xtremerat | 423bbaf907eb2af786f3765585e8b09f9a8a6931191361ec1e25a7e8ed173fb4

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-10-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
Size

184KB
MD5

60a86330789a0643714d2c4ef9c7be5c
SHA1

6cf5eb75e9bb75c2f42bcb301f42f444c5fd595f
SHA256

423bbaf907eb2af786f3765585e8b09f9a8a6931191361ec1e25a7e8ed173fb4
SHA512

e9d36ad02b0fb7adfa42d78aedb1d899ddeaf0a27fd688b00572e0acc158ead5e71f91fe954c7aa25ded65dc77640ff5b7af28b2e607284dd7ba50f4389c4ee3
SSDEEP

1536:34VcdfuvL1VITgv3NOnouy8Vk+3or43OMvkvacjBy02WMm:3oAfKyg1OoutVk+Ys+MvkNjBqWMm

Score

10^/10

xtremerat discovery evasion persistence rat spyware upx

Malware Config

Extracted

Family

xtremerat

schalfer.no-ip.org

33schalfer.no-ip.org

翿翿翿翿schalfer.no-ip.org

Signatures

Detect XtremeRAT payload 5 IoCs

resource	yara_rule
behavioral1/memory/2400-11-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-10-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1820-20-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/2400-27-0x0000000000C80000-0x0000000000C96000-memory.dmp	family_xtremerat
behavioral1/memory/1820-229-0x0000000004810000-0x0000000004840000-memory.dmp	family_xtremerat

Modifies WinLogon for persistence 2 TTPs 64 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe

XtremeRAT
The XtremeRAT was developed by xtremecoder and has been available since at least 2010, and written in Delphi.
persistence spyware rat xtremerat

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	RtlUmd.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 64 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15L2M2S1-DO8F-T0KX-6P6J-RJ7Q744F3K35}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe restart"	RtlUmd.exe

Executes dropped EXE 64 IoCs

pid	Process
2604	RtlUmd.exe
2592	RtlUmd.exe
2308	RtlUmd.exe
664	RtlUmd.exe
1288	RtlUmd.exe
2840	RtlUmd.exe
2044	RtlUmd.exe
1780	RtlUmd.exe
2940	RtlUmd.exe
1904	RtlUmd.exe
928	RtlUmd.exe
1744	RtlUmd.exe
3048	RtlUmd.exe
700	RtlUmd.exe
3028	RtlUmd.exe
2508	RtlUmd.exe
2072	RtlUmd.exe
964	RtlUmd.exe
2632	RtlUmd.exe
1512	RtlUmd.exe
2388	RtlUmd.exe
2700	RtlUmd.exe
2868	RtlUmd.exe
1288	RtlUmd.exe
1136	RtlUmd.exe
448	RtlUmd.exe
900	RtlUmd.exe
2172	RtlUmd.exe
2516	RtlUmd.exe
2960	RtlUmd.exe
2804	RtlUmd.exe
2400	RtlUmd.exe
2560	RtlUmd.exe
556	RtlUmd.exe
1824	RtlUmd.exe
2592	RtlUmd.exe
1920	RtlUmd.exe
1784	RtlUmd.exe
2296	RtlUmd.exe
2660	RtlUmd.exe
1264	RtlUmd.exe
2928	RtlUmd.exe
1032	RtlUmd.exe
636	RtlUmd.exe
908	RtlUmd.exe
2528	RtlUmd.exe
580	RtlUmd.exe
1496	RtlUmd.exe
3048	RtlUmd.exe
2076	RtlUmd.exe
832	RtlUmd.exe
1784	RtlUmd.exe
2064	RtlUmd.exe
908	RtlUmd.exe
1836	RtlUmd.exe
1696	RtlUmd.exe
2236	RtlUmd.exe
1000	RtlUmd.exe
2240	RtlUmd.exe
1500	RtlUmd.exe
3128	RtlUmd.exe
3088	RtlUmd.exe
3328	RtlUmd.exe
3440	RtlUmd.exe

Identifies Wine through registry keys 2 TTPs 64 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Wine	RtlUmd.exe

