blackshades | 40cb1b01ed8134da3166a01c07b100437ef4c0bd2ed5eb92c20d378866e56083

Analysis

max time kernel
149s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2025, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Size

155KB
MD5

a2c07185289b5a561f3461b921a488ab
SHA1

525df52cb136c6157f0d5a03401b2f0f663530a1
SHA256

40cb1b01ed8134da3166a01c07b100437ef4c0bd2ed5eb92c20d378866e56083
SHA512

541cf4ac7cfeaf2c2fbea09e0fbde401bc975dc3e523696a5556fb053d881941597a12663c37e0d4018e8c680640f14899013cc54a2a0b733d7b1ca0f2874db6
SSDEEP

3072:X3+OaukQv5C48A/6l+fRGkgacVK33hCJV6opNKjutbo:+sE0/4wZKKap4yu

Score

10^/10

blackshades defense_evasion discovery persistence rat upx

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 49 IoCs

resource	yara_rule
behavioral1/memory/1476-7-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1476-15-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1476-16-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/380-45-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/704-49-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1476-50-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1476-53-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2804-69-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/32-79-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3036-108-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3344-110-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/216-130-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2612-142-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2888-160-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/224-172-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/4964-199-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/4752-202-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1636-234-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/4768-235-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/4688-262-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1984-265-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1028-295-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3708-298-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2776-317-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2716-329-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1020-356-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/736-359-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2760-390-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1400-393-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2204-420-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/4516-423-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1704-453-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3492-452-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1216-474-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1092-486-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2348-510-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1308-515-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2008-538-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/4880-541-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2232-568-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/3832-571-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2124-594-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2276-597-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/4460-622-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/2748-623-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/4556-649-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1672-652-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/4864-676-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades
behavioral1/memory/1532-678-0x0000000000400000-0x000000000045D000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\xdiag.exe = "C:\\Users\\Admin\\AppData\\Roaming\\xdiag.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\xdiag.exe"	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF7B5CFC-F3A0-FB81-D8D5-86289EEE640E}	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF7B5CFC-F3A0-FB81-D8D5-86289EEE640E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\xdiag.exe"	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{BF7B5CFC-F3A0-FB81-D8D5-86289EEE640E}	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{BF7B5CFC-F3A0-FB81-D8D5-86289EEE640E}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\xdiag.exe"	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe

