C00000-memory.dmp

Filesize
16.0MB

Download
memory/3052-304-0x0000000000C00000-0x0000000000C38000-memory.dmp

Filesize
224KB

Download
memory/3252-173-0x0000000001100000-0x0000000002100000-memory.dmp

Filesize
16.0MB

Download
memory/3252-175-0x0000000001100000-0x0000000001138000-memory.dmp

Filesize
224KB

Download
memory/3396-307-0x0000000000910000-0x0000000000948000-memory.dmp

Filesize
224KB

Download
memory/3396-306-0x0000000000910000-0x0000000001910000-memory.dmp

Filesize
16.0MB

Download
memory/3512-298-0x0000000000520000-0x0000000001520000-memory.dmp

Filesize
16.0MB

Download
memory/3512-299-0x0000000000520000-0x0000000000558000-memory.dmp

Filesize
224KB

Download
memory/3756-154-0x000000000EDF0000-0x000000000F394000-memory.dmp

Filesize
5.6MB

Download
memory/3756-157-0x000000000E9D0000-0x000000000E9DA000-memory.dmp

Filesize
40KB

Download
memory/3756-153-0x0000000000BB0000-0x0000000000BE8000-memory.dmp

Filesize
224KB

Download
memory/3756-150-0x0000000000BB0000-0x0000000001BB0000-memory.dmp

Filesize
16.0MB

Download
memory/3756-155-0x000000000E920000-0x000000000E9B2000-memory.dmp

Filesize
584KB

Download
memory/3756-156-0x000000000EA60000-0x000000000EAFC000-memory.dmp

Filesize
624KB

Download
memory/3756-168-0x000000000FA10000-0x000000000FA1A000-memory.dmp

Filesize
40KB

Download
memory/3756-167-0x000000000F9E0000-0x000000000F9FE000-memory.dmp

Filesize
120KB

Download
memory/3756-166-0x000000000EA50000-0x000000000EA5A000-memory.dmp

Filesize
40KB

Download
memory/3864-225-0x0000000001000000-0x0000000001038000-memory.dmp

Filesize
224KB

Download
memory/3864-223-0x0000000001000000-0x0000000002000000-memory.dmp

Filesize
16.0MB

Download
memory/3948-281-0x0000000000B50000-0x0000000000B88000-memory.dmp

Filesize
224KB

Download
memory/3948-280-0x0000000000B50000-0x0000000001B50000-memory.dmp

Filesize
16.0MB

Download
memory/4148-291-0x0000000001360000-0x0000000002360000-memory.dmp

Filesize
16.0MB

Download
memory/4148-292-0x0000000001360000-0x0000000001398000-memory.dmp

Filesize
224KB

Download
memory/4212-266-0x0000000000B60000-0x0000000000B98000-memory.dmp

Filesize
224KB

Download
memory/4212-264-0x0000000000B60000-0x0000000001B60000-memory.dmp

Filesize
16.0MB

Download
memory/4224-197-0x0000000000B90000-0x0000000000BC8000-memory.dmp

Filesize
224KB

Download
memory/4224-195-0x0000000000B90000-0x0000000001B90000-memory.dmp

Filesize
16.0MB

Download
memory/4288-203-0x00000000013A0000-0x00000000023A0000-memory.dmp

Filesize
16.0MB

Download
memory/4288-205-0x00000000013A0000-0x00000000013D8000-memory.dmp

Filesize
224KB

Download
memory/4508-295-0x0000000000590000-0x00000000005C8000-memory.dmp

Filesize
224KB

Download
memory/4508-294-0x0000000000590000-0x0000000001590000-memory.dmp

Filesize
16.0MB

Download
memory/4548-285-0x0000000000D90000-0x0000000001D90000-memory.dmp

Filesize
16.0MB

Download
memory/4548-286-0x0000000000D90000-0x0000000000DC8000-memory.dmp

Filesize
224KB

Download
memory/4592-181-0x0000000001200000-0x0000000001238000-memory.dmp

Filesize
224KB

Download
memory/4592-178-0x0000000001200000-0x0000000002200000-memory.dmp

Filesize
16.0MB

Download
memory/4880-248-0x0000000000D70000-0x0000000000DA8000-memory.dmp

Filesize
224KB

Download
memory/4880-246-0x0000000000D70000-0x0000000001D70000-memory.dmp

Filesize
16.0MB

Download
memory/4916-211-0x0000000000B00000-0x0000000001B00000-memory.dmp

Filesize
16.0MB

Download
memory/4916-213-0x0000000000B00000-0x0000000000B38000-memory.dmp

Filesize
224KB

Download
memory/4956-193-0x0000000000D40000-0x0000000000D78000-memory.dmp

Filesize
224KB

Download
memory/4956-191-0x0000000000D40000-0x0000000001D40000-memory.dmp

Filesize
16.0MB

Download
memory/4964-233-0x0000000001140000-0x0000000001178000-memory.dmp

Filesize
224KB

Download
memory/4964-231-0x0000000001140000-0x0000000002140000-memory.dmp

Filesize
16.0MB

Download
memory/4976-250-0x0000000000D20000-0x0000000001D20000-memory.dmp

Filesize
16.0MB

Download
memory/4976-252-0x0000000000D20000-0x0000000000D58000-memory.dmp

Filesize
224KB

Download