chinese_generic_botnet | 5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

Analysis

max time kernel
151s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
16-10-2022 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
Size

976KB
MD5

960e271e42a03c8398952411d604effe
SHA1

0edbd4619b2971182567877b6c05033a7782f0e5
SHA256

5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61
SHA512

e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d
SSDEEP

6144:rYC/9GCx9syJZHZ6u8YUphxWHlygHR4f87Re7QeUC5Uxe9siOinsB8g+9:rY6GCxLZj8YUphxWHUgHeCRe7Vbf

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 1 IoCs

botnet

Processes:

resource	yara_rule
behavioral1/memory/1808-68-0x0000000010000000-0x0000000010027000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 35 IoCs

Processes:

Windowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exe

pid	process
772	Windowsfig.exe
1012	Windowsfig.exe
1384	Windowsfig.exe
1364	Windowsfig.exe
1344	Windowsfig.exe
1636	Windowsfig.exe
876	Windowsfig.exe
1480	Windowsfig.exe
1800	Windowsfig.exe
1140	Windowsfig.exe
1328	Windowsfig.exe
916	Windowsfig.exe
1708	Windowsfig.exe
1976	Windowsfig.exe
1556	Windowsfig.exe
856	Windowsfig.exe
992	Windowsfig.exe
1692	Windowsfig.exe
688	Windowsfig.exe
684	Windowsfig.exe
1600	Windowsfig.exe
1672	Windowsfig.exe
972	Windowsfig.exe
1172	Windowsfig.exe
1532	Windowsfig.exe
836	Windowsfig.exe
1120	Windowsfig.exe
1596	Windowsfig.exe
1168	Windowsfig.exe
1292	Windowsfig.exe
1524	Windowsfig.exe
1764	Windowsfig.exe
836	Windowsfig.exe
324	Windowsfig.exe
1140	Windowsfig.exe

Loads dropped DLL 2 IoCs

Processes:

5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe

pid	process
1808	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
1808	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe

description	ioc	process
File opened (read-only)	\??\F:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\G:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\K:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\P:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\T:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\V:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\X:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\I:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\J:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\Q:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\R:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\W:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\O:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\U:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\Y:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\B:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\E:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\H:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\L:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\M:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\N:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\S:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\Z:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe

pid process

1808 5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exe

pid	process
1808	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
772	Windowsfig.exe
1012	Windowsfig.exe
1384	Windowsfig.exe
1364	Windowsfig.exe
1344	Windowsfig.exe
1636	Windowsfig.exe
876	Windowsfig.exe
1480	Windowsfig.exe
1800	Windowsfig.exe
1140	Windowsfig.exe
1328	Windowsfig.exe
916	Windowsfig.exe
1708	Windowsfig.exe
1976	Windowsfig.exe
1556	Windowsfig.exe
856	Windowsfig.exe
992	Windowsfig.exe
688	Windowsfig.exe
684	Windowsfig.exe
1600	Windowsfig.exe
1672	Windowsfig.exe
972	Windowsfig.exe
1172	Windowsfig.exe
1532	Windowsfig.exe
836	Windowsfig.exe
1120	Windowsfig.exe
1596	Windowsfig.exe
1168	Windowsfig.exe
1292	Windowsfig.exe
1524	Windowsfig.exe
1764	Windowsfig.exe
836	Windowsfig.exe
324	Windowsfig.exe
1140	Windowsfig.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exeWindowsfig.exe

