xtremerat | dd58b13ca2153c0e00cffca4e293cdb9750b8f5bc3446a84f4c96d55f86ab82c

Analysis

max time kernel
132s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Size

100KB
MD5

3d02e6931192b9bea60579a931148b18
SHA1

c6c618cf011fbe7961e2058f05eb85d86caaa1a1
SHA256

dd58b13ca2153c0e00cffca4e293cdb9750b8f5bc3446a84f4c96d55f86ab82c
SHA512

bc4ff80845102c852b60d21ee8f059da26eda150ff7f71eba745b0905c98d43096c6f9497b1145a3b80b2f551af5f29c3e16dd4f476257885b6ff37158edb9e2
SSDEEP

1536:MqZotJJEtoB8NZojMB/x6/Fj/BPucceZcm/8hd0f1tYxG9:MqZ4UNZojMBktj8eZTPZ

Score

10^/10

xtremerat discovery evasion persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

schalfer.no-ip.org

schalschalfer.no-ip.org

琼schalfer.no-ip.org

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/2560-8-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2560-9-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2552-18-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2560-22-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe

Executes dropped EXE 64 IoCs

pid	Process
2612	dwmz.exe
2748	dwmz.exe
2960	dwmz.exe
1956	dwmz.exe
2796	dwmz.exe
2968	dwmz.exe
3056	dwmz.exe
1676	dwmz.exe
800	dwmz.exe
1748	dwmz.exe
1944	dwmz.exe
1840	dwmz.exe
764	dwmz.exe
1508	dwmz.exe
2496	dwmz.exe
2416	dwmz.exe
1976	dwmz.exe
2620	dwmz.exe
1460	dwmz.exe
2864	dwmz.exe
1744	dwmz.exe
1736	dwmz.exe
2720	dwmz.exe
956	dwmz.exe
2576	dwmz.exe
2980	dwmz.exe
584	dwmz.exe
2964	dwmz.exe
2216	dwmz.exe
532	dwmz.exe
2320	dwmz.exe
2572	dwmz.exe
2256	dwmz.exe
832	dwmz.exe
1736	dwmz.exe
1428	dwmz.exe
2192	dwmz.exe
2728	dwmz.exe
964	dwmz.exe
2896	dwmz.exe
432	dwmz.exe
2208	dwmz.exe
1960	dwmz.exe
2472	dwmz.exe
2456	dwmz.exe
2256	dwmz.exe
1124	dwmz.exe
1440	dwmz.exe
1500	dwmz.exe
2224	dwmz.exe
680	dwmz.exe
2832	dwmz.exe
2856	dwmz.exe
3196	dwmz.exe
2800	dwmz.exe
3300	dwmz.exe
3328	dwmz.exe
964	dwmz.exe
2732	dwmz.exe
3596	dwmz.exe
3292	dwmz.exe
3756	dwmz.exe
3424	dwmz.exe
3932	dwmz.exe

Identifies Wine through registry keys 2 TTPs 61 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	dwmz.exe

