chinese_generic_botnet | 5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2022 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
Size

976KB
MD5

960e271e42a03c8398952411d604effe
SHA1

0edbd4619b2971182567877b6c05033a7782f0e5
SHA256

5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61
SHA512

e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d
SSDEEP

6144:rYC/9GCx9syJZHZ6u8YUphxWHlygHR4f87Re7QeUC5Uxe9siOinsB8g+9:rY6GCxLZj8YUphxWHUgHeCRe7Vbf

Score

10^/10

chinese_generic_botnet botnet

Malware Config

Signatures

Generic Chinese Botnet
A botnet originating from China which is currently unnamed publicly.
botnet chinese_generic_botnet

Chinese Botnet payload 2 IoCs

botnet

resource	yara_rule
behavioral2/memory/4876-141-0x0000000010000000-0x0000000010027000-memory.dmp	unk_chinese_botnet
behavioral2/memory/1764-157-0x0000000010000000-0x0000000010027000-memory.dmp	unk_chinese_botnet

Downloads MZ/PE file

Executes dropped EXE 42 IoCs

pid	Process
312	Windowsfig.exe
1764	Windowsfig.exe
4204	Windowsfig.exe
4676	Windowsfig.exe
4388	Windowsfig.exe
1476	Windowsfig.exe
3668	Windowsfig.exe
1328	Windowsfig.exe
3820	Windowsfig.exe
628	Windowsfig.exe
4332	Windowsfig.exe
4324	Windowsfig.exe
3804	Windowsfig.exe
4392	Windowsfig.exe
2952	Windowsfig.exe
4584	Windowsfig.exe
1672	Windowsfig.exe
2308	Windowsfig.exe
2708	Windowsfig.exe
1352	Windowsfig.exe
3484	Windowsfig.exe
372	Windowsfig.exe
1512	Windowsfig.exe
3548	Windowsfig.exe
440	Windowsfig.exe
4888	Windowsfig.exe
3024	Windowsfig.exe
3660	Windowsfig.exe
3260	Windowsfig.exe
5068	Windowsfig.exe
3444	Windowsfig.exe
3404	Windowsfig.exe
3788	Windowsfig.exe
2412	Windowsfig.exe
1988	Windowsfig.exe
2268	Windowsfig.exe
3324	Windowsfig.exe
3940	Windowsfig.exe
2264	Windowsfig.exe
4516	Windowsfig.exe
2332	Windowsfig.exe
4856	Windowsfig.exe

Checks computer location settings 2 TTPs 42 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Windowsfig.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\G:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\H:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\U:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\X:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\Y:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\B:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\F:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\Q:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\S:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\I:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\N:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\P:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\R:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\V:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\Z:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\J:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\K:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\L:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\M:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\O:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\T:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
File opened (read-only)	\??\W:	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4876	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
4876	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
4876	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
312	Windowsfig.exe
1764	Windowsfig.exe
4204	Windowsfig.exe
4676	Windowsfig.exe
4388	Windowsfig.exe
1476	Windowsfig.exe
3668	Windowsfig.exe
1328	Windowsfig.exe
3820	Windowsfig.exe
628	Windowsfig.exe
4332	Windowsfig.exe
4324	Windowsfig.exe
3804	Windowsfig.exe
4392	Windowsfig.exe
2952	Windowsfig.exe
4584	Windowsfig.exe
1672	Windowsfig.exe
2308	Windowsfig.exe
2708	Windowsfig.exe
1352	Windowsfig.exe
3484	Windowsfig.exe
372	Windowsfig.exe
1512	Windowsfig.exe
3548	Windowsfig.exe
440	Windowsfig.exe
4888	Windowsfig.exe
3024	Windowsfig.exe
3660	Windowsfig.exe
3260	Windowsfig.exe
5068	Windowsfig.exe
3444	Windowsfig.exe
3404	Windowsfig.exe
3788	Windowsfig.exe
2412	Windowsfig.exe
1988	Windowsfig.exe
2268	Windowsfig.exe
3324	Windowsfig.exe
3940	Windowsfig.exe
2264	Windowsfig.exe
4516	Windowsfig.exe
2332	Windowsfig.exe
4856	Windowsfig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 312	4876	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	88
PID 4876 wrote to memory of 312	4876	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	88
PID 4876 wrote to memory of 312	4876	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	88
PID 4876 wrote to memory of 4328	4876	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	89
PID 4876 wrote to memory of 4328	4876	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	89
PID 4876 wrote to memory of 4328	4876	5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe	89
PID 312 wrote to memory of 1764	312	Windowsfig.exe	91
PID 312 wrote to memory of 1764	312	Windowsfig.exe	91
PID 312 wrote to memory of 1764	312	Windowsfig.exe	91
PID 312 wrote to memory of 4368	312	Windowsfig.exe	92
PID 312 wrote to memory of 4368	312	Windowsfig.exe	92
PID 312 wrote to memory of 4368	312	Windowsfig.exe	92
PID 1764 wrote to memory of 4204	1764	Windowsfig.exe	94
PID 1764 wrote to memory of 4204	1764	Windowsfig.exe	94
PID 1764 wrote to memory of 4204	1764	Windowsfig.exe	94
PID 1764 wrote to memory of 3096	1764	Windowsfig.exe	95
PID 1764 wrote to memory of 3096	1764	Windowsfig.exe	95
PID 1764 wrote to memory of 3096	1764	Windowsfig.exe	95
PID 4204 wrote to memory of 4676	4204	Windowsfig.exe	97
PID 4204 wrote to memory of 4676	4204	Windowsfig.exe	97
PID 4204 wrote to memory of 4676	4204	Windowsfig.exe	97
PID 4204 wrote to memory of 4816	4204	Windowsfig.exe	98
PID 4204 wrote to memory of 4816	4204	Windowsfig.exe	98
PID 4204 wrote to memory of 4816	4204	Windowsfig.exe	98
PID 4676 wrote to memory of 4388	4676	Windowsfig.exe	100
PID 4676 wrote to memory of 4388	4676	Windowsfig.exe	100
PID 4676 wrote to memory of 4388	4676	Windowsfig.exe	100
PID 4676 wrote to memory of 1760	4676	Windowsfig.exe	101
PID 4676 wrote to memory of 1760	4676	Windowsfig.exe	101
PID 4676 wrote to memory of 1760	4676	Windowsfig.exe	101
PID 4388 wrote to memory of 1476	4388	Windowsfig.exe	103
PID 4388 wrote to memory of 1476	4388	Windowsfig.exe	103
PID 4388 wrote to memory of 1476	4388	Windowsfig.exe	103
PID 4388 wrote to memory of 4320	4388	Windowsfig.exe	105
PID 4388 wrote to memory of 4320	4388	Windowsfig.exe	105
PID 4388 wrote to memory of 4320	4388	Windowsfig.exe	105
PID 1476 wrote to memory of 3668	1476	Windowsfig.exe	107
PID 1476 wrote to memory of 3668	1476	Windowsfig.exe	107
PID 1476 wrote to memory of 3668	1476	Windowsfig.exe	107
PID 1476 wrote to memory of 5028	1476	Windowsfig.exe	108
PID 1476 wrote to memory of 5028	1476	Windowsfig.exe	108
PID 1476 wrote to memory of 5028	1476	Windowsfig.exe	108
PID 3668 wrote to memory of 1328	3668	Windowsfig.exe	110
PID 3668 wrote to memory of 1328	3668	Windowsfig.exe	110
PID 3668 wrote to memory of 1328	3668	Windowsfig.exe	110
PID 3668 wrote to memory of 4968	3668	Windowsfig.exe	111
PID 3668 wrote to memory of 4968	3668	Windowsfig.exe	111
PID 3668 wrote to memory of 4968	3668	Windowsfig.exe	111
PID 1328 wrote to memory of 3820	1328	Windowsfig.exe	113
PID 1328 wrote to memory of 3820	1328	Windowsfig.exe	113
PID 1328 wrote to memory of 3820	1328	Windowsfig.exe	113
PID 1328 wrote to memory of 1888	1328	Windowsfig.exe	114
PID 1328 wrote to memory of 1888	1328	Windowsfig.exe	114
PID 1328 wrote to memory of 1888	1328	Windowsfig.exe	114
PID 3820 wrote to memory of 628	3820	Windowsfig.exe	116
PID 3820 wrote to memory of 628	3820	Windowsfig.exe	116
PID 3820 wrote to memory of 628	3820	Windowsfig.exe	116
PID 3820 wrote to memory of 424	3820	Windowsfig.exe	117
PID 3820 wrote to memory of 424	3820	Windowsfig.exe	117
PID 3820 wrote to memory of 424	3820	Windowsfig.exe	117
PID 628 wrote to memory of 4332	628	Windowsfig.exe	119
PID 628 wrote to memory of 4332	628	Windowsfig.exe	119
PID 628 wrote to memory of 4332	628	Windowsfig.exe	119
PID 628 wrote to memory of 3312	628	Windowsfig.exe	120

C:\Users\Admin\AppData\Local\Temp\5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe
"C:\Users\Admin\AppData\Local\Temp\5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61.exe"
1⤵
- Checks computer location settings
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4876
- C:\ProgramData\Windowsfig.exe
  "C:\ProgramData\Windowsfig.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:312
- - C:\ProgramData\Windowsfig.exe
    "C:\ProgramData\Windowsfig.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\ProgramData\Windowsfig.exe
      "C:\ProgramData\Windowsfig.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4332
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3804
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4392
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2952
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4584
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1672
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2308
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1352
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3484
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:372
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1512
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        25⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3548
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:440
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        27⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4888
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        28⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3024
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        29⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3660
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        30⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3260
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        31⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:5068
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        32⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3444
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        33⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3404
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        34⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3788
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        35⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2412
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        36⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:1988
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        37⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2268
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        38⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3324
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        39⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:3940
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        40⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2264
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        41⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:4516
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        42⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        
        PID:2332
        
        C:\ProgramData\Windowsfig.exe
        
        "C:\ProgramData\Windowsfig.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        42⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        41⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        40⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        39⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        38⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        37⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        36⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        35⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        34⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        33⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        32⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        31⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        30⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        29⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        28⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        27⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        26⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        25⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        24⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        23⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        22⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        21⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        20⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        19⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        18⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        17⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        16⤵
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        15⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        14⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        13⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        12⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        11⤵
        
        PID:424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        10⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        9⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        8⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        7⤵
        
        PID:4320
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        6⤵
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
        5⤵
        
        PID:4816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
      4⤵
      PID:3096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
    3⤵
    PID:4368
- C:\Windows\SysWOW64\cmd.exe
  cmd /C "del /F /S /Q /A C:\ProgramData\Windowsfig.exe"
  2⤵
  PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Winconfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\ProgramData\Windowsfig.exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PREIF6EH\Windowsfig[1].exe

Filesize
976KB

MD5
960e271e42a03c8398952411d604effe

SHA1
0edbd4619b2971182567877b6c05033a7782f0e5

SHA256
5bfd4c0a1a312e001c0aad5bd7a15bfb815d91461ebe15c813723c3b9f380e61

SHA512
e5c604eacdd8d9f2d75a09ac61d498780cdeb25764c9dfbf7249bbf130563be670575cd6746c00f246d04a81b54865ff8fe2a6b1c5ca6c7ba2ab5dd7102dc30d

Download Submit
memory/1764-157-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download
memory/4876-141-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download