Executes dropped EXE 64 IoCs

pid	Process
852	xdiag.exe
3796	xdiag.exe
380	xdiag.exe
704	xdiag.exe
4448	xdiag.exe
4072	xdiag.exe
2804	xdiag.exe
32	xdiag.exe
3728	xdiag.exe
2824	xdiag.exe
3344	xdiag.exe
3036	xdiag.exe
3796	xdiag.exe
468	xdiag.exe
216	xdiag.exe
2612	xdiag.exe
4396	xdiag.exe
4708	xdiag.exe
2888	xdiag.exe
224	xdiag.exe
2472	xdiag.exe
2380	xdiag.exe
4752	xdiag.exe
4964	xdiag.exe
3148	xdiag.exe
4880	xdiag.exe
1636	xdiag.exe
4768	xdiag.exe
5040	xdiag.exe
1944	xdiag.exe
4688	xdiag.exe
1984	xdiag.exe
116	xdiag.exe
4192	xdiag.exe
1028	xdiag.exe
3708	xdiag.exe
1988	xdiag.exe
620	xdiag.exe
2776	xdiag.exe
2716	xdiag.exe
4008	xdiag.exe
1764	xdiag.exe
736	xdiag.exe
1020	xdiag.exe
532	xdiag.exe
3552	xdiag.exe
2760	xdiag.exe
1400	xdiag.exe
4372	xdiag.exe
4636	xdiag.exe
2204	xdiag.exe
4516	xdiag.exe
1812	xdiag.exe
2996	xdiag.exe
1704	xdiag.exe
3492	xdiag.exe
4908	xdiag.exe
5088	xdiag.exe
1216	xdiag.exe
1092	xdiag.exe
968	xdiag.exe
2100	xdiag.exe
2348	xdiag.exe
1308	xdiag.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\xdiag.exe"	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\xdiag.exe"	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 1476	5052	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	90
PID 852 set thread context of 380	852	xdiag.exe	111
PID 3796 set thread context of 704	3796	xdiag.exe	112
PID 4448 set thread context of 2804	4448	xdiag.exe	121
PID 4072 set thread context of 32	4072	xdiag.exe	122
PID 2824 set thread context of 3344	2824	xdiag.exe	131
PID 3728 set thread context of 3036	3728	xdiag.exe	132
PID 3796 set thread context of 216	3796	xdiag.exe	140
PID 468 set thread context of 2612	468	xdiag.exe	141
PID 4708 set thread context of 2888	4708	xdiag.exe	148
PID 4396 set thread context of 224	4396	xdiag.exe	149
PID 2380 set thread context of 4752	2380	xdiag.exe	156
PID 2472 set thread context of 4964	2472	xdiag.exe	157
PID 3148 set thread context of 1636	3148	xdiag.exe	164
PID 4880 set thread context of 4768	4880	xdiag.exe	165
PID 1944 set thread context of 4688	1944	xdiag.exe	172
PID 5040 set thread context of 1984	5040	xdiag.exe	173
PID 4192 set thread context of 1028	4192	xdiag.exe	181
PID 116 set thread context of 3708	116	xdiag.exe	182
PID 1988 set thread context of 2776	1988	xdiag.exe	189
PID 620 set thread context of 2716	620	xdiag.exe	190
PID 1764 set thread context of 736	1764	xdiag.exe	200
PID 4008 set thread context of 1020	4008	xdiag.exe	199
PID 532 set thread context of 2760	532	xdiag.exe	209
PID 3552 set thread context of 1400	3552	xdiag.exe	210
PID 4372 set thread context of 2204	4372	xdiag.exe	222
PID 4636 set thread context of 4516	4636	xdiag.exe	223
PID 2996 set thread context of 1704	2996	xdiag.exe	231
PID 1812 set thread context of 3492	1812	xdiag.exe	230
PID 4908 set thread context of 1216	4908	xdiag.exe	238
PID 5088 set thread context of 1092	5088	xdiag.exe	239
PID 2100 set thread context of 2348	2100	xdiag.exe	246
PID 968 set thread context of 1308	968	xdiag.exe	247
PID 5080 set thread context of 2008	5080	xdiag.exe	254
PID 948 set thread context of 4880	948	xdiag.exe	255
PID 3492 set thread context of 2232	3492	xdiag.exe	262
PID 1820 set thread context of 3832	1820	xdiag.exe	263
PID 1628 set thread context of 2124	1628	xdiag.exe	270
PID 2584 set thread context of 2276	2584	xdiag.exe	271
PID 2000 set thread context of 4460	2000	xdiag.exe	278
PID 5068 set thread context of 2748	5068	xdiag.exe	279
PID 1200 set thread context of 4556	1200	xdiag.exe	286
PID 2596 set thread context of 1672	2596	xdiag.exe	287
PID 2088 set thread context of 1532	2088	xdiag.exe	295
PID 3208 set thread context of 4864	3208	xdiag.exe	296
PID 3976 set thread context of 1644	3976	xdiag.exe	303
PID 3452 set thread context of 3744	3452	xdiag.exe	304
PID 968 set thread context of 4460	968	xdiag.exe	311
PID 3060 set thread context of 2748	3060	xdiag.exe	312
PID 2592 set thread context of 2844	2592	xdiag.exe	319
PID 1200 set thread context of 4648	1200	xdiag.exe	320
PID 2512 set thread context of 3472	2512	xdiag.exe	327
PID 2160 set thread context of 3536	2160	xdiag.exe	328
PID 912 set thread context of 5084	912	xdiag.exe	335
PID 1416 set thread context of 1452	1416	xdiag.exe	336
PID 1364 set thread context of 2352	1364	xdiag.exe	343
PID 1096 set thread context of 5048	1096	xdiag.exe	344
PID 5000 set thread context of 4040	5000	xdiag.exe	352
PID 1728 set thread context of 3696	1728	xdiag.exe	351
PID 3320 set thread context of 4708	3320	xdiag.exe	359
PID 3796 set thread context of 4908	3796	xdiag.exe	360
PID 3184 set thread context of 884	3184	xdiag.exe	367
PID 5100 set thread context of 4496	5100	xdiag.exe	368
PID 1944 set thread context of 2316	1944	xdiag.exe	375