Loads dropped DLL 64 IoCs

pid	Process
2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
2632	WerFault.exe
1820	svchost.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
2720	WerFault.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
2996	WerFault.exe
1820	svchost.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1700	WerFault.exe
1820	svchost.exe
2364	WerFault.exe
2364	WerFault.exe
2364	WerFault.exe
2364	WerFault.exe
2364	WerFault.exe
2364	WerFault.exe
2364	WerFault.exe
1820	svchost.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
1820	svchost.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
2236	WerFault.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
1820	svchost.exe
2516	WerFault.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\RtlUmd = "C:\\Users\\Admin\\AppData\\Roaming\\Netwrk\\RtlUmd.exe"	RtlUmd.exe

Suspicious use of SetThreadContext 50 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 2400	2684	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	30
PID 2308 set thread context of 664	2308	RtlUmd.exe	46
PID 1288 set thread context of 2044	1288	RtlUmd.exe	55
PID 2840 set thread context of 2940	2840	RtlUmd.exe	63
PID 1904 set thread context of 3048	1904	RtlUmd.exe	77
PID 928 set thread context of 700	928	RtlUmd.exe	83
PID 2508 set thread context of 964	2508	RtlUmd.exe	102
PID 2632 set thread context of 1512	2632	RtlUmd.exe	111
PID 2388 set thread context of 2868	2388	RtlUmd.exe	122
PID 1288 set thread context of 448	1288	RtlUmd.exe	134
PID 1136 set thread context of 2172	1136	RtlUmd.exe	141
PID 900 set thread context of 2960	900	RtlUmd.exe	148
PID 2516 set thread context of 2560	2516	RtlUmd.exe	161
PID 2804 set thread context of 556	2804	RtlUmd.exe	166
PID 2400 set thread context of 1920	2400	RtlUmd.exe	177
PID 1824 set thread context of 2296	1824	RtlUmd.exe	187
PID 2592 set thread context of 2660	2592	RtlUmd.exe	188
PID 1264 set thread context of 636	1264	RtlUmd.exe	215
PID 2928 set thread context of 908	2928	RtlUmd.exe	219
PID 1032 set thread context of 580	1032	RtlUmd.exe	222
PID 2076 set thread context of 2064	2076	RtlUmd.exe	254
PID 832 set thread context of 908	832	RtlUmd.exe	257
PID 1784 set thread context of 1836	1784	RtlUmd.exe	259
PID 1696 set thread context of 2240	1696	RtlUmd.exe	277
PID 2236 set thread context of 1500	2236	RtlUmd.exe	281
PID 1000 set thread context of 3088	1000	RtlUmd.exe	284
PID 3328 set thread context of 3464	3328	RtlUmd.exe	309
PID 3504 set thread context of 3644	3504	RtlUmd.exe	318
PID 3788 set thread context of 3884	3788	RtlUmd.exe	331
PID 3836 set thread context of 3900	3836	RtlUmd.exe	333
PID 4072 set thread context of 3136	4072	RtlUmd.exe	343
PID 1836 set thread context of 3272	1836	RtlUmd.exe	346
PID 3516 set thread context of 3660	3516	RtlUmd.exe	361
PID 3572 set thread context of 3868	3572	RtlUmd.exe	369
PID 3468 set thread context of 3644	3468	RtlUmd.exe	377
PID 3364 set thread context of 4076	3364	RtlUmd.exe	394
PID 3272 set thread context of 3108	3272	RtlUmd.exe	411
PID 3216 set thread context of 3300	3216	RtlUmd.exe	413
PID 1836 set thread context of 3884	1836	RtlUmd.exe	425
PID 3612 set thread context of 3720	3612	RtlUmd.exe	434
PID 2528 set thread context of 3208	2528	RtlUmd.exe	446
PID 1500 set thread context of 3704	1500	RtlUmd.exe	448
PID 2232 set thread context of 4176	2232	RtlUmd.exe	461
PID 3124 set thread context of 4284	3124	RtlUmd.exe	466
PID 4292 set thread context of 4480	4292	RtlUmd.exe	479
PID 4444 set thread context of 4648	4444	RtlUmd.exe	489
PID 4524 set thread context of 4724	4524	RtlUmd.exe	495
PID 4692 set thread context of 4964	4692	RtlUmd.exe	506
PID 4856 set thread context of 3512	4856	RtlUmd.exe	514
PID 5076 set thread context of 4280	5076	RtlUmd.exe	520

