xtremerat | 6d9c56da19bbd740c69ef0f36517e0b398fbee1bd5bab0d1e5e87c7bfea76225

Analysis

max time kernel
148s
max time network
127s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Size

1.5MB
MD5

ffbab9517e714bc602e6bfcea36b5c19
SHA1

eaf51aa3339794074b1ae032a8e7dbcf2b3c20a8
SHA256

6d9c56da19bbd740c69ef0f36517e0b398fbee1bd5bab0d1e5e87c7bfea76225
SHA512

8af37d66ba78e940a30580f64bedd2baccafaddb09ce9c5a3cb3e63b1a8e259c1857ced7f530f677f8dbe8283bea458adede91edc7c239ecc51a2ca166436095
SSDEEP

24576:lP2PU8hQzGNtWtR440slkQ6sgm7M+unMpbFbU67BzJi20+/emgeNfaPqcqbXJitR:Rq1NIR4fOtf7zpb9Ji20+NGqQDuEpIK

Score

10^/10

xtremerat discovery persistence rat spyware upx

Malware Config

Signatures

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat
Xtremerat family
xtremerat

Adds policy Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Pidgin Utilities = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	pidginutily.exe

Deletes itself 1 IoCs

pid	Process
2824	explorer.exe

Executes dropped EXE 20 IoCs

pid	Process
1284	pidginutily.exe
2372	pidginutily.exe
1756	pidginutily.exe
2556	pidginutily.exe
2008	pidginutily.exe
1536	pidginutily.exe
1592	pidginutily.exe
2796	pidginutily.exe
2856	pidginutily.exe
2768	pidginutily.exe
2476	pidginutily.exe
1872	pidginutily.exe
1940	pidginutily.exe
2944	pidginutily.exe
2808	pidginutily.exe
2856	pidginutily.exe
2520	pidginutily.exe
696	pidginutily.exe
2492	pidginutily.exe
2380	pidginutily.exe

Loads dropped DLL 11 IoCs

pid	Process
1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
2956	svchost.exe
2956	svchost.exe
2956	svchost.exe
2956	svchost.exe
2956	svchost.exe
2956	svchost.exe
2956	svchost.exe
2956	svchost.exe
2956	svchost.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Pidgin Utility = "C:\\Users\\Admin\\AppData\\Roaming\\Pidgin Utility\\pidginutily.exe"	pidginutily.exe

Suspicious use of SetThreadContext 12 IoCs

description	pid	Process	procid_target
PID 1956 set thread context of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 2372 set thread context of 1756	2372	pidginutily.exe	70
PID 1284 set thread context of 2556	1284	pidginutily.exe	71
PID 2556 set thread context of 2552	2556	pidginutily.exe	73
PID 2008 set thread context of 1536	2008	pidginutily.exe	75
PID 1592 set thread context of 2796	1592	pidginutily.exe	103
PID 2856 set thread context of 2768	2856	pidginutily.exe	125
PID 2476 set thread context of 1872	2476	pidginutily.exe	159
PID 1940 set thread context of 2944	1940	pidginutily.exe	189
PID 2808 set thread context of 2856	2808	pidginutily.exe	219
PID 2520 set thread context of 696	2520	pidginutily.exe	241
PID 2492 set thread context of 2380	2492	pidginutily.exe	271