description	pid	process	target process
PID 1808 wrote to memory of 772	1808	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	Windowsfig.exe
PID 1808 wrote to memory of 772	1808	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	Windowsfig.exe
PID 1808 wrote to memory of 772	1808	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	Windowsfig.exe
PID 1808 wrote to memory of 772	1808	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	Windowsfig.exe
PID 1808 wrote to memory of 768	1808	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	cmd.exe
PID 1808 wrote to memory of 768	1808	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	cmd.exe
PID 1808 wrote to memory of 768	1808	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	cmd.exe
PID 1808 wrote to memory of 768	1808	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	cmd.exe
PID 772 wrote to memory of 1012	772	Windowsfig.exe	Windowsfig.exe
PID 772 wrote to memory of 1012	772	Windowsfig.exe	Windowsfig.exe
PID 772 wrote to memory of 1012	772	Windowsfig.exe	Windowsfig.exe
PID 772 wrote to memory of 1012	772	Windowsfig.exe	Windowsfig.exe
PID 772 wrote to memory of 1652	772	Windowsfig.exe	cmd.exe
PID 772 wrote to memory of 1652	772	Windowsfig.exe	cmd.exe
PID 772 wrote to memory of 1652	772	Windowsfig.exe	cmd.exe
PID 772 wrote to memory of 1652	772	Windowsfig.exe	cmd.exe
PID 1012 wrote to memory of 1384	1012	Windowsfig.exe	Windowsfig.exe
PID 1012 wrote to memory of 1384	1012	Windowsfig.exe	Windowsfig.exe
PID 1012 wrote to memory of 1384	1012	Windowsfig.exe	Windowsfig.exe
PID 1012 wrote to memory of 1384	1012	Windowsfig.exe	Windowsfig.exe
PID 1012 wrote to memory of 1532	1012	Windowsfig.exe	cmd.exe
PID 1012 wrote to memory of 1532	1012	Windowsfig.exe	cmd.exe
PID 1012 wrote to memory of 1532	1012	Windowsfig.exe	cmd.exe
PID 1012 wrote to memory of 1532	1012	Windowsfig.exe	cmd.exe
PID 1384 wrote to memory of 1364	1384	Windowsfig.exe	Windowsfig.exe
PID 1384 wrote to memory of 1364	1384	Windowsfig.exe	Windowsfig.exe
PID 1384 wrote to memory of 1364	1384	Windowsfig.exe	Windowsfig.exe
PID 1384 wrote to memory of 1364	1384	Windowsfig.exe	Windowsfig.exe
PID 1384 wrote to memory of 1136	1384	Windowsfig.exe	cmd.exe
PID 1384 wrote to memory of 1136	1384	Windowsfig.exe	cmd.exe
PID 1384 wrote to memory of 1136	1384	Windowsfig.exe	cmd.exe
PID 1384 wrote to memory of 1136	1384	Windowsfig.exe	cmd.exe
PID 1364 wrote to memory of 1344	1364	Windowsfig.exe	Windowsfig.exe
PID 1364 wrote to memory of 1344	1364	Windowsfig.exe	Windowsfig.exe
PID 1364 wrote to memory of 1344	1364	Windowsfig.exe	Windowsfig.exe
PID 1364 wrote to memory of 1344	1364	Windowsfig.exe	Windowsfig.exe
PID 1364 wrote to memory of 1880	1364	Windowsfig.exe	cmd.exe
PID 1364 wrote to memory of 1880	1364	Windowsfig.exe	cmd.exe
PID 1364 wrote to memory of 1880	1364	Windowsfig.exe	cmd.exe
PID 1364 wrote to memory of 1880	1364	Windowsfig.exe	cmd.exe
PID 1344 wrote to memory of 1636	1344	Windowsfig.exe	Windowsfig.exe
PID 1344 wrote to memory of 1636	1344	Windowsfig.exe	Windowsfig.exe
PID 1344 wrote to memory of 1636	1344	Windowsfig.exe	Windowsfig.exe
PID 1344 wrote to memory of 1636	1344	Windowsfig.exe	Windowsfig.exe
PID 1344 wrote to memory of 1064	1344	Windowsfig.exe	cmd.exe
PID 1344 wrote to memory of 1064	1344	Windowsfig.exe	cmd.exe
PID 1344 wrote to memory of 1064	1344	Windowsfig.exe	cmd.exe
PID 1344 wrote to memory of 1064	1344	Windowsfig.exe	cmd.exe
PID 1636 wrote to memory of 876	1636	Windowsfig.exe	Windowsfig.exe
PID 1636 wrote to memory of 876	1636	Windowsfig.exe	Windowsfig.exe
PID 1636 wrote to memory of 876	1636	Windowsfig.exe	Windowsfig.exe
PID 1636 wrote to memory of 876	1636	Windowsfig.exe	Windowsfig.exe
PID 1636 wrote to memory of 1284	1636	Windowsfig.exe	cmd.exe
PID 1636 wrote to memory of 1284	1636	Windowsfig.exe	cmd.exe
PID 1636 wrote to memory of 1284	1636	Windowsfig.exe	cmd.exe
PID 1636 wrote to memory of 1284	1636	Windowsfig.exe	cmd.exe
PID 876 wrote to memory of 1480	876	Windowsfig.exe	Windowsfig.exe
PID 876 wrote to memory of 1480	876	Windowsfig.exe	Windowsfig.exe
PID 876 wrote to memory of 1480	876	Windowsfig.exe	Windowsfig.exe
PID 876 wrote to memory of 1480	876	Windowsfig.exe	Windowsfig.exe
PID 876 wrote to memory of 1228	876	Windowsfig.exe	cmd.exe
PID 876 wrote to memory of 1228	876	Windowsfig.exe	cmd.exe
PID 876 wrote to memory of 1228	876	Windowsfig.exe	cmd.exe
PID 876 wrote to memory of 1228	876	Windowsfig.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
"C:\Users\Admin\AppData\Local\Temp\5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1808