Loads dropped DLL 1 IoCs

pid	Process
2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe

Suspicious use of SetThreadContext 56 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 2560	2116	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	30
PID 2612 set thread context of 2960	2612	dwmz.exe	41
PID 2748 set thread context of 2796	2748	dwmz.exe	44
PID 1956 set thread context of 800	1956	dwmz.exe	55
PID 2968 set thread context of 1944	2968	dwmz.exe	65
PID 3056 set thread context of 1840	3056	dwmz.exe	67
PID 1676 set thread context of 2496	1676	dwmz.exe	75
PID 1748 set thread context of 1976	1748	dwmz.exe	81
PID 764 set thread context of 1744	764	dwmz.exe	100
PID 1508 set thread context of 1736	1508	dwmz.exe	103
PID 2416 set thread context of 2576	2416	dwmz.exe	116
PID 2620 set thread context of 2980	2620	dwmz.exe	120
PID 1460 set thread context of 584	1460	dwmz.exe	124
PID 2864 set thread context of 2216	2864	dwmz.exe	138
PID 2720 set thread context of 2320	2720	dwmz.exe	141
PID 956 set thread context of 2256	956	dwmz.exe	145
PID 2964 set thread context of 2728	2964	dwmz.exe	171
PID 532 set thread context of 2896	532	dwmz.exe	187
PID 2572 set thread context of 432	2572	dwmz.exe	192
PID 832 set thread context of 2208	832	dwmz.exe	197
PID 1736 set thread context of 2456	1736	dwmz.exe	204
PID 1428 set thread context of 1440	1428	dwmz.exe	211
PID 2192 set thread context of 1500	2192	dwmz.exe	213
PID 964 set thread context of 2224	964	dwmz.exe	219
PID 1960 set thread context of 2856	1960	dwmz.exe	242
PID 2472 set thread context of 2800	2472	dwmz.exe	247
PID 2256 set thread context of 964	2256	dwmz.exe	260
PID 1124 set thread context of 2732	1124	dwmz.exe	262
PID 680 set thread context of 3292	680	dwmz.exe	271
PID 2832 set thread context of 3424	2832	dwmz.exe	280
PID 3196 set thread context of 3608	3196	dwmz.exe	291
PID 3300 set thread context of 3692	3300	dwmz.exe	296
PID 3328 set thread context of 3736	3328	dwmz.exe	299
PID 3596 set thread context of 4024	3596	dwmz.exe	317
PID 3756 set thread context of 3244	3756	dwmz.exe	325
PID 3932 set thread context of 3336	3932	dwmz.exe	333
PID 3924 set thread context of 2472	3924	dwmz.exe	334
PID 3236 set thread context of 3888	3236	dwmz.exe	350
PID 3636 set thread context of 3852	3636	dwmz.exe	362
PID 3944 set thread context of 3692	3944	dwmz.exe	370
PID 3988 set thread context of 1344	3988	dwmz.exe	426
PID 2800 set thread context of 3928	2800	dwmz.exe	386
PID 1640 set thread context of 3244	1640	dwmz.exe	390
PID 3688 set thread context of 3512	3688	dwmz.exe	393
PID 3936 set thread context of 3852	3936	dwmz.exe	414
PID 4040 set thread context of 3992	4040	dwmz.exe	419
PID 3972 set thread context of 2800	3972	dwmz.exe	430
PID 2732 set thread context of 4260	2732	dwmz.exe	442
PID 3604 set thread context of 4380	3604	dwmz.exe	448
PID 3176 set thread context of 4436	3176	dwmz.exe	539
PID 4248 set thread context of 4768	4248	dwmz.exe	470
PID 4332 set thread context of 4816	4332	dwmz.exe	474
PID 4368 set thread context of 4888	4368	dwmz.exe	476
PID 4452 set thread context of 4972	4452	dwmz.exe	556
PID 4700 set thread context of 4284	4700	dwmz.exe	569
PID 4960 set thread context of 4684	4960	dwmz.exe	580