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1956-0-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/1956-2-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/1956-21-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/files/0x0008000000016c66-37.dat	upx
behavioral1/memory/1284-54-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2372-58-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2372-103-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/1284-104-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/1284-63-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2372-64-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2008-131-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2008-152-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/1592-160-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/1592-181-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2856-189-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2856-210-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2476-219-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2476-238-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/1940-249-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/1940-270-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2808-278-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2808-299-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2520-308-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2520-329-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2492-338-0x0000000000400000-0x00000000007C1000-memory.dmp	upx
behavioral1/memory/2492-361-0x0000000000400000-0x00000000007C1000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pidginutily.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2552	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1956 wrote to memory of 1908	1956	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2956	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	32
PID 1908 wrote to memory of 2956	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	32
PID 1908 wrote to memory of 2956	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	32
PID 1908 wrote to memory of 2956	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	32
PID 1908 wrote to memory of 2956	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	32
PID 1908 wrote to memory of 2848	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	33
PID 1908 wrote to memory of 2848	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	33
PID 1908 wrote to memory of 2848	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	33
PID 1908 wrote to memory of 2848	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	33
PID 1908 wrote to memory of 2840	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	34
PID 1908 wrote to memory of 2840	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	34
PID 1908 wrote to memory of 2840	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	34
PID 1908 wrote to memory of 2840	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	34
PID 1908 wrote to memory of 2824	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	35
PID 1908 wrote to memory of 2824	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	35
PID 1908 wrote to memory of 2824	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	35
PID 1908 wrote to memory of 2824	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	35
PID 1908 wrote to memory of 2824	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	35
PID 1908 wrote to memory of 3044	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	36
PID 1908 wrote to memory of 3044	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	36
PID 1908 wrote to memory of 3044	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	36
PID 1908 wrote to memory of 3044	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	36
PID 1908 wrote to memory of 3020	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	37
PID 1908 wrote to memory of 3020	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	37
PID 1908 wrote to memory of 3020	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	37
PID 1908 wrote to memory of 3020	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	37
PID 1908 wrote to memory of 2716	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	38
PID 1908 wrote to memory of 2716	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	38
PID 1908 wrote to memory of 2716	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	38
PID 1908 wrote to memory of 2716	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	38
PID 1908 wrote to memory of 2920	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	39
PID 1908 wrote to memory of 2920	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	39
PID 1908 wrote to memory of 2920	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	39
PID 1908 wrote to memory of 2920	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	39
PID 1908 wrote to memory of 2828	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	40
PID 1908 wrote to memory of 2828	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	40
PID 1908 wrote to memory of 2828	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	40
PID 1908 wrote to memory of 2828	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	40
PID 1908 wrote to memory of 2740	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	41
PID 1908 wrote to memory of 2740	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	41
PID 1908 wrote to memory of 2740	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	41
PID 1908 wrote to memory of 2740	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	41
PID 1908 wrote to memory of 2968	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	42
PID 1908 wrote to memory of 2968	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	42
PID 1908 wrote to memory of 2968	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	42
PID 1908 wrote to memory of 2968	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	42
PID 1908 wrote to memory of 1784	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	43
PID 1908 wrote to memory of 1784	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	43
PID 1908 wrote to memory of 1784	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	43
PID 1908 wrote to memory of 1784	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	43
PID 1908 wrote to memory of 2864	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	44
PID 1908 wrote to memory of 2864	1908	ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe	44

C:\Users\Admin\AppData\Local\Temp\ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ffbab9517e714bc602e6bfcea36b5c19_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Adds policy Run key to start application
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2956
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2372
    - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
        
        "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1756
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2008
    - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
        
        "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1536
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2232
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:288
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2248
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1752
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:884
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:336
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1504
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2212
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2316
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2440
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1616
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1600
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2108
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2000
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1740
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2392
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2124
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2876
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:580
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1264
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2356
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2616
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2104
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1420
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2268
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1776
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1592
    - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
        
        "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2796
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2912
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1188
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:768
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2868
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1708
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2816
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1156
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3044
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2716
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:324
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2452
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2696
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2704
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2712
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2744
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2860
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2972
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2896
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1848
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3008
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2856
    - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
        
        "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2360
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2568
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2348
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2344
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2544
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2088
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2280
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2424
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1800
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2156
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2492
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:548
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1960
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1256
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:764
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2536
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1104
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:408
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:924
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1944
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2476
    - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
        
        "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2464
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1988
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1764
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2308
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1572
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1080
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2460
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2216
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2188
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:812
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2640
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1500
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1956
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:320
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2832
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1416
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2604
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2820
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:892
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2776
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1940
    - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
        
        "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1700
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2108
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1964
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2612
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1904
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1476
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:580
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1264
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2356
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2616
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2096
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2728
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2328
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2724
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2916
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1040
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2180
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2420
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:944
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:936
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3036
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1844
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2680
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2808
    - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
        
        "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2816
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1156
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3020
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2716
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:324
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2452
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2692
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2704
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:852
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3024
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3056
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1796
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1340
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:956
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2520
    - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
        
        "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:696
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2560
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1160
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2568
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2348
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2344
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2152
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2080
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2052
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2400
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2592
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2384
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2996
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2304
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1008
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:448
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1944
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2552
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1348
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2880
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2072
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2492
    - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
        
        "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2380
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2824
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3020
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2920
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2740
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1784
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2696
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2712
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2756
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2860
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2516
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2500
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1320
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1280
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:3056
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2896
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:816
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:692
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:1848
- - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
    "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:1284
  - - C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe
      "C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe" Utility\pidginutily.exe"
      4⤵
      Adds policy Run key to start application
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2556
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Q1j3hCKCyxW\Q1j3hCKCyxW.nfo

