23f16ca0b6940c985acb63424e055ca758dbf55eafc5ccf75012cb5930f641c0

Analysis

max time kernel
152s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f850c4be0da9c064158b08123469bc0_NeikiAnalytics.exe
Size

51KB
MD5

2f850c4be0da9c064158b08123469bc0
SHA1

5f1c678f1eb2aa9c4767b94ca4ceb0e88e79ae8e
SHA256

23f16ca0b6940c985acb63424e055ca758dbf55eafc5ccf75012cb5930f641c0
SHA512

5e7305643be94cd09b762f4f02b9a2167b57d627a758082dbce9c840ad0014d630ef83fafbf044033c59aa87df16c06cbac4aeb86eaeb5c2db84d5611319f02e
SSDEEP

768:nNAGAkIo/juokwoL7627d9rIiClJAxiFkJT22euOiya6lHOYxY0x0KS32:nNJb/HkwoLe29UjQ4wqQOLIMVnS32

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\userinit.exe"	userinit.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	userinit.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\drivers\taskmgr.exe	userinit.exe
File opened for modification	\??\c:\windows\SysWOW64\drivers\csrss.exe	taskmgr.exe
File opened for modification	C:\Windows\SysWOW64\drivers\udsys.exe	userinit.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\mrkl.exe MR"	userinit.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
5300	userinit.exe
1856	taskmgr.exe
2760	csrss.exe
5048	userinit.exe
5416	taskmgr.exe
5572	csrss.exe
5632	userinit.exe
5364	taskmgr.exe
5408	csrss.exe
4532	userinit.exe
3384	taskmgr.exe
3176	csrss.exe
5924	userinit.exe
5932	taskmgr.exe
5988	csrss.exe
6020	userinit.exe
2188	taskmgr.exe
2704	csrss.exe
5476	userinit.exe
712	taskmgr.exe
4256	csrss.exe
4344	userinit.exe
432	taskmgr.exe
1768	csrss.exe
2160	userinit.exe
116	taskmgr.exe
6036	csrss.exe
6032	userinit.exe
2840	taskmgr.exe
1996	csrss.exe
3624	userinit.exe
2008	taskmgr.exe
4448	csrss.exe
2328	userinit.exe
4824	taskmgr.exe
2932	csrss.exe
5180	userinit.exe
3952	taskmgr.exe
3816	csrss.exe
784	userinit.exe
3192	taskmgr.exe
864	csrss.exe
1104	userinit.exe
4088	taskmgr.exe
2812	csrss.exe
3948	userinit.exe
4392	taskmgr.exe
3536	csrss.exe
972	userinit.exe
3504	taskmgr.exe
5612	csrss.exe
2244	userinit.exe
5404	taskmgr.exe
5416	csrss.exe
6116	userinit.exe
5408	taskmgr.exe
4860	csrss.exe
3080	userinit.exe
5940	taskmgr.exe
2532	csrss.exe
5988	userinit.exe
5536	taskmgr.exe
3284	csrss.exe
3732	userinit.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3296-0-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/files/0x0009000000023267-6.dat	upx
behavioral2/memory/3296-7-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5300-9-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/files/0x000900000002326a-13.dat	upx
behavioral2/files/0x000800000002326c-22.dat	upx
behavioral2/memory/5048-30-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1856-35-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2760-36-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3296-38-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5632-49-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5572-51-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5416-53-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4532-64-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5408-66-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5364-68-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5300-71-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3384-70-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5924-81-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3176-85-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3384-84-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/6020-96-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5988-98-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5932-100-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5476-110-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2704-112-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2188-114-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4344-125-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4256-127-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/712-129-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2160-140-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/432-144-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1768-143-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/6032-155-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/6036-157-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/116-159-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3624-170-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2840-174-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1996-173-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2328-186-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4448-190-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2008-189-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5180-201-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4824-203-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/784-214-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3816-216-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3952-218-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1104-229-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3192-233-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/864-232-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2812-247-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4088-246-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3948-244-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/972-258-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3536-260-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4392-261-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/2244-272-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5612-274-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3504-276-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/6116-287-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5416-289-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/5404-291-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/3080-302-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/4860-304-0x0000000000400000-0x0000000000426000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\userinit = "c:\\windows\\system\\userinit.exe RO"	userinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\csrss = "c:\\windows\\system32\\drivers\\csrss.exe RO"	userinit.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system\userinit.exe	2f850c4be0da9c064158b08123469bc0_NeikiAnalytics.exe
File opened for modification	\??\c:\windows\system\userinit.exe	userinit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3296	2f850c4be0da9c064158b08123469bc0_NeikiAnalytics.exe
3296	2f850c4be0da9c064158b08123469bc0_NeikiAnalytics.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe
5300	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5300	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3296	2f850c4be0da9c064158b08123469bc0_NeikiAnalytics.exe
5300	userinit.exe
1856	taskmgr.exe
2760	csrss.exe
5048	userinit.exe
5300	userinit.exe
5416	taskmgr.exe
5572	csrss.exe
5632	userinit.exe
5364	taskmgr.exe
5408	csrss.exe
4532	userinit.exe
3384	taskmgr.exe
3176	csrss.exe
5924	userinit.exe
5932	taskmgr.exe
5988	csrss.exe
6020	userinit.exe
2188	taskmgr.exe
2704	csrss.exe
5476	userinit.exe
712	taskmgr.exe
4256	csrss.exe
4344	userinit.exe
432	taskmgr.exe
1768	csrss.exe
2160	userinit.exe
116	taskmgr.exe
6036	csrss.exe
6032	userinit.exe
2840	taskmgr.exe
1996	csrss.exe
3624	userinit.exe
2008	taskmgr.exe
4448	csrss.exe
2328	userinit.exe
4824	taskmgr.exe
2932	csrss.exe
5180	userinit.exe
3952	taskmgr.exe
3816	csrss.exe
784	userinit.exe
3192	taskmgr.exe
864	csrss.exe
1104	userinit.exe
4088	taskmgr.exe
2812	csrss.exe
3948	userinit.exe
4392	taskmgr.exe
3536	csrss.exe
972	userinit.exe
3504	taskmgr.exe
5612	csrss.exe
2244	userinit.exe
5404	taskmgr.exe
5416	csrss.exe
6116	userinit.exe
5408	taskmgr.exe
4860	csrss.exe
3080	userinit.exe
5940	taskmgr.exe
2532	csrss.exe
5988	userinit.exe
5536	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3296 wrote to memory of 5300	3296	2f850c4be0da9c064158b08123469bc0_NeikiAnalytics.exe	91
PID 3296 wrote to memory of 5300	3296	2f850c4be0da9c064158b08123469bc0_NeikiAnalytics.exe	91
PID 3296 wrote to memory of 5300	3296	2f850c4be0da9c064158b08123469bc0_NeikiAnalytics.exe	91
PID 5300 wrote to memory of 1856	5300	userinit.exe	92
PID 5300 wrote to memory of 1856	5300	userinit.exe	92
PID 5300 wrote to memory of 1856	5300	userinit.exe	92
PID 1856 wrote to memory of 2760	1856	taskmgr.exe	93
PID 1856 wrote to memory of 2760	1856	taskmgr.exe	93
PID 1856 wrote to memory of 2760	1856	taskmgr.exe	93
PID 2760 wrote to memory of 5048	2760	csrss.exe	94
PID 2760 wrote to memory of 5048	2760	csrss.exe	94
PID 2760 wrote to memory of 5048	2760	csrss.exe	94
PID 5300 wrote to memory of 5416	5300	userinit.exe	95
PID 5300 wrote to memory of 5416	5300	userinit.exe	95
PID 5300 wrote to memory of 5416	5300	userinit.exe	95
PID 5416 wrote to memory of 5572	5416	taskmgr.exe	96
PID 5416 wrote to memory of 5572	5416	taskmgr.exe	96
PID 5416 wrote to memory of 5572	5416	taskmgr.exe	96
PID 5572 wrote to memory of 5632	5572	csrss.exe	97
PID 5572 wrote to memory of 5632	5572	csrss.exe	97
PID 5572 wrote to memory of 5632	5572	csrss.exe	97
PID 5300 wrote to memory of 5364	5300	userinit.exe	98
PID 5300 wrote to memory of 5364	5300	userinit.exe	98
PID 5300 wrote to memory of 5364	5300	userinit.exe	98
PID 5364 wrote to memory of 5408	5364	taskmgr.exe	99
PID 5364 wrote to memory of 5408	5364	taskmgr.exe	99
PID 5364 wrote to memory of 5408	5364	taskmgr.exe	99
PID 5408 wrote to memory of 4532	5408	csrss.exe	100
PID 5408 wrote to memory of 4532	5408	csrss.exe	100
PID 5408 wrote to memory of 4532	5408	csrss.exe	100
PID 5300 wrote to memory of 3384	5300	userinit.exe	101
PID 5300 wrote to memory of 3384	5300	userinit.exe	101
PID 5300 wrote to memory of 3384	5300	userinit.exe	101
PID 3384 wrote to memory of 3176	3384	taskmgr.exe	102
PID 3384 wrote to memory of 3176	3384	taskmgr.exe	102
PID 3384 wrote to memory of 3176	3384	taskmgr.exe	102
PID 3176 wrote to memory of 5924	3176	csrss.exe	103
PID 3176 wrote to memory of 5924	3176	csrss.exe	103
PID 3176 wrote to memory of 5924	3176	csrss.exe	103
PID 5300 wrote to memory of 5932	5300	userinit.exe	104
PID 5300 wrote to memory of 5932	5300	userinit.exe	104
PID 5300 wrote to memory of 5932	5300	userinit.exe	104
PID 5932 wrote to memory of 5988	5932	taskmgr.exe	105
PID 5932 wrote to memory of 5988	5932	taskmgr.exe	105
PID 5932 wrote to memory of 5988	5932	taskmgr.exe	105
PID 5988 wrote to memory of 6020	5988	csrss.exe	106
PID 5988 wrote to memory of 6020	5988	csrss.exe	106
PID 5988 wrote to memory of 6020	5988	csrss.exe	106
PID 5300 wrote to memory of 2188	5300	userinit.exe	107
PID 5300 wrote to memory of 2188	5300	userinit.exe	107
PID 5300 wrote to memory of 2188	5300	userinit.exe	107
PID 2188 wrote to memory of 2704	2188	taskmgr.exe	108
PID 2188 wrote to memory of 2704	2188	taskmgr.exe	108
PID 2188 wrote to memory of 2704	2188	taskmgr.exe	108
PID 2704 wrote to memory of 5476	2704	csrss.exe	109
PID 2704 wrote to memory of 5476	2704	csrss.exe	109
PID 2704 wrote to memory of 5476	2704	csrss.exe	109
PID 5300 wrote to memory of 712	5300	userinit.exe	110
PID 5300 wrote to memory of 712	5300	userinit.exe	110
PID 5300 wrote to memory of 712	5300	userinit.exe	110
PID 712 wrote to memory of 4256	712	taskmgr.exe	111
PID 712 wrote to memory of 4256	712	taskmgr.exe	111
PID 712 wrote to memory of 4256	712	taskmgr.exe	111
PID 4256 wrote to memory of 4344	4256	csrss.exe	112

C:\Users\Admin\AppData\Local\Temp\2f850c4be0da9c064158b08123469bc0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f850c4be0da9c064158b08123469bc0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3296
- \??\c:\windows\system\userinit.exe
  c:\windows\system\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visiblity of hidden/system files in Explorer
  - Drops file in Drivers directory
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5300
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1856
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2760
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5048
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5416
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5572
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5632
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5364
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5408
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4532
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3384
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3176
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5924
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5932
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5988
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6020
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2704
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5476
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:712
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4256
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4344
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:432
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1768
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2160
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:116
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:6036
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6032
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2840
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1996
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3624
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2008
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4448
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2328
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4824
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2932
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5180
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3952
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3816
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:784
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3192
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:864
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1104
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4088
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2812
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3948
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4392
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3536
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:972
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3504
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5612
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2244
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5404
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5416
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6116
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5408
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4860
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3080
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5940
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2532
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5988
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5536
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      PID:3284
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        Executes dropped EXE
        
        PID:3732
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4588
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1620
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5116
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5876
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5840
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:6068
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:228
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6024
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1280
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3976
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1972
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1540
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4492
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3304
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5220
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3396
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2996
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2932
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:440
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6056
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3816
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4356
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1616
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4684
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1604
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3208
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4540
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3876
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3180
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4480
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5604
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4040
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5776
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5616
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2224
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5372
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3596
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5388
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5516
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5936
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2196
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3144
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5888
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5988
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5520
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2512
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1152
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1600
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5496
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4584
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5116
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4004
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6068
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1768
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:988
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4892
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3936
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2036
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3768
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2960
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4568
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2008
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5088
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2200
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2912
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4128
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3120
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5144
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1988
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3816
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1312
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:440
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4108
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4468
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3540
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2088
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:404
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:6008
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4480
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1080
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4260
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4548
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5584
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4392
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1860
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3504
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5616
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5316
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5364
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4360
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5960
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5916
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5928
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3016
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5500
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5940
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5888
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2188
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1600
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3216
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6124
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4344
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4584
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5536
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5156
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5876
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4036
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4160
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5000
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1852
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3624
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3768
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5052
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3332
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1652
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4188
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3748
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1480
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6048
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2932
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4672
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5180
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3232
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1312
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6128
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4356
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5080
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1648
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5016
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1052
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3760
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4372
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3876
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1964
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3040
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5004
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2852
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4392
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4608
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5372
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5404
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:6116
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5364
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4916
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3080
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4544
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5560
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5520
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5500
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3016
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5896
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1584
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5492
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5808
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5600
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5544
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1768
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3884
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4256
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:6024
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:228
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4004
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1900
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5796
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2840
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4492
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5008
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:496
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2776
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4764
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2588
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2192
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3532
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1480
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3944
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2264
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:6056
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5084
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6128
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1312
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5136
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4664
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3400
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2220
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4540
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3948
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4040
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2260
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3180
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3988
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2556
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5584
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5352
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5340
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1716
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5772
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1960
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3496
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:6000
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4544
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5508
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2704
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2316
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5532
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5348
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1584
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3460
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2512
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5844
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5544
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4508
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4776
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:556
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3792
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3752
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2120
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1540
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3936
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5208
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2328
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3332
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3392
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5784
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3300
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4188
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:784
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5196
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2200
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1988
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4672
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5312
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1588
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4832
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1604
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4196
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6008
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3940
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5540
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4812
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1052
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5344
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1376
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3984
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2412
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5612
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1936
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1128
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5756
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3504
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5352
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3144
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5388
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5904
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5984
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:6016
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3592
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5992
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2984
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5880
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5900
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5328
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1620
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2428
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:6068
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4520
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5400
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2560
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3388
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5968
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1608
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4004
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3792
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4308
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2960
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4568
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:496
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2328
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6052
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1720
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5192
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3728
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2692
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2996
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1104
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4836
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5096
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2548
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5040
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4620
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5100
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4664
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4684
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:748
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4540
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5572
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2220
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4996
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3536
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4120
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2836
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4168
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2224
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5404
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5420
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5928
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4916
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4676
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5932
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3496
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4528
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5916
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:6000
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4612
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3460
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4344
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3620
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5036
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5892
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4036
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1896
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5876
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3976
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6024
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3476
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5088
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:712
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5204
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3956
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:216
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4952
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:6088
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5124
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3744
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4188
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3188
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5360
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2692
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2040
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4964
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3128
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:412
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4564
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5080
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1648
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:528
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4620
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2456
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1508
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4224
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5424
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1964
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2260
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5004
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4284
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3272
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4392
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5628
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3772
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5584
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5396
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5948
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5376
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4488
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5940
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3016
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:220
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3260
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4476
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5452
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5772
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4252
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2164
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4380
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3284
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3468
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2512
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5116
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5156
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2560
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4816
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3568
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2016
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3480
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:6024
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4820
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3792
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4404
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3404
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2832
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1516
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2720
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4448
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4764
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1864
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1480
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:6080
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2192
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3944
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2644
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5180
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2280
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4356
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4072
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6008
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3208
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5016
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3972
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3760
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5748
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4196
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4968
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3400
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5324
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3040
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5572
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4548
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4284
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5524
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3132
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4712
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4692
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3988
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5396
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4640
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6036
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1960
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2992
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5472
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4544
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5528
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4956
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5452
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5132
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6104
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5328
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3468
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3284
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1620
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3884
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5116
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5356
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2816
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:6032
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4520
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4788
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:228
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3388
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1400
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3920
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4404
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3604
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4320
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4248
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1440
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4128
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5164
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:6120
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4568
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1104
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5444
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1416
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3816
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4564
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4964
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4356
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1312
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:924
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3208
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4812
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5236
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4092
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:3544
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4440
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:1732
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4224
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4468
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4608
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4420
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2592
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2836
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4972
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:2160
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4712
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5316
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5012
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4168
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5948
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:5976
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4916
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4676
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3860
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:4476
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4528
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3732
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:3176
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:4988
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:4344
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5328
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:1452
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1016
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:5036
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:5544
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:1580
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:888
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:768
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:3752
    - - \??\c:\windows\system\userinit.exe
        
        c:\windows\system\userinit.exe
        5⤵
        
        PID:2816
- - \??\c:\windows\SysWOW64\drivers\taskmgr.exe
    c:\windows\system32\drivers\taskmgr.exe SE
    3⤵
    PID:2016
  - - \??\c:\windows\SysWOW64\drivers\csrss.exe
      c:\windows\system32\drivers\csrss.exe
      4⤵
      PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\csrss.exe

Filesize
51KB

MD5
70dd8267e06e08c9f5e91092893a9f33

SHA1
f4cad9a24f1b04cacda8713896086dd73ba45404

SHA256
30ad02b13a55867049df5ea666856e17386349a805c9467811201738ab03d3fe

SHA512
f0956c2269d1b3997713b6aa164e3ccaa5627031a24516ec8a800aada1b744c1cc3108287284a3c4b08ce1ea515fb94397a66b17436b14dfc1d79050149442d8

Download Submit
C:\Windows\SysWOW64\drivers\taskmgr.exe

Filesize
51KB

MD5
877ee6a3f106465acdeafce96bdbf650

SHA1
b1d80f3bae3f6304fa2af412cce9a6bb03920173

SHA256
283fad58d54f93729829487d9eb7932ec6e5e25f66182894c2ddca8fa21c2e59

SHA512
1fefd462331d57a59cc0ff4c70f101f0a0f4d5417c691666de74d5d763b68745f032f8f03a7f826460c5ef4b7dddf1a2af334ac1bf2a32bdea3ac995e7e74cc2

Download Submit
C:\Windows\System\userinit.exe

Filesize
51KB

MD5
f9cd11ef45891bfbb4c74f6e7ce6a45d

SHA1
159be28f4f8ea3436c44bb8fc8eccd2f4fab3123

SHA256
36c521726d18b604d0b8715d3aa73329cc2ea5391e9426b83e2532e4a56b2eb9

SHA512
2519857108b0c3a40294fd2306a7a9e114de8204e30dcbb25ec1e3afab929bc10ac981e72f742f01e6ae8771df7a9edc84a8b460cb25b69c92c5563192e047d3

Download Submit
memory/116-159-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/228-367-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/432-144-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/440-412-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/712-129-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/784-214-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/864-232-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/972-258-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1104-229-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1280-364-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1540-375-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1604-435-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1768-143-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1856-35-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1996-173-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2008-189-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2160-140-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2188-114-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2224-470-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2244-272-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2328-186-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2704-112-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2760-36-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2812-247-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2840-174-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2932-398-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3080-302-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3144-492-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3176-85-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3180-445-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3192-233-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3208-433-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3284-330-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3296-38-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3296-7-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3296-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3304-388-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3384-84-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3384-70-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3396-401-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3504-276-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3536-260-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3596-484-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3624-170-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3732-328-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3816-216-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3816-409-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3876-447-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3948-244-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3952-218-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3976-378-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4040-457-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4088-246-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4256-127-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4344-125-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4356-423-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4392-261-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4448-190-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4480-443-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4492-390-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4532-64-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4540-431-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4588-344-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4684-420-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4824-203-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/4860-304-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5048-30-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5116-341-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5180-201-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5220-386-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5300-9-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5300-71-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5364-68-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5372-468-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5388-482-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5404-291-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5408-306-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5408-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5416-53-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5416-289-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5476-110-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5516-480-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5536-332-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5572-51-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5604-459-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5612-274-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5616-472-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5632-49-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5776-455-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5840-354-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5876-356-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5924-81-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5932-100-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5940-320-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5988-317-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/5988-98-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6020-96-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6032-155-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6036-157-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6068-352-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/6116-287-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download