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2560-2-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2560-1-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2560-5-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2560-8-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2560-9-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2560-7-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2552-18-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2560-22-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2116	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
2612	dwmz.exe
2748	dwmz.exe
1956	dwmz.exe
2968	dwmz.exe
3056	dwmz.exe
1676	dwmz.exe
1748	dwmz.exe
764	dwmz.exe
1508	dwmz.exe
2416	dwmz.exe
2620	dwmz.exe
1460	dwmz.exe
2864	dwmz.exe
2864	dwmz.exe
2720	dwmz.exe
2720	dwmz.exe
956	dwmz.exe
956	dwmz.exe
2964	dwmz.exe
2964	dwmz.exe
2964	dwmz.exe
532	dwmz.exe
532	dwmz.exe
532	dwmz.exe
2572	dwmz.exe
2572	dwmz.exe
2572	dwmz.exe
832	dwmz.exe
832	dwmz.exe
832	dwmz.exe
832	dwmz.exe
1736	dwmz.exe
1736	dwmz.exe
1736	dwmz.exe
1736	dwmz.exe
1428	dwmz.exe
1428	dwmz.exe
1428	dwmz.exe
1428	dwmz.exe
2192	dwmz.exe
2192	dwmz.exe
2192	dwmz.exe
2192	dwmz.exe
964	dwmz.exe
964	dwmz.exe
964	dwmz.exe
964	dwmz.exe
1960	dwmz.exe
1960	dwmz.exe
1960	dwmz.exe
1960	dwmz.exe
1960	dwmz.exe
2472	dwmz.exe
2472	dwmz.exe
2472	dwmz.exe
2472	dwmz.exe
2472	dwmz.exe
2256	dwmz.exe
2256	dwmz.exe
2256	dwmz.exe
2256	dwmz.exe
2256	dwmz.exe
2256	dwmz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2560	2116	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2560	2116	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2560	2116	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2560	2116	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2560	2116	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2560	2116	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2560	2116	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2560	2116	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	30
PID 2560 wrote to memory of 2552	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2552	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2552	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2552	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2552	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	31
PID 2560 wrote to memory of 2196	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	32
PID 2560 wrote to memory of 2196	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	32
PID 2560 wrote to memory of 2196	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	32
PID 2560 wrote to memory of 2196	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	32
PID 2560 wrote to memory of 2196	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	32
PID 2560 wrote to memory of 668	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	33
PID 2560 wrote to memory of 668	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	33
PID 2560 wrote to memory of 668	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	33
PID 2560 wrote to memory of 668	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	33
PID 2560 wrote to memory of 668	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	33
PID 2560 wrote to memory of 2872	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	34
PID 2560 wrote to memory of 2872	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	34
PID 2560 wrote to memory of 2872	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	34
PID 2560 wrote to memory of 2872	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	34
PID 2560 wrote to memory of 2872	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	34
PID 2560 wrote to memory of 2932	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	35
PID 2560 wrote to memory of 2932	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	35
PID 2560 wrote to memory of 2932	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	35
PID 2560 wrote to memory of 2932	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	35
PID 2560 wrote to memory of 2932	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	35
PID 2560 wrote to memory of 2944	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	36
PID 2560 wrote to memory of 2944	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	36
PID 2560 wrote to memory of 2944	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	36
PID 2560 wrote to memory of 2944	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	36
PID 2560 wrote to memory of 2944	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	36
PID 2560 wrote to memory of 2952	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	37
PID 2560 wrote to memory of 2952	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	37
PID 2560 wrote to memory of 2952	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	37
PID 2560 wrote to memory of 2952	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	37
PID 2560 wrote to memory of 2952	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	37
PID 2560 wrote to memory of 2928	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	38
PID 2560 wrote to memory of 2928	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	38
PID 2560 wrote to memory of 2928	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	38
PID 2560 wrote to memory of 2928	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	38
PID 2560 wrote to memory of 2928	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	38
PID 2560 wrote to memory of 2880	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	39
PID 2560 wrote to memory of 2880	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	39
PID 2560 wrote to memory of 2880	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	39
PID 2560 wrote to memory of 2880	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	39
PID 2560 wrote to memory of 2612	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	40
PID 2560 wrote to memory of 2612	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	40
PID 2560 wrote to memory of 2612	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	40
PID 2560 wrote to memory of 2612	2560	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	40
PID 2612 wrote to memory of 2960	2612	dwmz.exe	41
PID 2612 wrote to memory of 2960	2612	dwmz.exe	41
PID 2612 wrote to memory of 2960	2612	dwmz.exe	41
PID 2612 wrote to memory of 2960	2612	dwmz.exe	41
PID 2552 wrote to memory of 2748	2552	svchost.exe	42
PID 2552 wrote to memory of 2748	2552	svchost.exe	42
PID 2552 wrote to memory of 2748	2552	svchost.exe	42
PID 2552 wrote to memory of 2748	2552	svchost.exe	42

C:\Users\Admin\AppData\Local\Temp\3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies WinLogon for persistence
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2748
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2796
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1348
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2544
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2900
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2216
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        11⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        12⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        13⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3948
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4092
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1956
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1592
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2428
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2260
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2520
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1656
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:3056
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1840
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1120
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1776
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2412
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1004
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1312
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:1124
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        11⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3520
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        12⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1748
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1036
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2184
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2220
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2096
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1272
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2396
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1668
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:1440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:3196
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        11⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        12⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:3636
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        13⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        14⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        15⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        
        PID:2800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4712
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        16⤵
        Identifies Wine through registry keys
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        17⤵
        