Filesize
3KB

MD5
14bb0770b00759a393067240244bf690

SHA1
419344adff151fa951ccb604b8a55ca8c3197732

SHA256
a4d73a576f88e0fc979a501a406146227f2f9294384585472b41f9acb338c7b1

SHA512
354a5ae937325e8710881591b90ccfdc5e0c423e87bd2c13ca1168b998deae31225f036468d73cf023b8a5164bd3f0c15e7a54b3d0af378d53a35edcf9ccc4ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Q1j3hCKCyxW\Q1j3hCKCyxW.svr

Filesize
357KB

MD5
28c66465338c1740d341e2c4427fb065

SHA1
1b9c40c1046c08e4cb63e5be9076f38386142161

SHA256
97a5caded2fe081539eb7102c13b62c6ea5a55257f04333eec12aff8ae272a46

SHA512
3e6ea31f69fed2c2732bbb98158899d5e2c657b2653ebf857652d67a3925bfeab4245f8dda14d63a90cfe7eb15f3089fead00583f1e7641cd69e9007577ce0c9

Download Submit
C:\Users\Admin\AppData\Roaming\Pidgin Utility\pidginutily.exe

Filesize
1.5MB

MD5
ffbab9517e714bc602e6bfcea36b5c19

SHA1
eaf51aa3339794074b1ae032a8e7dbcf2b3c20a8

SHA256
6d9c56da19bbd740c69ef0f36517e0b398fbee1bd5bab0d1e5e87c7bfea76225

SHA512
8af37d66ba78e940a30580f64bedd2baccafaddb09ce9c5a3cb3e63b1a8e259c1857ced7f530f677f8dbe8283bea458adede91edc7c239ecc51a2ca166436095

Download Submit
memory/1284-63-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1284-104-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1284-54-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1592-181-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1592-160-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1908-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1908-25-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-14-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-12-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-10-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-8-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-5-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-23-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-28-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-52-0x0000000005630000-0x00000000059F1000-memory.dmp

Filesize
3.8MB

Download
memory/1908-18-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-43-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-47-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1908-60-0x0000000000670000-0x00000000007F1000-memory.dmp

Filesize
1.5MB

Download
memory/1908-51-0x0000000005630000-0x00000000059F1000-memory.dmp

Filesize
3.8MB

Download
memory/1908-16-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1940-249-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1940-270-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1956-2-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1956-21-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1956-0-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/1956-22-0x00000000004CC000-0x00000000004D5000-memory.dmp

Filesize
36KB

Download
memory/1956-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2008-131-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2008-152-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2372-58-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2372-103-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2372-64-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2476-219-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2476-238-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2492-361-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2492-338-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2520-308-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2520-329-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2808-299-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2808-278-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2824-40-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2856-189-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2856-210-0x0000000000400000-0x00000000007C1000-memory.dmp

Filesize
3.8MB

Download
memory/2956-159-0x0000000004B80000-0x0000000004F41000-memory.dmp

Filesize
3.8MB

Download
memory/2956-218-0x0000000004B10000-0x0000000004ED1000-memory.dmp

Filesize
3.8MB

Download
memory/2956-248-0x0000000004A90000-0x0000000004E51000-memory.dmp

Filesize
3.8MB

Download
memory/2956-36-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2956-188-0x0000000004970000-0x0000000004D31000-memory.dmp

Filesize
3.8MB

Download
memory/2956-277-0x0000000004C80000-0x0000000005041000-memory.dmp

Filesize
3.8MB

Download
memory/2956-48-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2956-307-0x0000000004D30000-0x00000000050F1000-memory.dmp

Filesize
3.8MB

Download
memory/2956-155-0x0000000004920000-0x0000000004CE1000-memory.dmp

Filesize
3.8MB

Download
memory/2956-129-0x0000000004920000-0x0000000004CE1000-memory.dmp

Filesize
3.8MB

Download
memory/2956-336-0x0000000004BB0000-0x0000000004F71000-memory.dmp

Filesize
3.8MB

Download
memory/2956-56-0x0000000004750000-0x0000000004B11000-memory.dmp

Filesize
3.8MB

Download
memory/2956-108-0x0000000004750000-0x0000000004B11000-memory.dmp

Filesize
3.8MB

Download