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5052-0-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1476-3-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1476-7-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1476-5-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/5052-11-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1476-15-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1476-16-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/files/0x000e000000023f6a-18.dat	upx
behavioral1/memory/3796-22-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/852-32-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3796-46-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/380-45-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/704-49-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1476-50-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1476-53-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4448-64-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2804-69-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4072-74-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/32-79-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2824-93-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3728-102-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3036-108-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3344-110-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3796-125-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/216-130-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/468-136-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2612-142-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4708-155-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2888-160-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4396-166-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/224-172-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/2472-189-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2380-191-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/4964-199-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4752-202-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4880-221-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3148-224-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1636-234-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4768-235-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1944-248-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/5040-255-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/4688-262-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1984-265-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/116-286-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/4192-284-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1028-295-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/3708-298-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1988-314-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2776-317-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/620-323-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2716-329-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1764-343-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/4008-349-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/1020-356-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/736-359-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/532-361-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/532-376-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/3552-384-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2760-390-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1400-393-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4372-406-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/4636-417-0x0000000000400000-0x000000000043E000-memory.dmp	upx
behavioral1/memory/2204-420-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/4516-423-0x0000000000400000-0x000000000045D000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdiag.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4280	reg.exe
3756	reg.exe
2792	reg.exe
5104	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeCreateTokenPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeAssignPrimaryTokenPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeLockMemoryPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeIncreaseQuotaPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeMachineAccountPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeTcbPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeSecurityPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeTakeOwnershipPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeLoadDriverPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeSystemProfilePrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeSystemtimePrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeProfSingleProcessPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeIncBasePriorityPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeCreatePagefilePrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeCreatePermanentPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeBackupPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeRestorePrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeShutdownPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeDebugPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeAuditPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeSystemEnvironmentPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeChangeNotifyPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeRemoteShutdownPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeUndockPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeSyncAgentPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeEnableDelegationPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeManageVolumePrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeImpersonatePrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeCreateGlobalPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: 31	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: 32	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: 33	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: 34	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: 35	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
