Analysis
-
max time kernel
150s -
max time network
176s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
03-12-2022 04:46
General
-
Target
cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840.exe
-
Size
543KB
-
MD5
96c7d1e48dc8c187d14614fcfcc4539f
-
SHA1
bb561c67ec5e79391986661244d5ea295576c2cd
-
SHA256
cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
-
SHA512
442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
SSDEEP
12288:cXEA70jUjmjPqVK+fACmOrOhJjSwf5Y+lAsMn:NVjPML4CmOrOuo5DAs
Malware Config
Signatures
-
Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
-
Modifies WinLogon for persistence 2 TTPs 59 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 50 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 59 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Drops file in System32 directory 64 IoCs
-
Suspicious use of SetThreadContext 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 59 IoCs
-
Modifies Internet Explorer settings 1 TTPs 39 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 20 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840.exe"C:\Users\Admin\AppData\Local\Temp\cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840.exe"C:\Users\Admin\AppData\Local\Temp\cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840.exe"2⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=explorer.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.06⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:275457 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:603139 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:3290120 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:3290129 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1276 CREDAT:668692 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"7⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"7⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"8⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"9⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"9⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"9⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"10⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"11⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"11⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=explorer.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.012⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"11⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"12⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"13⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"13⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"13⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"14⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"15⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"15⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"15⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"16⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"17⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"17⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"17⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"18⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"19⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"19⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"19⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"20⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"21⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"21⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"21⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"22⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"23⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"23⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"23⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"24⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"25⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"25⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"25⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"26⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"27⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"27⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"27⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"28⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"29⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"29⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"29⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"30⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"31⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"31⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"31⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"32⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"33⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"33⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"34⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"35⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"35⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"35⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"36⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"37⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"37⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"38⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"39⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"39⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"39⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"40⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"41⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"41⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"42⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"43⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"43⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"44⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"45⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"45⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"45⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"46⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"47⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"47⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"47⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"48⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"49⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"49⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"49⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"50⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"51⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"51⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"51⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"52⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"53⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"53⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"53⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"54⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"55⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"55⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"55⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"56⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"57⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"57⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"57⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"58⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"59⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"59⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"59⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"60⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"61⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"61⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"61⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"62⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"63⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"63⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"63⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"64⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"65⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"65⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"65⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"66⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"67⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"67⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"67⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"68⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"69⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"69⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"69⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"70⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"71⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"71⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"71⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"72⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"73⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"73⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"73⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"74⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"75⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"75⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"75⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"76⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"77⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"77⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"77⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"78⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"79⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"79⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"79⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"80⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"81⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"81⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"81⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"82⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"83⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"83⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"83⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"84⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"85⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"85⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"85⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"86⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"87⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"87⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"87⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"88⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"89⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"89⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"89⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"90⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"91⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"91⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"91⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"92⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"93⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"93⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"93⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"94⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"95⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"95⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"95⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"96⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"97⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"97⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"97⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"98⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"99⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"99⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"99⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"100⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"101⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"101⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"101⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"102⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"103⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"103⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"103⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"104⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"105⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"105⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"105⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"106⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"107⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"107⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"107⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"108⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"109⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"109⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"109⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"110⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"111⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"111⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"111⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"112⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"113⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"113⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"113⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"114⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"115⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"115⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"115⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"116⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"117⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"117⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\system32\winlogon.exe"117⤵
-
C:\Windows\SysWOW64\winlogon.exe"C:\Windows\SysWOW64\winlogon.exe"118⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"C:\Users\Admin\AppData\Local\Temp\CSGO.EXE"119⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
C:\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
C:\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Users\Admin\AppData\Local\Temp\CSGO.EXEFilesize
74KB
MD53807bb9af3e33923af05eefd1c3f7836
SHA19c94c98027eeaa175dae186995a06ee94d234b1b
SHA2566d4904e3d0a17c9f04ce3929b37cb010f510818decdd82288a3874af358db6ee
SHA51252da18ef33f5a806d5ee702ca3522978d942b075a013cb2a368d58f55e78d3aed03d316b2324eaadac7a3b1705bdab7cf2d90b0019a5ffa045a20387a2497e84
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
\Windows\SysWOW64\winlogon.exeFilesize
543KB
MD596c7d1e48dc8c187d14614fcfcc4539f
SHA1bb561c67ec5e79391986661244d5ea295576c2cd
SHA256cc6a4024deaf0dfe208fdd40e7280ded9927436b69b0ef81f478d4662818b840
SHA512442c3c40cfec89bb5b2761e6caf566a61355e3c96954fde1aa7b46b36b382f93d0a17056129c844d126de5023acabf475b0457ef56e8ceb473de41a1d74f8a1d
-
memory/564-107-0x0000000000000000-mapping.dmp
-
memory/564-231-0x0000000071F00000-0x00000000724AB000-memory.dmpFilesize
5.7MB
-
memory/564-115-0x0000000072BE0000-0x000000007318B000-memory.dmpFilesize
5.7MB
-
memory/564-223-0x0000000000000000-mapping.dmp
-
memory/612-203-0x0000000071D10000-0x00000000722BB000-memory.dmpFilesize
5.7MB
-
memory/612-197-0x0000000071D10000-0x00000000722BB000-memory.dmpFilesize
5.7MB
-
memory/612-193-0x0000000000000000-mapping.dmp
-
memory/804-243-0x0000000022409A1E-mapping.dmp
-
memory/828-293-0x0000000000000000-mapping.dmp
-
memory/912-73-0x00000000223F0000-0x000000002247E000-memory.dmpFilesize
568KB
-
memory/912-68-0x00000000223F0000-0x000000002247E000-memory.dmpFilesize
568KB
-
memory/912-75-0x00000000223F0000-0x000000002247E000-memory.dmpFilesize
568KB
-
memory/912-70-0x00000000223F0000-0x000000002247E000-memory.dmpFilesize
568KB
-
memory/912-71-0x0000000022409A1E-mapping.dmp
-
memory/932-298-0x0000000022409A1E-mapping.dmp
-
memory/960-65-0x0000000000000000-mapping.dmp
-
memory/1000-94-0x0000000000000000-mapping.dmp
-
memory/1008-239-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1008-266-0x0000000000000000-mapping.dmp
-
memory/1008-253-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1008-228-0x00000000004C5290-mapping.dmp
-
memory/1020-181-0x0000000000000000-mapping.dmp
-
memory/1028-211-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1028-225-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1028-199-0x00000000004C5290-mapping.dmp
-
memory/1040-186-0x0000000022409A1E-mapping.dmp
-
memory/1104-153-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1104-146-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1104-87-0x0000000073420000-0x00000000739CB000-memory.dmpFilesize
5.7MB
-
memory/1104-141-0x00000000004C5290-mapping.dmp
-
memory/1104-167-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1104-78-0x0000000000000000-mapping.dmp
-
memory/1104-147-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1284-119-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1284-112-0x00000000004C5290-mapping.dmp
-
memory/1284-118-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1284-124-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1284-138-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1288-100-0x0000000022409A1E-mapping.dmp
-
memory/1344-157-0x0000000022409A1E-mapping.dmp
-
memory/1364-272-0x0000000022409A1E-mapping.dmp
-
memory/1380-446-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1380-436-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1380-429-0x00000000004C5290-mapping.dmp
-
memory/1428-54-0x0000000076261000-0x0000000076263000-memory.dmpFilesize
8KB
-
memory/1428-59-0x0000000074C00000-0x00000000751AB000-memory.dmpFilesize
5.7MB
-
memory/1428-55-0x0000000074C00000-0x00000000751AB000-memory.dmpFilesize
5.7MB
-
memory/1556-209-0x0000000000000000-mapping.dmp
-
memory/1576-215-0x0000000022409A1E-mapping.dmp
-
memory/1584-61-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1584-58-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1584-81-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1584-62-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1584-56-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1584-57-0x00000000004C5290-mapping.dmp
-
memory/1584-67-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1592-89-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1592-110-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1592-84-0x00000000004C5290-mapping.dmp
-
memory/1592-90-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1592-96-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1600-237-0x0000000000000000-mapping.dmp
-
memory/1624-122-0x0000000000000000-mapping.dmp
-
memory/1636-262-0x0000000071A00000-0x0000000071FAB000-memory.dmpFilesize
5.7MB
-
memory/1636-259-0x0000000071A00000-0x0000000071FAB000-memory.dmpFilesize
5.7MB
-
memory/1636-248-0x0000000000000000-mapping.dmp
-
memory/1732-255-0x00000000004C5290-mapping.dmp
-
memory/1732-171-0x00000000004C5290-mapping.dmp
-
memory/1732-268-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1732-175-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1732-195-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1732-176-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1732-281-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1732-178-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1784-284-0x00000000004C5290-mapping.dmp
-
memory/1784-400-0x0000000022409A1E-mapping.dmp
-
memory/1784-294-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1784-304-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/1812-128-0x0000000022409A1E-mapping.dmp
-
memory/1828-151-0x0000000000000000-mapping.dmp
-
memory/1936-165-0x0000000000000000-mapping.dmp
-
memory/1936-177-0x0000000071950000-0x0000000071EFB000-memory.dmpFilesize
5.7MB
-
memory/1960-288-0x0000000071450000-0x00000000719FB000-memory.dmpFilesize
5.7MB
-
memory/1960-279-0x0000000000000000-mapping.dmp
-
memory/2028-396-0x0000000000000000-mapping.dmp
-
memory/2036-148-0x0000000071F00000-0x00000000724AB000-memory.dmpFilesize
5.7MB
-
memory/2036-136-0x0000000000000000-mapping.dmp
-
memory/2036-145-0x0000000071F00000-0x00000000724AB000-memory.dmpFilesize
5.7MB
-
memory/2064-414-0x0000000071A00000-0x0000000071FAB000-memory.dmpFilesize
5.7MB
-
memory/2064-406-0x0000000000000000-mapping.dmp
-
memory/2064-310-0x00000000719C0000-0x0000000071F6B000-memory.dmpFilesize
5.7MB
-
memory/2064-303-0x0000000000000000-mapping.dmp
-
memory/2084-495-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2084-487-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2100-319-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2100-307-0x00000000004C5290-mapping.dmp
-
memory/2180-313-0x0000000000000000-mapping.dmp
-
memory/2192-317-0x0000000022409A1E-mapping.dmp
-
memory/2200-409-0x00000000004C5290-mapping.dmp
-
memory/2200-416-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2200-426-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2204-503-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2204-511-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2236-415-0x0000000000000000-mapping.dmp
-
memory/2252-323-0x0000000000000000-mapping.dmp
-
memory/2252-328-0x0000000071A00000-0x0000000071FAB000-memory.dmpFilesize
5.7MB
-
memory/2284-344-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2284-333-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2284-326-0x00000000004C5290-mapping.dmp
-
memory/2308-420-0x0000000022409A1E-mapping.dmp
-
memory/2328-501-0x0000000071450000-0x00000000719FB000-memory.dmpFilesize
5.7MB
-
memory/2332-425-0x0000000000000000-mapping.dmp
-
memory/2332-434-0x0000000071450000-0x00000000719FB000-memory.dmpFilesize
5.7MB
-
memory/2352-332-0x0000000000000000-mapping.dmp
-
memory/2436-338-0x0000000022409A1E-mapping.dmp
-
memory/2480-435-0x0000000000000000-mapping.dmp
-
memory/2528-440-0x0000000022409A1E-mapping.dmp
-
memory/2544-343-0x0000000000000000-mapping.dmp
-
memory/2544-347-0x00000000719C0000-0x0000000071F6B000-memory.dmpFilesize
5.7MB
-
memory/2544-352-0x00000000719C0000-0x0000000071F6B000-memory.dmpFilesize
5.7MB
-
memory/2596-348-0x00000000004C5290-mapping.dmp
-
memory/2596-355-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2596-365-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2636-445-0x0000000000000000-mapping.dmp
-
memory/2636-451-0x0000000071870000-0x0000000071E1B000-memory.dmpFilesize
5.7MB
-
memory/2684-354-0x0000000000000000-mapping.dmp
-
memory/2728-463-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2728-454-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2732-359-0x0000000022409A1E-mapping.dmp
-
memory/2784-373-0x0000000071A00000-0x0000000071FAB000-memory.dmpFilesize
5.7MB
-
memory/2784-364-0x0000000000000000-mapping.dmp
-
memory/2804-467-0x0000000071960000-0x0000000071F0B000-memory.dmpFilesize
5.7MB
-
memory/2820-375-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2820-368-0x00000000004C5290-mapping.dmp
-
memory/2820-385-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2892-374-0x0000000000000000-mapping.dmp
-
memory/2900-470-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2900-480-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/2916-379-0x0000000022409A1E-mapping.dmp
-
memory/2968-384-0x0000000000000000-mapping.dmp
-
memory/2968-391-0x0000000071450000-0x00000000719FB000-memory.dmpFilesize
5.7MB
-
memory/2968-395-0x0000000071450000-0x00000000719FB000-memory.dmpFilesize
5.7MB
-
memory/3028-404-0x0000000000400000-0x00000000004C7000-memory.dmpFilesize
796KB
-
memory/3028-389-0x00000000004C5290-mapping.dmp
-
memory/3056-486-0x0000000071A00000-0x0000000071FAB000-memory.dmpFilesize
5.7MB