chinese_generic_botnet | 3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2022, 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440.exe
Size

3.4MB
MD5

d9f897cefc1b3a353fadffc3929a7edf
SHA1

bf640502544049b5bf7dfb8904ceb28a4cde2cff
SHA256

3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440
SHA512

67a4077090c8cebdadd3031ab496ad115f4f4a878f26db77362947940fa4628f47745921f5f30510cca182bc5c689c7eab461b90bc035f0a26cbf94595aae30c
SSDEEP

49152:q7lJVUUHd1wDhlMWmBU0iXYlyY4nT20kdCMNDR9QtBnADEJSIibvw+:q7lJVfgDhlMWmBU0VQ9KHIu0vKEJMw+

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 3 IoCs

botnet

resource	yara_rule
behavioral2/memory/4204-140-0x0000000010000000-0x0000000010027000-memory.dmp	unk_chinese_botnet
behavioral2/memory/4748-148-0x0000000010000000-0x0000000010027000-memory.dmp	unk_chinese_botnet
behavioral2/memory/2600-156-0x0000000010000000-0x0000000010027000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 40 IoCs

pid	Process
4748	Windowsfig.exe
2600	Windowsfig.exe
4704	Windowsfig.exe
4236	Windowsfig.exe
1764	Windowsfig.exe
3056	Windowsfig.exe
2496	Windowsfig.exe
3464	Windowsfig.exe
1400	Windowsfig.exe
4468	Windowsfig.exe
2888	Windowsfig.exe
212	Windowsfig.exe
4680	Windowsfig.exe
604	Windowsfig.exe
1320	Windowsfig.exe
4192	Windowsfig.exe
4648	Windowsfig.exe
2676	Windowsfig.exe
3976	Windowsfig.exe
3000	Windowsfig.exe
4496	Windowsfig.exe
4652	Windowsfig.exe
1020	Windowsfig.exe
4932	Windowsfig.exe
3768	Windowsfig.exe
2576	Windowsfig.exe
1740	Windowsfig.exe
3428	Windowsfig.exe
3900	Windowsfig.exe
3440	Windowsfig.exe
2220	Windowsfig.exe
608	Windowsfig.exe
1596	Windowsfig.exe
1516	Windowsfig.exe
1676	Windowsfig.exe
1480	Windowsfig.exe
1900	Windowsfig.exe
2388	Windowsfig.exe
1344	Windowsfig.exe
1048	Windowsfig.exe

Checks computer location settings 2 TTPs 40 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Windowsfig.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	Windowsfig.exe
File opened (read-only)	\??\M:	Windowsfig.exe
File opened (read-only)	\??\R:	Windowsfig.exe
File opened (read-only)	\??\B:	Windowsfig.exe
File opened (read-only)	\??\N:	Windowsfig.exe
File opened (read-only)	\??\T:	Windowsfig.exe
File opened (read-only)	\??\U:	Windowsfig.exe
File opened (read-only)	\??\X:	Windowsfig.exe
File opened (read-only)	\??\Z:	Windowsfig.exe
File opened (read-only)	\??\E:	Windowsfig.exe
File opened (read-only)	\??\Q:	Windowsfig.exe
File opened (read-only)	\??\S:	Windowsfig.exe
File opened (read-only)	\??\W:	Windowsfig.exe
File opened (read-only)	\??\O:	Windowsfig.exe
File opened (read-only)	\??\P:	Windowsfig.exe
File opened (read-only)	\??\F:	Windowsfig.exe
File opened (read-only)	\??\G:	Windowsfig.exe
File opened (read-only)	\??\I:	Windowsfig.exe
File opened (read-only)	\??\J:	Windowsfig.exe
File opened (read-only)	\??\K:	Windowsfig.exe
File opened (read-only)	\??\L:	Windowsfig.exe
File opened (read-only)	\??\V:	Windowsfig.exe
File opened (read-only)	\??\Y:	Windowsfig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Windowsfig.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Windowsfig.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4748	Windowsfig.exe
4748	Windowsfig.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
4204	3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440.exe
4748	Windowsfig.exe
2600	Windowsfig.exe
4704	Windowsfig.exe
4236	Windowsfig.exe
1764	Windowsfig.exe
3056	Windowsfig.exe
2496	Windowsfig.exe
3464	Windowsfig.exe
1400	Windowsfig.exe
4468	Windowsfig.exe
2888	Windowsfig.exe
212	Windowsfig.exe
4680	Windowsfig.exe
604	Windowsfig.exe
1320	Windowsfig.exe
4192	Windowsfig.exe
4648	Windowsfig.exe
2676	Windowsfig.exe
3976	Windowsfig.exe
3000	Windowsfig.exe
4496	Windowsfig.exe
4652	Windowsfig.exe
1020	Windowsfig.exe
4932	Windowsfig.exe
3768	Windowsfig.exe
2576	Windowsfig.exe
1740	Windowsfig.exe
3428	Windowsfig.exe
3900	Windowsfig.exe
3440	Windowsfig.exe
2220	Windowsfig.exe
608	Windowsfig.exe
1596	Windowsfig.exe
1516	Windowsfig.exe
1676	Windowsfig.exe
1480	Windowsfig.exe
1900	Windowsfig.exe
2388	Windowsfig.exe
1344	Windowsfig.exe
1048	Windowsfig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4748	4204	3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440.exe	83
PID 4204 wrote to memory of 4748	4204	3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440.exe	83
PID 4204 wrote to memory of 4748	4204	3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440.exe	83
PID 4204 wrote to memory of 532	4204	3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440.exe	86
PID 4204 wrote to memory of 532	4204	3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440.exe	86
PID 4204 wrote to memory of 532	4204	3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440.exe	86
PID 4748 wrote to memory of 2600	4748	Windowsfig.exe	88
PID 4748 wrote to memory of 2600	4748	Windowsfig.exe	88
PID 4748 wrote to memory of 2600	4748	Windowsfig.exe	88
PID 4748 wrote to memory of 4516	4748	Windowsfig.exe	90
PID 4748 wrote to memory of 4516	4748	Windowsfig.exe	90
PID 4748 wrote to memory of 4516	4748	Windowsfig.exe	90
PID 2600 wrote to memory of 4704	2600	Windowsfig.exe	93
PID 2600 wrote to memory of 4704	2600	Windowsfig.exe	93
PID 2600 wrote to memory of 4704	2600	Windowsfig.exe	93
PID 2600 wrote to memory of 1432	2600	Windowsfig.exe	94
PID 2600 wrote to memory of 1432	2600	Windowsfig.exe	94
PID 2600 wrote to memory of 1432	2600	Windowsfig.exe	94
PID 4704 wrote to memory of 4236	4704	Windowsfig.exe	97
PID 4704 wrote to memory of 4236	4704	Windowsfig.exe	97
PID 4704 wrote to memory of 4236	4704	Windowsfig.exe	97
PID 4704 wrote to memory of 1304	4704	Windowsfig.exe	98
PID 4704 wrote to memory of 1304	4704	Windowsfig.exe	98
PID 4704 wrote to memory of 1304	4704	Windowsfig.exe	98
PID 4236 wrote to memory of 1764	4236	Windowsfig.exe	100
PID 4236 wrote to memory of 1764	4236	Windowsfig.exe	100
PID 4236 wrote to memory of 1764	4236	Windowsfig.exe	100
PID 4236 wrote to memory of 2460	4236	Windowsfig.exe	101
PID 4236 wrote to memory of 2460	4236	Windowsfig.exe	101
PID 4236 wrote to memory of 2460	4236	Windowsfig.exe	101
PID 1764 wrote to memory of 3056	1764	Windowsfig.exe	103
PID 1764 wrote to memory of 3056	1764	Windowsfig.exe	103
PID 1764 wrote to memory of 3056	1764	Windowsfig.exe	103
PID 1764 wrote to memory of 4140	1764	Windowsfig.exe	104
PID 1764 wrote to memory of 4140	1764	Windowsfig.exe	104
PID 1764 wrote to memory of 4140	1764	Windowsfig.exe	104
PID 3056 wrote to memory of 2496	3056	Windowsfig.exe	106
PID 3056 wrote to memory of 2496	3056	Windowsfig.exe	106
PID 3056 wrote to memory of 2496	3056	Windowsfig.exe	106
PID 3056 wrote to memory of 2752	3056	Windowsfig.exe	107
PID 3056 wrote to memory of 2752	3056	Windowsfig.exe	107
PID 3056 wrote to memory of 2752	3056	Windowsfig.exe	107
PID 2496 wrote to memory of 3464	2496	Windowsfig.exe	109
PID 2496 wrote to memory of 3464	2496	Windowsfig.exe	109
PID 2496 wrote to memory of 3464	2496	Windowsfig.exe	109
PID 2496 wrote to memory of 2392	2496	Windowsfig.exe	110
PID 2496 wrote to memory of 2392	2496	Windowsfig.exe	110
PID 2496 wrote to memory of 2392	2496	Windowsfig.exe	110
PID 3464 wrote to memory of 1400	3464	Windowsfig.exe	112
PID 3464 wrote to memory of 1400	3464	Windowsfig.exe	112
PID 3464 wrote to memory of 1400	3464	Windowsfig.exe	112
PID 3464 wrote to memory of 5052	3464	Windowsfig.exe	113
PID 3464 wrote to memory of 5052	3464	Windowsfig.exe	113
PID 3464 wrote to memory of 5052	3464	Windowsfig.exe	113
PID 1400 wrote to memory of 4468	1400	Windowsfig.exe	115
PID 1400 wrote to memory of 4468	1400	Windowsfig.exe	115
PID 1400 wrote to memory of 4468	1400	Windowsfig.exe	115
PID 1400 wrote to memory of 3236	1400	Windowsfig.exe	116
PID 1400 wrote to memory of 3236	1400	Windowsfig.exe	116
PID 1400 wrote to memory of 3236	1400	Windowsfig.exe	116
PID 4468 wrote to memory of 2888	4468	Windowsfig.exe	118
PID 4468 wrote to memory of 2888	4468	Windowsfig.exe	118
PID 4468 wrote to memory of 2888	4468	Windowsfig.exe	118
PID 4468 wrote to memory of 4088	4468	Windowsfig.exe	119

C:\Users\Admin\AppData\Local\Temp\3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440.exe
"C:\Users\Admin\AppData\Local\Temp\3678158c73850cefbb39893957b895827f5c30d7b03ec20010b91d7ddb433440.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4204
- C:\ProgramData\Windowsfig.exe
  "C:\ProgramData\Windowsfig.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Enumerates connected drives
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\ProgramData\Windowsfig.exe
    "C:\ProgramData\Windowsfig.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\ProgramData\Windowsfig.exe
      "C:\ProgramData\Windowsfig.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2888
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:212
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4680
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:604
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4192
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4648
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3976
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4496
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4652
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1020
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        25⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4932
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3768
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        27⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2576
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        28⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        29⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3428
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        30⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3900
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        31⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3440
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        32⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        33⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:608
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        34⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1596
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        35⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1516
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        36⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        37⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        38⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1900
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        39⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        40⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1344
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        40⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        39⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        38⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        37⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        36⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        35⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        34⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        33⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        32⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        31⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        30⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        29⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        28⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        27⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        26⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        25⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        24⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        23⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        22⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        21⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        20⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        19⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        18⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        17⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        16⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        15⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        14⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        13⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        12⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        11⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        10⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        9⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        8⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        7⤵
        
        PID:4140
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        6⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        5⤵
        
        PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
      4⤵
      PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
    3⤵
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
  2⤵
  PID:532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
3e170464041417402f0bd148c74dcac5

SHA1
761dc158aade35c948ee559394fe73c14c33f930

SHA256
380eafc1217c93e7be3bfcc52d9e0b068ffb3a988f435cbec2932f834da4cdce

SHA512
fc3b2a3b3145d40c3dec7313afa98d88d9df72aac519f2dfd8a95118b4ec1c0daa39ece4cd4b0fba163e6c81c630d1d02ac96bb5d42ad2798a1491d1fa2cad5e

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DUHIRKGY\Windowsfig[1].exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
memory/2600-156-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download
memory/4204-140-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download
memory/4748-148-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download