xtremerat | dd58b13ca2153c0e00cffca4e293cdb9750b8f5bc3446a84f4c96d55f86ab82c

Analysis

max time kernel
150s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Size

100KB
MD5

3d02e6931192b9bea60579a931148b18
SHA1

c6c618cf011fbe7961e2058f05eb85d86caaa1a1
SHA256

dd58b13ca2153c0e00cffca4e293cdb9750b8f5bc3446a84f4c96d55f86ab82c
SHA512

bc4ff80845102c852b60d21ee8f059da26eda150ff7f71eba745b0905c98d43096c6f9497b1145a3b80b2f551af5f29c3e16dd4f476257885b6ff37158edb9e2
SSDEEP

1536:MqZotJJEtoB8NZojMB/x6/Fj/BPucceZcm/8hd0f1tYxG9:MqZ4UNZojMBktj8eZTPZ

Score

10^/10

xtremerat discovery evasion persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

schalfer.no-ip.org

schalschalfer.no-ip.org

琼schalfer.no-ip.org

Signatures

Detect XtremeRAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/1936-3-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/5052-11-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/1936-14-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral2/memory/64-19-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	dwmz.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EU7LFI38-3T3U-RVHC-N4W5-8I8A4KT4XO38}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe restart"	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe

Checks computer location settings 2 TTPs 37 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	dwmz.exe

Executes dropped EXE 64 IoCs

pid	Process
2512	dwmz.exe
4148	dwmz.exe
64	dwmz.exe
4456	dwmz.exe
2624	dwmz.exe
3244	dwmz.exe
4088	dwmz.exe
3448	dwmz.exe
3940	dwmz.exe
1420	dwmz.exe
3052	dwmz.exe
1100	dwmz.exe
3420	dwmz.exe
4000	dwmz.exe
4908	dwmz.exe
4880	dwmz.exe
2940	dwmz.exe
4396	dwmz.exe
1028	dwmz.exe
4404	dwmz.exe
3036	dwmz.exe
1004	dwmz.exe
2704	dwmz.exe
948	dwmz.exe
4812	dwmz.exe
3384	dwmz.exe
4808	dwmz.exe
2544	dwmz.exe
3464	dwmz.exe
2956	dwmz.exe
1940	dwmz.exe
3560	dwmz.exe
4468	dwmz.exe
2736	dwmz.exe
1436	dwmz.exe
3488	dwmz.exe
4376	dwmz.exe
3976	dwmz.exe
1036	dwmz.exe
4732	dwmz.exe
4472	dwmz.exe
4896	dwmz.exe
1592	dwmz.exe
4336	dwmz.exe
2744	dwmz.exe
1112	dwmz.exe
3580	dwmz.exe
3900	dwmz.exe
3172	dwmz.exe
5080	dwmz.exe
3488	dwmz.exe
1508	dwmz.exe
3992	dwmz.exe
3672	dwmz.exe
4528	dwmz.exe
752	dwmz.exe
2880	dwmz.exe
4896	dwmz.exe
4452	dwmz.exe
2996	dwmz.exe
3144	dwmz.exe
1344	dwmz.exe
3172	dwmz.exe
660	dwmz.exe

Identifies Wine through registry keys 2 TTPs 63 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	dwmz.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\dwm = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Recovery\\dwmz.exe"	dwmz.exe