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2400-7-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2400-4-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2400-3-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2400-9-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2400-11-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2400-10-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1820-20-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/2400-27-0x0000000000C80000-0x0000000000C96000-memory.dmp	upx
behavioral1/memory/1820-402-0x0000000004C60000-0x0000000004C90000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 18 IoCs

pid	pid_target	Process	procid_target
2632	2604	WerFault.exe	41
2720	2592	WerFault.exe	43
2996	1780	WerFault.exe	61
1700	1744	WerFault.exe	80
2364	3028	WerFault.exe	92
2648	2072	WerFault.exe	101
2236	2700	WerFault.exe	119
2516	1784	WerFault.exe	192
1484	2528	WerFault.exe	224
2712	1496	WerFault.exe	232
2928	3048	WerFault.exe	245
3364	3128	WerFault.exe	286
3608	3440	WerFault.exe	307
3652	3472	WerFault.exe	310
1500	4044	WerFault.exe	373
4024	3448	WerFault.exe	388
3440	3696	WerFault.exe	397
3728	4972	WerFault.exe	507

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtlUmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
2604	RtlUmd.exe
2592	RtlUmd.exe
2308	RtlUmd.exe
1288	RtlUmd.exe
2840	RtlUmd.exe
1780	RtlUmd.exe
1904	RtlUmd.exe
928	RtlUmd.exe
1744	RtlUmd.exe
3028	RtlUmd.exe
2508	RtlUmd.exe
2072	RtlUmd.exe
2632	RtlUmd.exe
2388	RtlUmd.exe
2700	RtlUmd.exe
1288	RtlUmd.exe
1136	RtlUmd.exe
900	RtlUmd.exe
2516	RtlUmd.exe
2516	RtlUmd.exe
2804	RtlUmd.exe
2804	RtlUmd.exe
2400	RtlUmd.exe
2400	RtlUmd.exe
1824	RtlUmd.exe
1824	RtlUmd.exe
1824	RtlUmd.exe
2592	RtlUmd.exe
2592	RtlUmd.exe
2592	RtlUmd.exe
1784	RtlUmd.exe
1784	RtlUmd.exe
1784	RtlUmd.exe
1264	RtlUmd.exe
1264	RtlUmd.exe
1264	RtlUmd.exe
2928	RtlUmd.exe
2928	RtlUmd.exe
2928	RtlUmd.exe
2928	RtlUmd.exe
1032	RtlUmd.exe
1032	RtlUmd.exe
1032	RtlUmd.exe
1032	RtlUmd.exe
2528	RtlUmd.exe
2528	RtlUmd.exe
2528	RtlUmd.exe
2528	RtlUmd.exe
1496	RtlUmd.exe
1496	RtlUmd.exe
1496	RtlUmd.exe
1496	RtlUmd.exe
1496	RtlUmd.exe
3048	RtlUmd.exe
3048	RtlUmd.exe
3048	RtlUmd.exe
3048	RtlUmd.exe
3048	RtlUmd.exe
2076	RtlUmd.exe
2076	RtlUmd.exe
2076	RtlUmd.exe
2076	RtlUmd.exe
2076	RtlUmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2400	2684	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2400	2684	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2400	2684	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2400	2684	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2400	2684	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2400	2684	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2400	2684	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2400	2684	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	30
PID 2400 wrote to memory of 1820	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	31
PID 2400 wrote to memory of 1820	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	31
PID 2400 wrote to memory of 1820	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	31
PID 2400 wrote to memory of 1820	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	31
PID 2400 wrote to memory of 1820	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	31
PID 2400 wrote to memory of 1800	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1800	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1800	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1800	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	32
PID 2400 wrote to memory of 1800	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	32
PID 2400 wrote to memory of 2208	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2208	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2208	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2208	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2208	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	33
PID 2400 wrote to memory of 2980	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	35
PID 2400 wrote to memory of 2980	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	35
PID 2400 wrote to memory of 2980	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	35
PID 2400 wrote to memory of 2980	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	35
PID 2400 wrote to memory of 2980	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	35
PID 2400 wrote to memory of 2812	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2812	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2812	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2812	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2812	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	36
PID 2400 wrote to memory of 2824	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	37
PID 2400 wrote to memory of 2824	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	37
PID 2400 wrote to memory of 2824	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	37
PID 2400 wrote to memory of 2824	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	37
PID 2400 wrote to memory of 2824	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	37
PID 2400 wrote to memory of 2836	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	38
PID 2400 wrote to memory of 2836	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	38
PID 2400 wrote to memory of 2836	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	38
PID 2400 wrote to memory of 2836	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	38
PID 2400 wrote to memory of 2836	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	38
PID 2400 wrote to memory of 2988	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	39
PID 2400 wrote to memory of 2988	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	39
PID 2400 wrote to memory of 2988	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	39
PID 2400 wrote to memory of 2988	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	39
PID 2400 wrote to memory of 2988	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	39
PID 2400 wrote to memory of 2752	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	40
PID 2400 wrote to memory of 2752	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	40
PID 2400 wrote to memory of 2752	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	40
PID 2400 wrote to memory of 2752	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	40
PID 2400 wrote to memory of 2604	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	41
PID 2400 wrote to memory of 2604	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	41
PID 2400 wrote to memory of 2604	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	41
PID 2400 wrote to memory of 2604	2400	60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe	41
PID 2604 wrote to memory of 2632	2604	RtlUmd.exe	42
PID 2604 wrote to memory of 2632	2604	RtlUmd.exe	42
PID 2604 wrote to memory of 2632	2604	RtlUmd.exe	42
PID 2604 wrote to memory of 2632	2604	RtlUmd.exe	42
PID 1820 wrote to memory of 2592	1820	svchost.exe	43
PID 1820 wrote to memory of 2592	1820	svchost.exe	43
PID 1820 wrote to memory of 2592	1820	svchost.exe	43
PID 1820 wrote to memory of 2592	1820	svchost.exe	43