        PID:4796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4700
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1508
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1736
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2448
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2272
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1872
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1040
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:1460
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1496
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2488
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2504
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2268
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:956
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2256
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1976
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2960
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2072
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2540
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1456
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2772
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2120
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1536
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1500
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2964
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2728
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:760
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1028
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2172
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3772
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:832
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2668
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1212
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2684
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2188
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2392
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2112
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:964
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2224
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2576
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2208
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2116
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1428
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3124
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3212
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3284
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2472
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2800
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3276
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3320
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3348
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3388
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:680
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3292
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3764
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3812
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3916
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3956
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4000
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3328
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3736
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3308
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3372
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3432
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3264
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1124
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3668
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3788
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:3692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5072
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        10⤵
        Identifies Wine through registry keys
        
        PID:4224
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        11⤵
        
        PID:3908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        12⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        13⤵
        
        PID:5416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:5944
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3756
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3244
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3896
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3092
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3192
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3120
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4376
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:3236
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3184
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4044
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3656
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3820
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3856
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3912
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1128
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        10⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        11⤵
        
        PID:4684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5544
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:5872
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        12⤵
        
        PID:5920
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3988
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:1344
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2204
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3608
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3600
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4024
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4016
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3884
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3880
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3604
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4860
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:1640
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3244
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3508
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1604
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3248
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3200
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3196
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4120
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4172
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4268
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:4332
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        
        PID:4664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5432
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        10⤵
        
        PID:5516
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:4040
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        
        PID:3992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4416
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4472
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4536
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4584
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4608
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4688
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4776
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:4960
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        
        PID:4960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5912
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:3176
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4944
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5032
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5080
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5100
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4152
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4356
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4520
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        
        PID:4340
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        
        PID:5136
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        
        PID:5628
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:4452
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4972
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4220
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4756
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4824
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4840
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4384
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4876
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5040
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4740
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        
        PID:4868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5160
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5368
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5508
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        
        PID:5552
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:5004
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        
        PID:4728
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4532
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4624
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4372
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4856
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:4752
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        
        PID:4528
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4708
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4200
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4468
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3988
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4292
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4680
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5128
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        
        PID:5196
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        
        PID:5716
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      PID:4672
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        
        PID:4720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5228
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5264
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5352
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5424
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5476
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5580
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5636
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        
        PID:5696
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      PID:4284
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        
        PID:5252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5804
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:5860
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      PID:5288
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        
        PID:5788
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      PID:5820
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2196
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:668
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2872
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2932
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2944
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2952
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2928
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2880
- - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
    "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      4⤵
      Modifies WinLogon for persistence
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Adds Run key to start application
      PID:2960
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2776
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2332
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2336
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2768
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2468
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2352
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2704
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1752
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2968
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:1280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2592
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        7⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2416
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        8⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        9⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:532
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        10⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        11⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        12⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3796
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        13⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        14⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3996
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:3476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        15⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        16⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2456
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        17⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        18⤵
        
        PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ZQD7FHROZA.cfg

Filesize
1KB

MD5
2e7c9c78761db5cf63fa560dd09b8384

SHA1
1a2edf9e73dc3524e35fbe6eb9a4a750db4e162d

SHA256
db604f75e47ec53b71df69cd76c953b4a1f9d182adfb333ae0c273154be97701

SHA512
876d7f920607009132ef9795a5e51360f09ab9c3ba2534b93638335d73a562031b1d7b426d1681c7247239e8923dc9a2e514685a2d6b1235526d9f678d6a8d35

Download Submit
C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe

Filesize
100KB

MD5
3d02e6931192b9bea60579a931148b18

SHA1
c6c618cf011fbe7961e2058f05eb85d86caaa1a1

SHA256
dd58b13ca2153c0e00cffca4e293cdb9750b8f5bc3446a84f4c96d55f86ab82c

SHA512
bc4ff80845102c852b60d21ee8f059da26eda150ff7f71eba745b0905c98d43096c6f9497b1145a3b80b2f551af5f29c3e16dd4f476257885b6ff37158edb9e2

Download Submit
memory/2552-18-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-0-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-2-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-1-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-5-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-8-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-9-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-7-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2560-22-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download