Suspicious use of SetThreadContext 53 IoCs

description	pid	Process	procid_target
PID 2800 set thread context of 1936	2800	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	86
PID 2512 set thread context of 64	2512	dwmz.exe	97
PID 4148 set thread context of 3244	4148	dwmz.exe	101
PID 4456 set thread context of 3448	4456	dwmz.exe	113
PID 2624 set thread context of 3052	2624	dwmz.exe	122
PID 4088 set thread context of 1100	4088	dwmz.exe	126
PID 3940 set thread context of 4908	3940	dwmz.exe	135
PID 1420 set thread context of 2940	1420	dwmz.exe	139
PID 3420 set thread context of 3036	3420	dwmz.exe	158
PID 4000 set thread context of 2704	4000	dwmz.exe	169
PID 4880 set thread context of 948	4880	dwmz.exe	174
PID 4396 set thread context of 4812	4396	dwmz.exe	177
PID 1028 set thread context of 3464	1028	dwmz.exe	186
PID 4404 set thread context of 2956	4404	dwmz.exe	191
PID 1004 set thread context of 3560	1004	dwmz.exe	198
PID 3384 set thread context of 3488	3384	dwmz.exe	222
PID 4808 set thread context of 4376	4808	dwmz.exe	226
PID 2544 set thread context of 4732	2544	dwmz.exe	234
PID 1940 set thread context of 4472	1940	dwmz.exe	239
PID 2736 set thread context of 4896	2736	dwmz.exe	247
PID 1436 set thread context of 2744	1436	dwmz.exe	262
PID 3976 set thread context of 1112	3976	dwmz.exe	267
PID 4336 set thread context of 3488	4336	dwmz.exe	293
PID 3580 set thread context of 1508	3580	dwmz.exe	304
PID 3172 set thread context of 4528	3172	dwmz.exe	311
PID 5080 set thread context of 752	5080	dwmz.exe	320
PID 3992 set thread context of 2996	3992	dwmz.exe	336
PID 3672 set thread context of 3144	3672	dwmz.exe	337
PID 2880 set thread context of 660	2880	dwmz.exe	351
PID 4896 set thread context of 2468	4896	dwmz.exe	354
PID 4452 set thread context of 3940	4452	dwmz.exe	360
PID 1344 set thread context of 2276	1344	dwmz.exe	365
PID 3172 set thread context of 3992	3172	dwmz.exe	370
PID 1532 set thread context of 5216	1532	dwmz.exe	389
PID 3688 set thread context of 5296	3688	dwmz.exe	394
PID 5172 set thread context of 5512	5172	dwmz.exe	411
PID 5328 set thread context of 5692	5328	dwmz.exe	418
PID 5428 set thread context of 5756	5428	dwmz.exe	423
PID 5548 set thread context of 5856	5548	dwmz.exe	427
PID 5648 set thread context of 5908	5648	dwmz.exe	431
PID 5712 set thread context of 5996	5712	dwmz.exe	435
PID 5952 set thread context of 4884	5952	dwmz.exe	453
PID 3392 set thread context of 6076	3392	dwmz.exe	483
PID 5596 set thread context of 5156	5596	dwmz.exe	487
PID 5580 set thread context of 5428	5580	dwmz.exe	489
PID 5948 set thread context of 5412	5948	dwmz.exe	494
PID 5820 set thread context of 3352	5820	dwmz.exe	496
PID 6124 set thread context of 3288	6124	dwmz.exe	499
PID 1304 set thread context of 4136	1304	dwmz.exe	504
PID 5532 set thread context of 5600	5532	dwmz.exe	521
PID 5340 set thread context of 5632	5340	dwmz.exe	533
PID 5196 set thread context of 6356	5196	dwmz.exe	559
PID 1736 set thread context of 6412	1736	dwmz.exe	564

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1936-0-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1936-2-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1936-4-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1936-3-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/5052-11-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/1936-14-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/64-18-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral2/memory/64-19-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 6 IoCs

pid	pid_target	Process	procid_target
3360	4468	WerFault.exe	223
3332	4468	WerFault.exe	223
2216	1592	WerFault.exe	272
2800	1592	WerFault.exe	272
3360	3900	WerFault.exe	301
4548	3900	WerFault.exe	301

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwmz.exe

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	dwmz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2800	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
2800	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
2512	dwmz.exe
2512	dwmz.exe
4148	dwmz.exe
4148	dwmz.exe
4456	dwmz.exe
4456	dwmz.exe
2624	dwmz.exe
2624	dwmz.exe
4088	dwmz.exe
4088	dwmz.exe
3940	dwmz.exe
3940	dwmz.exe
1420	dwmz.exe
1420	dwmz.exe
3420	dwmz.exe
3420	dwmz.exe
4000	dwmz.exe
4000	dwmz.exe
4880	dwmz.exe
4880	dwmz.exe
4396	dwmz.exe
4396	dwmz.exe
1028	dwmz.exe
1028	dwmz.exe
4404	dwmz.exe
4404	dwmz.exe
1004	dwmz.exe
1004	dwmz.exe
3384	dwmz.exe
3384	dwmz.exe
4808	dwmz.exe
4808	dwmz.exe
2544	dwmz.exe
2544	dwmz.exe
1940	dwmz.exe
1940	dwmz.exe
4468	dwmz.exe
4468	dwmz.exe
2736	dwmz.exe
2736	dwmz.exe
1436	dwmz.exe
1436	dwmz.exe
3976	dwmz.exe
3976	dwmz.exe
1592	dwmz.exe
1592	dwmz.exe
4336	dwmz.exe
4336	dwmz.exe
3580	dwmz.exe
3580	dwmz.exe
3900	dwmz.exe
3900	dwmz.exe
3172	dwmz.exe
3172	dwmz.exe
5080	dwmz.exe
5080	dwmz.exe
3992	dwmz.exe
3992	dwmz.exe
3672	dwmz.exe
3672	dwmz.exe
2880	dwmz.exe
2880	dwmz.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 1936	2800	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	86
PID 2800 wrote to memory of 1936	2800	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	86
PID 2800 wrote to memory of 1936	2800	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	86
PID 2800 wrote to memory of 1936	2800	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	86
PID 2800 wrote to memory of 1936	2800	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	86
PID 2800 wrote to memory of 1936	2800	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	86
PID 2800 wrote to memory of 1936	2800	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	86
PID 2800 wrote to memory of 1936	2800	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	86
PID 1936 wrote to memory of 5052	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	87
PID 1936 wrote to memory of 5052	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	87
PID 1936 wrote to memory of 5052	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	87
PID 1936 wrote to memory of 5052	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	87
PID 1936 wrote to memory of 4052	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	88
PID 1936 wrote to memory of 4052	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	88
PID 1936 wrote to memory of 4052	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	88
PID 1936 wrote to memory of 3044	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	89
PID 1936 wrote to memory of 3044	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	89
PID 1936 wrote to memory of 3044	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	89
PID 1936 wrote to memory of 3656	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	90
PID 1936 wrote to memory of 3656	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	90
PID 1936 wrote to memory of 3656	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	90
PID 1936 wrote to memory of 3068	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	91
PID 1936 wrote to memory of 3068	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	91
PID 1936 wrote to memory of 3068	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	91
PID 1936 wrote to memory of 2248	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	92
PID 1936 wrote to memory of 2248	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	92
PID 1936 wrote to memory of 2248	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	92
PID 1936 wrote to memory of 1848	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	93
PID 1936 wrote to memory of 1848	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	93
PID 1936 wrote to memory of 1848	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	93
PID 1936 wrote to memory of 4416	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	94
PID 1936 wrote to memory of 4416	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	94
PID 1936 wrote to memory of 4416	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	94
PID 1936 wrote to memory of 3520	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	95
PID 1936 wrote to memory of 3520	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	95
PID 1936 wrote to memory of 2512	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	96
PID 1936 wrote to memory of 2512	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	96
PID 1936 wrote to memory of 2512	1936	3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe	96
PID 2512 wrote to memory of 64	2512	dwmz.exe	97
PID 2512 wrote to memory of 64	2512	dwmz.exe	97
PID 2512 wrote to memory of 64	2512	dwmz.exe	97
PID 5052 wrote to memory of 4148	5052	svchost.exe	98
PID 5052 wrote to memory of 4148	5052	svchost.exe	98
PID 5052 wrote to memory of 4148	5052	svchost.exe	98
PID 2512 wrote to memory of 64	2512	dwmz.exe	97
PID 2512 wrote to memory of 64	2512	dwmz.exe	97
PID 2512 wrote to memory of 64	2512	dwmz.exe	97
PID 2512 wrote to memory of 64	2512	dwmz.exe	97
PID 2512 wrote to memory of 64	2512	dwmz.exe	97
PID 64 wrote to memory of 1072	64	dwmz.exe	99
PID 64 wrote to memory of 1072	64	dwmz.exe	99
PID 64 wrote to memory of 1072	64	dwmz.exe	99
PID 64 wrote to memory of 3632	64	dwmz.exe	100
PID 64 wrote to memory of 3632	64	dwmz.exe	100
PID 64 wrote to memory of 3632	64	dwmz.exe	100
PID 4148 wrote to memory of 3244	4148	dwmz.exe	101
PID 4148 wrote to memory of 3244	4148	dwmz.exe	101
PID 4148 wrote to memory of 3244	4148	dwmz.exe	101
PID 64 wrote to memory of 1452	64	dwmz.exe	102
PID 64 wrote to memory of 1452	64	dwmz.exe	102
PID 5052 wrote to memory of 4456	5052	svchost.exe	103
PID 5052 wrote to memory of 4456	5052	svchost.exe	103
PID 5052 wrote to memory of 4456	5052	svchost.exe	103
PID 64 wrote to memory of 1452	64	dwmz.exe	102

C:\Users\Admin\AppData\Local\Temp\3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Local\Temp\3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3d02e6931192b9bea60579a931148b18_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Boot or Logon Autostart Execution: Active Setup
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies WinLogon for persistence
    - Boot or Logon Autostart Execution: Active Setup
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5052
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4148
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2920
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1992
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2492
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4280
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3940
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1536
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1028
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1376
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:4456
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4420
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4520
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1660
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4088
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4976
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2840
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4012
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4668
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4880
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:948
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:4472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3364
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2720
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4908
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1420
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3980
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1016
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4064
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4744
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4404
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:820
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:64
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4328
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3056
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4724
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 616
        11⤵
        Program crash
        
        PID:3360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 640
        11⤵
        Program crash
        
        PID:4548
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3420
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:3036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:208
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4200
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:436
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1172
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4660
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3388
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3384
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:432
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:760
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4396
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3244
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2572
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1192
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5008
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3800
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:856
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4468
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 640
        7⤵
        Program crash
        
        PID:3360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 664
        7⤵
        Program crash
        
        PID:3332
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1004
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4748
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2344
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4268
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4700
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4572
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3976
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4004
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2656
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3172
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        11⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5256
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5376
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        12⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:5428
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        13⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5756
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6084
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6104
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:2468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:1092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5484
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:5492
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        14⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        15⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:5428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:1508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:3648
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        16⤵
        
        PID:3816
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:4808
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:4376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2936
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2736
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4896
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3052
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3528
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4148
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3652
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:1036
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious behavior: EnumeratesProcesses
      PID:1592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 628
        5⤵
        Program crash
        
        PID:2216
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 620
        5⤵
        Program crash
        
        PID:2800
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:3580
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2632
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3120
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2744
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:316
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:764
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4468
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5172
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5920
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5080
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3964
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1292
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3488
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:2276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5188
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5472
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:5548
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5184
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5148
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:2800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        10⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5948
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        11⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:3392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5552
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5268
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        12⤵
        
        PID:5548
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        12⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        13⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        14⤵
        
        PID:6720
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3992
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4048
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3952
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4840
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:4528
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:5216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5564
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5612
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:4896
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1612
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:548
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:752
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3328
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:3172
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Modifies registry class
        
        PID:3992
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5280
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5316
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5360
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5504
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5584
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:5648
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5248
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3172
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5628
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:5820
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:3352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5664
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:3880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:4884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5892
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5816
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        10⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:6176
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        11⤵
        
        PID:6476
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:3688
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Modifies registry class
        
        PID:5296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5680
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5700
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5740
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5764
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5776
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5864
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5884
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5952
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5436
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:4088
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6024
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5532
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5600
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6204
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6348
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        10⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        10⤵
        Identifies Wine through registry keys
        
        PID:6492
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5328
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5692
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5984
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6112
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:1628
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5276
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5688
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5908
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6000
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:3424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5936
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5712
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5996
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5488
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2908
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6060
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:6124
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5940
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:5232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:2780
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        8⤵
        
        PID:6216
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        8⤵
        Identifies Wine through registry keys
        
        PID:6260
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        9⤵
        
        PID:6516
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      PID:6016
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5596
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        
        PID:5156
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5860
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:2796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5328
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5956
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5560
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3348
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1304
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4136
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5824
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:5648
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:3640
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:5340
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Adds Run key to start application
        Modifies registry class
        
        PID:5632
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6336
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6508
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6536
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        6⤵
        Identifies Wine through registry keys
        
        PID:6564
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:5196
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:6356
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6616
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6636
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        6⤵
        
        PID:6708
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:6376
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        5⤵
        
        PID:6628
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:2248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:1848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    3⤵
    PID:3520
- - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
    "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
      4⤵
      Modifies WinLogon for persistence
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:64
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:4444
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:1216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        5⤵
        
        PID:3436
    - - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2624
      - C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        6⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3752
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3524
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:1624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:2636
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        7⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        7⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4000
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        8⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2704
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:2228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:4392
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:3496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        9⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        9⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        10⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1048
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:1028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2640
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:2464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4208
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        11⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        11⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4336
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        12⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4040
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:2740
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4500
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:1584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:1804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
        13⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        "C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe"
        13⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3672
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        
        C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe
        14⤵
        Executes dropped EXE
        
        PID:3144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4468 -ip 4468
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4468 -ip 4468
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1592 -ip 1592
1⤵
PID:984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1592 -ip 1592
1⤵
PID:1736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3900 -ip 3900
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3900 -ip 3900
1⤵
PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\ZQD7FHROZA.cfg

Filesize
1KB

MD5
2e7c9c78761db5cf63fa560dd09b8384

SHA1
1a2edf9e73dc3524e35fbe6eb9a4a750db4e162d

SHA256
db604f75e47ec53b71df69cd76c953b4a1f9d182adfb333ae0c273154be97701

SHA512
876d7f920607009132ef9795a5e51360f09ab9c3ba2534b93638335d73a562031b1d7b426d1681c7247239e8923dc9a2e514685a2d6b1235526d9f678d6a8d35

Download Submit
C:\Users\Admin\AppData\Roaming\Recovery\dwmz.exe

Filesize
100KB

MD5
3d02e6931192b9bea60579a931148b18

SHA1
c6c618cf011fbe7961e2058f05eb85d86caaa1a1

SHA256
dd58b13ca2153c0e00cffca4e293cdb9750b8f5bc3446a84f4c96d55f86ab82c

SHA512
bc4ff80845102c852b60d21ee8f059da26eda150ff7f71eba745b0905c98d43096c6f9497b1145a3b80b2f551af5f29c3e16dd4f476257885b6ff37158edb9e2

Download Submit
memory/64-18-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/64-19-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1936-0-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1936-2-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1936-4-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1936-3-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1936-14-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/5052-11-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download