C:\Users\Admin\AppData\Local\Temp\60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\60a86330789a0643714d2c4ef9c7be5c_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Modifies WinLogon for persistence
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2592
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 144
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2720
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2308
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1932
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2900
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2668
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:852
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1888
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2940
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1740
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 144
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:1700
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:1288
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2044
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2012
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1244
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1220
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2948
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3032
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2244
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1548
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1904
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        11⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3056
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        12⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        13⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:2844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1472
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        14⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        15⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:2960
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        16⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 144
        17⤵
        Program crash
        
        PID:1484
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1780
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 144
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2996
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:928
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:700
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:292
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1376
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2148
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2356
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2384
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2556
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2072
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 144
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2648
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3028
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 144
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2364
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2632
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1512
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:304
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1440
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2308
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:268
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2008
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3008
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        9⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        11⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2152
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1200
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:988
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        12⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:3048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 144
        13⤵
        Program crash
        
        PID:2928
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious behavior: EnumeratesProcesses
      PID:2700
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 144
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2236
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:1136
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2172
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2972
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:692
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1672
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1620
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2880
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2732
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2852
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2884
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        7⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1904
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:1744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1920
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2300
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3016
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        10⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:832
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        11⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:1936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2896
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        12⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        13⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3156
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        14⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 144
        15⤵
        Program crash
        
        PID:3608
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2516
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2780
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2072
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1092
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2252
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1764
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1784
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1784 -s 144
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2516
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:1824
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1768
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1480
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2444
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2788
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1392
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2864
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:2928
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Executes dropped EXE
        Adds Run key to start application
        
        PID:908
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2340
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1148
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2052
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2180
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2056
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2136
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:332
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        7⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:2700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:556
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious behavior: EnumeratesProcesses
      PID:1496
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 144
        5⤵
        Program crash
        
        PID:2712
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1784
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2560
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1864
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2860
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1032
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:652
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2816
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3344
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3452
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        9⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        10⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        11⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3320
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2132
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3556
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        12⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        13⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3224
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3560
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:3768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        14⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        14⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        15⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:4032
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:1264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        16⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        16⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        17⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:3364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        18⤵
        
        PID:4204
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1696
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        
        PID:2240
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2296
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:2568
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3144
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3164
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3248
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3276
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3304
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3632
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:3836
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        9⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3176
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:3316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        10⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        11⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3844
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3880
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4004
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:3196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        12⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 144
        13⤵
        Program crash
        
        PID:4024
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:3128
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3128 -s 144
        5⤵
        Program crash
        
        PID:3364
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 144
        5⤵
        Program crash
        
        PID:3652
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:3788
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:3884
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3968
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:1836
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3272
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3092
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3520
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3548
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3332
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3664
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3472
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3508
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3916
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Identifies Wine through registry keys
        
        PID:4044
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4044 -s 144
        7⤵
        Program crash
        
        PID:1500
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3572
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:3868
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3956
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3996
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3624
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3140
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3436
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3904
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3540
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 144
        7⤵
        Program crash
        
        PID:3440
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:3364
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4076
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3136
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3964
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3924
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3952
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3128
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3792
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3628
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3676
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        7⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3884
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3336
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4000
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4040
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3700
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3672
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:3124
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4412
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4436
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        10⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        11⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        12⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:3216
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3300
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3564
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3928
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3948
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3992
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3084
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3828
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1712
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3836
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        7⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4116
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4348
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:4724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:5004
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:3612
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:3720
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4012
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3020
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4048
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:1836
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:3748
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4132
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4156
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4196
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        
        PID:4292
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        7⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        
        PID:4480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4640
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4848
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4992
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        8⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        9⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:2232
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4584
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4548
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        10⤵
        
        PID:4752
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:2232
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4176
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4316
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4340
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4420
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4460
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4516
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4552
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4632
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4668
      - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        6⤵
        Identifies Wine through registry keys
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        7⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        Adds Run key to start application
        
        PID:4964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:5108
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3352
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4260
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:4532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        8⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
        8⤵
        Identifies Wine through registry keys
        
        PID:4568
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Identifies Wine through registry keys
      Suspicious use of SetThreadContext
      PID:4444
    - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        
        C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
        5⤵
        Modifies WinLogon for persistence
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4648
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4796
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4840
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4936
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        6⤵
        
        PID:4984
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Identifies Wine through registry keys
      System Location Discovery: System Language Discovery
      PID:4972
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 144
        5⤵
        Program crash
        
        PID:3728
  - - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
      "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
      4⤵
      Identifies Wine through registry keys
      PID:4104
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:1800
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2208
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2980
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2812
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2824
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2836
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2988
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:2752
- - C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe
    "C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2604 -s 144
      4⤵
      Loads dropped DLL
      Program crash
      PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\VLFgBuBQ.cfg

Filesize
1KB

MD5
26e43d95a3ed8dba7b730cf9c306ce7a

SHA1
eaaffc5b3c15b405de1963563f2b22e4e2927815

SHA256
be398b92af4d02c33c8a89d935b49a067fd420af5f5e632ecaa2b4576b6908df

SHA512
bcff7497d4e4061a53db2c7c0ef7b30134d7d85c5a09d3ec5363a21f4eb6174bb17ae38a2f1a970bd8facd976087def42c82a4c707f65688a523b3e6d9de9986

Download Submit
C:\Users\Admin\AppData\Roaming\Netwrk\RtlUmd.exe

Filesize
184KB

MD5
60a86330789a0643714d2c4ef9c7be5c

SHA1
6cf5eb75e9bb75c2f42bcb301f42f444c5fd595f

SHA256
423bbaf907eb2af786f3765585e8b09f9a8a6931191361ec1e25a7e8ed173fb4

SHA512
e9d36ad02b0fb7adfa42d78aedb1d899ddeaf0a27fd688b00572e0acc158ead5e71f91fe954c7aa25ded65dc77640ff5b7af28b2e607284dd7ba50f4389c4ee3

Download Submit
memory/832-400-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/900-243-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/928-149-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1000-406-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1000-447-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1032-317-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1032-359-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1136-230-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1264-314-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1264-355-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1288-216-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1288-200-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1288-85-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1496-404-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1696-432-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1744-257-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1780-138-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1784-361-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1784-287-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1784-356-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1820-360-0x0000000002AB0000-0x0000000002AE0000-memory.dmp

Filesize
192KB

Download
memory/1820-110-0x0000000002E40000-0x0000000002E70000-memory.dmp

Filesize
192KB

Download
memory/1820-448-0x00000000031E0000-0x0000000003210000-memory.dmp

Filesize
192KB

Download
memory/1820-48-0x0000000002780000-0x00000000027B0000-memory.dmp

Filesize
192KB

Download
memory/1820-340-0x00000000029A0000-0x00000000029D0000-memory.dmp

Filesize
192KB

Download
memory/1820-401-0x0000000003110000-0x0000000003140000-memory.dmp

Filesize
192KB

Download
memory/1820-38-0x0000000000BC0000-0x0000000000BF0000-memory.dmp

Filesize
192KB

Download
memory/1820-147-0x0000000003110000-0x0000000003140000-memory.dmp

Filesize
192KB

Download
memory/1820-431-0x0000000003210000-0x0000000003240000-memory.dmp

Filesize
192KB

Download
memory/1820-20-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/1820-169-0x0000000003210000-0x0000000003240000-memory.dmp

Filesize
192KB

Download
memory/1820-475-0x0000000004F00000-0x0000000004F30000-memory.dmp

Filesize
192KB

Download
memory/1820-67-0x00000000029A0000-0x00000000029D0000-memory.dmp

Filesize
192KB

Download
memory/1820-184-0x00000000031E0000-0x0000000003210000-memory.dmp

Filesize
192KB

Download
memory/1820-402-0x0000000004C60000-0x0000000004C90000-memory.dmp

Filesize
192KB

Download
memory/1820-83-0x0000000002AB0000-0x0000000002AE0000-memory.dmp

Filesize
192KB

Download
memory/1820-357-0x0000000004AA0000-0x0000000004AD0000-memory.dmp

Filesize
192KB

Download
memory/1820-477-0x00000000046F0000-0x0000000004720000-memory.dmp

Filesize
192KB

Download
memory/1820-270-0x00000000048B0000-0x00000000048E0000-memory.dmp

Filesize
192KB

Download
memory/1820-202-0x00000000046F0000-0x0000000004720000-memory.dmp

Filesize
192KB

Download
memory/1820-508-0x0000000004810000-0x0000000004840000-memory.dmp

Filesize
192KB

Download
memory/1820-535-0x00000000048B0000-0x00000000048E0000-memory.dmp

Filesize
192KB

Download
memory/1820-229-0x0000000004810000-0x0000000004840000-memory.dmp

Filesize
192KB

Download
memory/1820-534-0x00000000050B0000-0x00000000050E0000-memory.dmp

Filesize
192KB

Download
memory/1820-564-0x0000000005190000-0x00000000051C0000-memory.dmp

Filesize
192KB

Download
memory/1820-313-0x0000000002780000-0x00000000027B0000-memory.dmp

Filesize
192KB

Download
memory/1824-315-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1824-271-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1836-536-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1904-135-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2072-187-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2072-152-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2076-387-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2236-405-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2236-445-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2308-68-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2388-201-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2400-27-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-9-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-7-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-2-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-3-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-11-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-244-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2400-288-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2400-10-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2400-5-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2400-25-0x0000000003690000-0x00000000036C0000-memory.dmp

Filesize
192KB

Download
memory/2400-4-0x0000000000C80000-0x0000000000C96000-memory.dmp

Filesize
88KB

Download
memory/2508-171-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2516-273-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2528-403-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2592-272-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2592-39-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2592-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2592-316-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2604-35-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2632-186-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2684-22-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2684-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2684-1-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2700-215-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2700-185-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2804-284-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2840-107-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2928-358-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3028-170-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3048-362-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3128-504-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3328-461-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3328-446-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3440-505-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3468-549-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3472-462-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3504-479-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3516-563-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3572-575-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3788-506-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3788-476-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3836-507-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3836-478-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4044-562-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4044-578-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4072-533-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download