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:772

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1012

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1384

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1364

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1636

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1480

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1800

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
11⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1140

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
12⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1328

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
13⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:916

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
14⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1708

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
15⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1976

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
16⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1556

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
17⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:856

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
18⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:992

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
19⤵
- Executes dropped EXE
PID:1692

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
20⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
21⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:684

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
22⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1600

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
23⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1672

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
24⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:972

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
25⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1172

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
26⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1532

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
27⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:836

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
28⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1120

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
29⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
30⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1168

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
31⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1292

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
32⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
33⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1764

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
34⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:836

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
35⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:324

C:\ProgramData\Windowsfig.exe
"C:\ProgramData\Windowsfig.exe"
36⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1140

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
35⤵
PID:1608

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
34⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
33⤵
PID:456

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
32⤵
PID:1576

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
31⤵
PID:536

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
30⤵
PID:1760

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
29⤵
PID:576

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
28⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
27⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
26⤵
PID:600

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
25⤵
PID:596

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
24⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
23⤵
PID:456

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
22⤵
PID:932

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
21⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
20⤵
PID:896

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
19⤵
PID:1764

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
18⤵
PID:1120

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
17⤵
PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
16⤵
PID:688

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
15⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
14⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
13⤵
PID:924

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
12⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
11⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
10⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
9⤵
PID:1228

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
8⤵
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
7⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
6⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
5⤵
PID:1136

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
4⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
3⤵
PID:1652

C:\Windows\SysWOW64\cmd.exe
cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
2⤵
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
3e170464041417402f0bd148c74dcac5

SHA1
761dc158aade35c948ee559394fe73c14c33f930

SHA256
380eafc1217c93e7be3bfcc52d9e0b068ffb3a988f435cbec2932f834da4cdce

SHA512
fc3b2a3b3145d40c3dec7313afa98d88d9df72aac519f2dfd8a95118b4ec1c0daa39ece4cd4b0fba163e6c81c630d1d02ac96bb5d42ad2798a1491d1fa2cad5e

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
a3656cc6b471f55780ab711bd2baad1f

SHA1
2ccde0719f7e3e1a6f785a019380842a8721e841

SHA256
7da8c91efc9ca4222da92901a8c5d034dc62d43fd5c0d01ce82a256b9f3a0700

SHA512
3c1999c111d0e69ceae460ef2bcbf61988a150e1ac9926910c9ebc2c80517b9f1ca943ed268868b3816e288dcf67b731cf7c9439bcd68fb4895055e77f0787ca

Download Submit
C:\ProgramData\Winconfig.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
bf14616b2f3cec7cc3ad0adc41cc3edd

SHA1
ae7751067605379ef3cf4c1b0586a2b02d1a4175

SHA256
068575049400752c36857cbefe2b4d1e519127bdc067e13e93c3f7275d3f0439

SHA512
17b252c3a1ebb56997aad0974f821b1359b7f41f93a4c1b75035c0ecbd41c3851a554ca7e67ad7eaeb7909a86f53cd3b4a38bedff0f4de0d64052eb51242aad8

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
3e170464041417402f0bd148c74dcac5

SHA1
761dc158aade35c948ee559394fe73c14c33f930

SHA256
380eafc1217c93e7be3bfcc52d9e0b068ffb3a988f435cbec2932f834da4cdce

SHA512
fc3b2a3b3145d40c3dec7313afa98d88d9df72aac519f2dfd8a95118b4ec1c0daa39ece4cd4b0fba163e6c81c630d1d02ac96bb5d42ad2798a1491d1fa2cad5e

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
12d384f34fbf200332913d2e283b54c0

SHA1
2558f6cd4e8079b11796190f3a11e69420550a2c

SHA256
4ad3452326fbb1e9c42981fb10dd87cc4312c9b8a0b12988ded5809d89bed09d

SHA512
3e45087fd47091b7deaaf6478c9d3bacf9b1c0abc8ff22b1524502c903ee8b44be5cfdbe0fcd822f696e9921c75acc49230eab5fde050e9b18ce021d2fba3fb7

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe
Filesize
976KB

MD5
3e170464041417402f0bd148c74dcac5

SHA1
761dc158aade35c948ee559394fe73c14c33f930

SHA256
380eafc1217c93e7be3bfcc52d9e0b068ffb3a988f435cbec2932f834da4cdce

SHA512
fc3b2a3b3145d40c3dec7313afa98d88d9df72aac519f2dfd8a95118b4ec1c0daa39ece4cd4b0fba163e6c81c630d1d02ac96bb5d42ad2798a1491d1fa2cad5e

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BG9XQTG0\Windowsfig[1].exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
\ProgramData\Windowsfig.exe
Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
memory/456-331-0x0000000000000000-mapping.dmp

Download
memory/456-244-0x0000000000000000-mapping.dmp

Download
memory/536-316-0x0000000000000000-mapping.dmp

Download
memory/576-298-0x0000000000000000-mapping.dmp

Download
memory/596-262-0x0000000000000000-mapping.dmp

Download
memory/600-271-0x0000000000000000-mapping.dmp

Download
memory/684-222-0x0000000000000000-mapping.dmp

Download
memory/688-189-0x0000000000000000-mapping.dmp

Download
memory/768-63-0x0000000000000000-mapping.dmp

Download
memory/772-253-0x0000000000000000-mapping.dmp

Download
memory/772-57-0x0000000000000000-mapping.dmp

Download
memory/772-338-0x0000000000000000-mapping.dmp

Download
memory/836-272-0x0000000000000000-mapping.dmp

Download
memory/836-332-0x0000000000000000-mapping.dmp

Download
memory/856-190-0x0000000000000000-mapping.dmp

Download
memory/876-109-0x0000000000000000-mapping.dmp

Download
memory/916-154-0x0000000000000000-mapping.dmp

Download
memory/924-162-0x0000000000000000-mapping.dmp

Download
memory/932-235-0x0000000000000000-mapping.dmp

Download
memory/972-245-0x0000000000000000-mapping.dmp

Download
memory/992-199-0x0000000000000000-mapping.dmp

Download
memory/1012-64-0x0000000000000000-mapping.dmp

Download
memory/1064-108-0x0000000000000000-mapping.dmp

Download
memory/1120-281-0x0000000000000000-mapping.dmp

Download
memory/1120-207-0x0000000000000000-mapping.dmp

Download
memory/1136-90-0x0000000000000000-mapping.dmp

Download
memory/1140-136-0x0000000000000000-mapping.dmp

Download
memory/1168-299-0x0000000000000000-mapping.dmp

Download
memory/1172-254-0x0000000000000000-mapping.dmp

Download
memory/1228-126-0x0000000000000000-mapping.dmp

Download
memory/1284-117-0x0000000000000000-mapping.dmp

Download
memory/1292-308-0x0000000000000000-mapping.dmp

Download
memory/1292-171-0x0000000000000000-mapping.dmp

Download
memory/1328-145-0x0000000000000000-mapping.dmp

Download
memory/1344-280-0x0000000000000000-mapping.dmp

Download
memory/1344-91-0x0000000000000000-mapping.dmp

Download
memory/1364-82-0x0000000000000000-mapping.dmp

Download
memory/1372-198-0x0000000000000000-mapping.dmp

Download
memory/1384-73-0x0000000000000000-mapping.dmp

Download
memory/1480-118-0x0000000000000000-mapping.dmp

Download
memory/1524-317-0x0000000000000000-mapping.dmp

Download
memory/1524-180-0x0000000000000000-mapping.dmp

Download
memory/1532-263-0x0000000000000000-mapping.dmp

Download
memory/1532-81-0x0000000000000000-mapping.dmp

Download
memory/1556-181-0x0000000000000000-mapping.dmp

Download
memory/1576-324-0x0000000000000000-mapping.dmp

Download
memory/1580-144-0x0000000000000000-mapping.dmp

Download
memory/1596-290-0x0000000000000000-mapping.dmp

Download
memory/1600-227-0x0000000000000000-mapping.dmp

Download
memory/1624-289-0x0000000000000000-mapping.dmp

Download
memory/1636-100-0x0000000000000000-mapping.dmp

Download
memory/1652-72-0x0000000000000000-mapping.dmp

Download
memory/1672-236-0x0000000000000000-mapping.dmp

Download
memory/1692-208-0x0000000000000000-mapping.dmp

Download
memory/1708-163-0x0000000000000000-mapping.dmp

Download
memory/1760-307-0x0000000000000000-mapping.dmp

Download
memory/1764-325-0x0000000000000000-mapping.dmp

Download
memory/1764-214-0x0000000000000000-mapping.dmp

Download
memory/1792-226-0x0000000000000000-mapping.dmp

Download
memory/1800-127-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1808-68-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download
memory/1844-135-0x0000000000000000-mapping.dmp

Download
memory/1880-99-0x0000000000000000-mapping.dmp

Download
memory/1976-172-0x0000000000000000-mapping.dmp

Download
memory/2044-153-0x0000000000000000-mapping.dmp

Download