Token: SeDebugPrivilege	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5052	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
852	xdiag.exe
3796	xdiag.exe
380	xdiag.exe
380	xdiag.exe
704	xdiag.exe
704	xdiag.exe
4448	xdiag.exe
4072	xdiag.exe
2804	xdiag.exe
2804	xdiag.exe
32	xdiag.exe
32	xdiag.exe
2824	xdiag.exe
3728	xdiag.exe
3344	xdiag.exe
3344	xdiag.exe
3036	xdiag.exe
3036	xdiag.exe
468	xdiag.exe
3796	xdiag.exe
216	xdiag.exe
216	xdiag.exe
2612	xdiag.exe
2612	xdiag.exe
4396	xdiag.exe
4708	xdiag.exe
2888	xdiag.exe
2888	xdiag.exe
224	xdiag.exe
224	xdiag.exe
2380	xdiag.exe
2472	xdiag.exe
4964	xdiag.exe
4964	xdiag.exe
4752	xdiag.exe
4752	xdiag.exe
4880	xdiag.exe
3148	xdiag.exe
4768	xdiag.exe
1636	xdiag.exe
4768	xdiag.exe
1636	xdiag.exe
1944	xdiag.exe
5040	xdiag.exe
4688	xdiag.exe
4688	xdiag.exe
1984	xdiag.exe
1984	xdiag.exe
116	xdiag.exe
4192	xdiag.exe
1028	xdiag.exe
1028	xdiag.exe
3708	xdiag.exe
3708	xdiag.exe
1988	xdiag.exe
620	xdiag.exe
2776	xdiag.exe
2776	xdiag.exe
2716	xdiag.exe
2716	xdiag.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1476	5052	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	90
PID 5052 wrote to memory of 1476	5052	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	90
PID 5052 wrote to memory of 1476	5052	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	90
PID 5052 wrote to memory of 1476	5052	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	90
PID 5052 wrote to memory of 1476	5052	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	90
PID 5052 wrote to memory of 1476	5052	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	90
PID 5052 wrote to memory of 1476	5052	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	90
PID 5052 wrote to memory of 1476	5052	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	90
PID 1476 wrote to memory of 1948	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	91
PID 1476 wrote to memory of 1948	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	91
PID 1476 wrote to memory of 1948	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	91
PID 1476 wrote to memory of 2692	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	92
PID 1476 wrote to memory of 2692	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	92
PID 1476 wrote to memory of 2692	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	92
PID 1476 wrote to memory of 2848	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	93
PID 1476 wrote to memory of 2848	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	93
PID 1476 wrote to memory of 2848	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	93
PID 1476 wrote to memory of 2420	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	94
PID 1476 wrote to memory of 2420	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	94
PID 1476 wrote to memory of 2420	1476	JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe	94
PID 1948 wrote to memory of 4280	1948	cmd.exe	105
PID 1948 wrote to memory of 4280	1948	cmd.exe	105
PID 1948 wrote to memory of 4280	1948	cmd.exe	105
PID 2420 wrote to memory of 2792	2420	cmd.exe	106
PID 2420 wrote to memory of 2792	2420	cmd.exe	106
PID 2420 wrote to memory of 2792	2420	cmd.exe	106
PID 2848 wrote to memory of 3756	2848	cmd.exe	107
PID 2848 wrote to memory of 3756	2848	cmd.exe	107
PID 2848 wrote to memory of 3756	2848	cmd.exe	107
PID 2692 wrote to memory of 5104	2692	cmd.exe	108
PID 2692 wrote to memory of 5104	2692	cmd.exe	108
PID 2692 wrote to memory of 5104	2692	cmd.exe	108
PID 4792 wrote to memory of 852	4792	cmd.exe	109
PID 4792 wrote to memory of 852	4792	cmd.exe	109
PID 4792 wrote to memory of 852	4792	cmd.exe	109
PID 216 wrote to memory of 3796	216	cmd.exe	110
PID 216 wrote to memory of 3796	216	cmd.exe	110
PID 216 wrote to memory of 3796	216	cmd.exe	110
PID 852 wrote to memory of 380	852	xdiag.exe	111
PID 852 wrote to memory of 380	852	xdiag.exe	111
PID 852 wrote to memory of 380	852	xdiag.exe	111
PID 3796 wrote to memory of 704	3796	xdiag.exe	112
PID 3796 wrote to memory of 704	3796	xdiag.exe	112
PID 3796 wrote to memory of 704	3796	xdiag.exe	112
PID 852 wrote to memory of 380	852	xdiag.exe	111
PID 3796 wrote to memory of 704	3796	xdiag.exe	112
PID 852 wrote to memory of 380	852	xdiag.exe	111
PID 3796 wrote to memory of 704	3796	xdiag.exe	112
PID 852 wrote to memory of 380	852	xdiag.exe	111
PID 3796 wrote to memory of 704	3796	xdiag.exe	112
PID 852 wrote to memory of 380	852	xdiag.exe	111
PID 3796 wrote to memory of 704	3796	xdiag.exe	112
PID 852 wrote to memory of 380	852	xdiag.exe	111
PID 3796 wrote to memory of 704	3796	xdiag.exe	112
PID 2128 wrote to memory of 4448	2128	cmd.exe	119
PID 2128 wrote to memory of 4448	2128	cmd.exe	119
PID 2128 wrote to memory of 4448	2128	cmd.exe	119
PID 3488 wrote to memory of 4072	3488	cmd.exe	120
PID 3488 wrote to memory of 4072	3488	cmd.exe	120
PID 3488 wrote to memory of 4072	3488	cmd.exe	120
PID 4448 wrote to memory of 2804	4448	xdiag.exe	121
PID 4448 wrote to memory of 2804	4448	xdiag.exe	121
PID 4448 wrote to memory of 2804	4448	xdiag.exe	121
PID 4448 wrote to memory of 2804	4448	xdiag.exe	121

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe"
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2c07185289b5a561f3461b921a488ab.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:5104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\xdiag.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\xdiag.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\xdiag.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\xdiag.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:4072
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:32

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2456
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2824
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:916
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:3728
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1392
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:468
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2140
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:3796
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4060
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:4708
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1900
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4396
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2264
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:2472
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4444
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:2380
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3792
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:3148
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1936
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4880
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1396
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5040
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2928
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:1944
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3044
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4192
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1556
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:116
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4332
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:1988
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4656
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:620
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2036
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4008
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    PID:1020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1392
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1764
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4188
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:532
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1672
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3552
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:548
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4372
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3428
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:4636
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3536
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2996
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2260
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1812
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4724
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5088
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    PID:1092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4584
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4908
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1756
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:968
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:372
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2100
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - Executes dropped EXE
    PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:596
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:948
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2192
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5080
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2512
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3492
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2136
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1820
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3976
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2584
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2792
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1628
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1392
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5068
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:5076
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2000
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1424
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1200
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2028
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2596
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1372
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3208
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3184
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2088
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3868
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3976
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1436
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3452
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3388
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:968
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2200
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3060
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4388
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1200
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4804
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2592
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:2844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4808
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:2160
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2924
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2512
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2608
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:912
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2488
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1416
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4584
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1096
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3764
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1364
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2396
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:5000
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2952
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1728
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2736
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3796
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:720
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:3320
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1704
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3184
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:636
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5100
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3660
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:4948
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3264
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - Suspicious use of SetThreadContext
  PID:1944
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2792
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5048
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:3644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3764
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:2424
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1272
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4980
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:1916
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:436
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:4036
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3096
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3384
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4124
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:1248
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2924
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:1080
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2400
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3216
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2764
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1532
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2424
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1436
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:2432
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:2792
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3428
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:3208
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:756
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:4652
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:4704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:436
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:2956
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4224
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:4152
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4808
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:2276
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3352
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:3660
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:4072
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:3516
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:3248
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:1624
- - C:\Users\Admin\AppData\Roaming\xdiag.exe
    "C:\Users\Admin\AppData\Roaming\xdiag.exe"
    3⤵
    PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1616
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\xdiag.exe
1⤵
PID:1420
- C:\Users\Admin\AppData\Roaming\xdiag.exe
  C:\Users\Admin\AppData\Roaming\xdiag.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4540

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\xdiag.exe

Filesize
155KB

MD5
a2c07185289b5a561f3461b921a488ab

SHA1
525df52cb136c6157f0d5a03401b2f0f663530a1

SHA256
40cb1b01ed8134da3166a01c07b100437ef4c0bd2ed5eb92c20d378866e56083

SHA512
541cf4ac7cfeaf2c2fbea09e0fbde401bc975dc3e523696a5556fb053d881941597a12663c37e0d4018e8c680640f14899013cc54a2a0b733d7b1ca0f2874db6

Download Submit
memory/32-79-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/116-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/216-130-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/224-172-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/380-45-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/468-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/532-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/620-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/704-49-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/736-359-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/852-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/948-534-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/968-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1020-356-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1028-295-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1092-486-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1200-636-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1216-474-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1308-515-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1400-393-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1476-7-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1476-53-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1476-3-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1476-5-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1476-50-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1476-16-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1476-15-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1532-678-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1628-583-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-234-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1672-652-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1704-453-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1764-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1812-439-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-558-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1944-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-265-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1988-314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2000-609-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2008-538-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2088-666-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2100-498-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-594-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2204-420-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2232-568-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2276-597-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2348-510-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2380-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2472-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-587-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2596-643-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-142-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2716-329-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2748-623-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2760-390-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2776-317-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2804-69-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2824-93-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-160-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2996-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3036-108-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3148-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3208-665-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3344-110-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3452-691-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3492-452-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3492-560-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3552-384-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-298-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3728-102-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3796-22-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3796-46-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3796-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3832-571-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4008-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-74-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4192-284-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-166-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-622-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4516-423-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4556-649-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4636-417-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4688-262-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4708-155-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-202-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4768-235-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4864-676-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4880-221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4880-541-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4908-469-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4964-199-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/5040-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5052-11-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5052-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5068-611-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5080-524-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5088-479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads