blackshades | a611c1bec8d50566e197729e18ceea02a20ddba87edec04cbd0b07138e5c981a

Analysis

max time kernel
147s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 19:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Size

420KB
MD5

952be0d1dd3dd95b61bcbdcf933edba7
SHA1

5d2940886752297967a037e30d2408119141209d
SHA256

a611c1bec8d50566e197729e18ceea02a20ddba87edec04cbd0b07138e5c981a
SHA512

412393fc8ae75e4a82da8fc2df2d4335cb24fa072f4e6bec36320b403e3e931900a199924e08159273579c27266efbb13b1443a598c9fd626f73a681dd12dc7f
SSDEEP

6144:TK3HTNGVvHI2zBHng5HaVsbZgRnyR4mULJhkHM6jI7H1D7puVSC:W3HcVvo21ga0aQ4HLJhkHM6jI7VD7wj

Score

10^/10

blackshades defense_evasion discovery persistence rat

Malware Config

Signatures

Blackshades
Blackshades is a remote access trojan with various capabilities.
rat blackshades
Blackshades family
blackshades

Blackshades payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000024168-10.dat	family_blackshades
behavioral2/memory/2380-38-0x0000000076E20000-0x0000000076F10000-memory.dmp	family_blackshades

Modifies firewall policy service 3 TTPs 10 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\\wingraphic.exe:*:Enabled:Windows Messanger"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\wingraphic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\\wingraphic.exe"	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2DAFDAF-3DA3-9204-900E-D5EFEDCE3CDC}	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2DAFDAF-3DA3-9204-900E-D5EFEDCE3CDC}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\\wingraphic.exe"	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Key created	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A2DAFDAF-3DA3-9204-900E-D5EFEDCE3CDC}	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{A2DAFDAF-3DA3-9204-900E-D5EFEDCE3CDC}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\\wingraphic.exe"	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe

Executes dropped EXE 64 IoCs

pid	Process
3820	wingraphic.exe
4116	wingraphic.exe
5348	wingraphic.exe
5272	wingraphic.exe
2600	wingraphic.exe
5596	wingraphic.exe
1716	wingraphic.exe
5904	wingraphic.exe
672	wingraphic.exe
5580	wingraphic.exe
2780	wingraphic.exe
4784	wingraphic.exe
5060	wingraphic.exe
5012	wingraphic.exe
1576	wingraphic.exe
1668	wingraphic.exe
4856	wingraphic.exe
2988	wingraphic.exe
208	wingraphic.exe
3636	wingraphic.exe
380	wingraphic.exe
540	wingraphic.exe
756	wingraphic.exe
5124	wingraphic.exe
3004	wingraphic.exe
1816	wingraphic.exe
1856	wingraphic.exe
532	wingraphic.exe
3548	wingraphic.exe
3116	wingraphic.exe
5460	wingraphic.exe
5568	wingraphic.exe
5692	wingraphic.exe
5908	wingraphic.exe
712	wingraphic.exe
2264	wingraphic.exe
2592	wingraphic.exe
1828	wingraphic.exe
4708	wingraphic.exe
4892	wingraphic.exe
3380	wingraphic.exe
3620	wingraphic.exe
1992	wingraphic.exe
4272	wingraphic.exe
2784	wingraphic.exe
4048	wingraphic.exe
2800	wingraphic.exe
2332	wingraphic.exe
2444	wingraphic.exe
2240	wingraphic.exe
6092	wingraphic.exe
696	wingraphic.exe
5672	wingraphic.exe
5460	wingraphic.exe
4640	wingraphic.exe
4856	wingraphic.exe
1928	wingraphic.exe
5184	wingraphic.exe
5756	wingraphic.exe
6108	wingraphic.exe
5760	wingraphic.exe
4872	wingraphic.exe
4548	wingraphic.exe
4708	wingraphic.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wingraphic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\\wingraphic.exe"	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wingraphic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\\wingraphic.exe"	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wingraphic.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
3120	reg.exe
3592	reg.exe
4868	reg.exe
5840	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeCreateTokenPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeAssignPrimaryTokenPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeLockMemoryPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeIncreaseQuotaPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeMachineAccountPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeTcbPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeSecurityPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeTakeOwnershipPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeLoadDriverPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeSystemProfilePrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeSystemtimePrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeProfSingleProcessPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeIncBasePriorityPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeCreatePagefilePrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeCreatePermanentPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeBackupPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeRestorePrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeShutdownPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeDebugPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeAuditPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeSystemEnvironmentPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeChangeNotifyPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeRemoteShutdownPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeUndockPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeSyncAgentPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeEnableDelegationPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeManageVolumePrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeImpersonatePrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeCreateGlobalPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: 31	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: 32	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: 33	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: 34	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: 35	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
Token: SeDebugPrivilege	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
4116	wingraphic.exe
3820	wingraphic.exe
4116	wingraphic.exe
3820	wingraphic.exe
5272	wingraphic.exe
5348	wingraphic.exe
5272	wingraphic.exe
5348	wingraphic.exe
2600	wingraphic.exe
2600	wingraphic.exe
5596	wingraphic.exe
5596	wingraphic.exe
5904	wingraphic.exe
1716	wingraphic.exe
5904	wingraphic.exe
1716	wingraphic.exe
672	wingraphic.exe
5580	wingraphic.exe
5580	wingraphic.exe
672	wingraphic.exe
2780	wingraphic.exe
2780	wingraphic.exe
4784	wingraphic.exe
4784	wingraphic.exe
5060	wingraphic.exe
5012	wingraphic.exe
5060	wingraphic.exe
5012	wingraphic.exe
1576	wingraphic.exe
1576	wingraphic.exe
1668	wingraphic.exe
1668	wingraphic.exe
4856	wingraphic.exe
4856	wingraphic.exe
2988	wingraphic.exe
2988	wingraphic.exe
3636	wingraphic.exe
208	wingraphic.exe
3636	wingraphic.exe
208	wingraphic.exe
380	wingraphic.exe
540	wingraphic.exe
380	wingraphic.exe
540	wingraphic.exe
5124	wingraphic.exe
5124	wingraphic.exe
756	wingraphic.exe
756	wingraphic.exe
1816	wingraphic.exe
3004	wingraphic.exe
1816	wingraphic.exe
3004	wingraphic.exe
1856	wingraphic.exe
532	wingraphic.exe
1856	wingraphic.exe
532	wingraphic.exe
3548	wingraphic.exe
3116	wingraphic.exe
3116	wingraphic.exe
3548	wingraphic.exe
5460	wingraphic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 5952	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	87
PID 2380 wrote to memory of 5952	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	87
PID 2380 wrote to memory of 5952	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	87
PID 2380 wrote to memory of 2564	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	88
PID 2380 wrote to memory of 2564	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	88
PID 2380 wrote to memory of 2564	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	88
PID 2380 wrote to memory of 2468	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	89
PID 2380 wrote to memory of 2468	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	89
PID 2380 wrote to memory of 2468	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	89
PID 2380 wrote to memory of 2592	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	90
PID 2380 wrote to memory of 2592	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	90
PID 2380 wrote to memory of 2592	2380	JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe	90
PID 2564 wrote to memory of 3120	2564	cmd.exe	99
PID 2564 wrote to memory of 3120	2564	cmd.exe	99
PID 2564 wrote to memory of 3120	2564	cmd.exe	99
PID 228 wrote to memory of 3820	228	cmd.exe	100
PID 228 wrote to memory of 3820	228	cmd.exe	100
PID 228 wrote to memory of 3820	228	cmd.exe	100
PID 5952 wrote to memory of 3592	5952	cmd.exe	101
PID 5952 wrote to memory of 3592	5952	cmd.exe	101
PID 5952 wrote to memory of 3592	5952	cmd.exe	101
PID 2468 wrote to memory of 4868	2468	cmd.exe	102
PID 2468 wrote to memory of 4868	2468	cmd.exe	102
PID 2468 wrote to memory of 4868	2468	cmd.exe	102
PID 224 wrote to memory of 4116	224	cmd.exe	103
PID 224 wrote to memory of 4116	224	cmd.exe	103
PID 224 wrote to memory of 4116	224	cmd.exe	103
PID 2592 wrote to memory of 5840	2592	cmd.exe	104
PID 2592 wrote to memory of 5840	2592	cmd.exe	104
PID 2592 wrote to memory of 5840	2592	cmd.exe	104
PID 1620 wrote to memory of 5348	1620	cmd.exe	116
PID 1620 wrote to memory of 5348	1620	cmd.exe	116
PID 1620 wrote to memory of 5348	1620	cmd.exe	116
PID 3384 wrote to memory of 5272	3384	cmd.exe	117
PID 3384 wrote to memory of 5272	3384	cmd.exe	117
PID 3384 wrote to memory of 5272	3384	cmd.exe	117
PID 1524 wrote to memory of 2600	1524	cmd.exe	123
PID 1524 wrote to memory of 2600	1524	cmd.exe	123
PID 1524 wrote to memory of 2600	1524	cmd.exe	123
PID 3832 wrote to memory of 5596	3832	cmd.exe	124
PID 3832 wrote to memory of 5596	3832	cmd.exe	124
PID 3832 wrote to memory of 5596	3832	cmd.exe	124
PID 372 wrote to memory of 1716	372	cmd.exe	131
PID 372 wrote to memory of 1716	372	cmd.exe	131
PID 372 wrote to memory of 1716	372	cmd.exe	131
PID 1092 wrote to memory of 5904	1092	cmd.exe	132
PID 1092 wrote to memory of 5904	1092	cmd.exe	132
PID 1092 wrote to memory of 5904	1092	cmd.exe	132
PID 3000 wrote to memory of 672	3000	cmd.exe	137
PID 3000 wrote to memory of 672	3000	cmd.exe	137
PID 3000 wrote to memory of 672	3000	cmd.exe	137
PID 3484 wrote to memory of 5580	3484	cmd.exe	138
PID 3484 wrote to memory of 5580	3484	cmd.exe	138
PID 3484 wrote to memory of 5580	3484	cmd.exe	138
PID 544 wrote to memory of 2780	544	cmd.exe	143
PID 544 wrote to memory of 2780	544	cmd.exe	143
PID 544 wrote to memory of 2780	544	cmd.exe	143
PID 5992 wrote to memory of 4784	5992	cmd.exe	144
PID 5992 wrote to memory of 4784	5992	cmd.exe	144
PID 5992 wrote to memory of 4784	5992	cmd.exe	144
PID 2504 wrote to memory of 5060	2504	cmd.exe	149
PID 2504 wrote to memory of 5060	2504	cmd.exe	149
PID 2504 wrote to memory of 5060	2504	cmd.exe	149
PID 5016 wrote to memory of 5012	5016	cmd.exe	150

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe"
1⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5952
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:3592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe:*:Enabled:Windows Messanger" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_952be0d1dd3dd95b61bcbdcf933edba7.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Modifies firewall policy service
    - Modifies registry key
    PID:4868
- C:\Windows\SysWOW64\cmd.exe
  cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe:*:Enabled:Windows Messanger" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Modifies firewall policy service
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:372
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5992
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5104
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5040
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2712
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2752
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5956
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:3024
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4112
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1832
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2624
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4936
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4916
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:996
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2128
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4000
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4760
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:32
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1660
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:3852
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  PID:5908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:3676
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:732
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:224
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5760
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:3112
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5284
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:932
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1004
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4568
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1580
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1020
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5780
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:6076
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:408
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5600
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2320
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5072
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:636
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  PID:5460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2772
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  PID:5672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5568
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4024
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:3852
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  PID:5184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4508
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:712
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2020
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5252
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2280
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5912
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4312
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4560
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:6116
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  PID:3512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4844
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2888
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2868
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4564
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  PID:3840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1128
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2624
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1924
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:3916
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1424
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  PID:3656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5764
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:2432
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4144
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4348
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:5672
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4804
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:1948
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  PID:2392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
1⤵
PID:4268
- C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe
  2⤵
  PID:5264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\{7B1FE3BD-3AAB-FC9A-ADDD-C2FFDDBD5FBD}\wingraphic.exe

Filesize
420KB

MD5
952be0d1dd3dd95b61bcbdcf933edba7

SHA1
5d2940886752297967a037e30d2408119141209d

SHA256
a611c1bec8d50566e197729e18ceea02a20ddba87edec04cbd0b07138e5c981a

SHA512
412393fc8ae75e4a82da8fc2df2d4335cb24fa072f4e6bec36320b403e3e931900a199924e08159273579c27266efbb13b1443a598c9fd626f73a681dd12dc7f

Download Submit
memory/2380-5-0x0000000076E41000-0x0000000076E42000-memory.dmp

Filesize
4KB

Download
memory/2380-7-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/2380-6-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/2380-35-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download
memory/2380-38-0x0000000076E20000-0x0000000076F10000-memory.dmp

Filesize
960KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads