ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe
Size

1.3MB
MD5

bf038a5d89d10a8c54f9173ae6f1218d
SHA1

56f40b2d1c24973dfc2797041b415adb889498b9
SHA256

ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890
SHA512

00391375cce1812d3f2118c9316c504232943924a60d49bd0a6cbb36d171222d686009d20468f6985328bf97dde59822174b4aa70a84013b6249ca927c218664
SSDEEP

24576:VqDEvCTbMWu7rQYlBQcBiT6rprG8agY86JDHZpZxXNGf8PA9kZKbv:VTvC/MTQYxsWR7agIJrZpfdGfsO

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.vbs	csrss.exe

Executes dropped EXE 64 IoCs

pid	Process
2656	csrss.exe
3068	csrss.exe
2552	csrss.exe
2572	csrss.exe
3012	csrss.exe
2972	csrss.exe
1932	csrss.exe
544	csrss.exe
1328	csrss.exe
2824	csrss.exe
1876	csrss.exe
2176	csrss.exe
2104	csrss.exe
412	csrss.exe
2300	csrss.exe
1316	csrss.exe
2304	csrss.exe
2084	csrss.exe
1008	csrss.exe
2260	csrss.exe
3028	csrss.exe
1632	csrss.exe
2692	csrss.exe
2724	csrss.exe
2512	csrss.exe
2540	csrss.exe
2508	csrss.exe
2964	csrss.exe
2844	csrss.exe
1780	csrss.exe
2088	csrss.exe
300	csrss.exe
1004	csrss.exe
264	csrss.exe
1420	csrss.exe
2348	csrss.exe
1364	csrss.exe
2328	csrss.exe
2312	csrss.exe
1820	csrss.exe
304	csrss.exe
1388	csrss.exe
2912	csrss.exe
2012	csrss.exe
1360	csrss.exe
996	csrss.exe
552	csrss.exe
2160	csrss.exe
2892	csrss.exe
2748	csrss.exe
2680	csrss.exe
1556	csrss.exe
2952	csrss.exe
2072	csrss.exe
2040	csrss.exe
1600	csrss.exe
2004	csrss.exe
1156	csrss.exe
2344	csrss.exe
2460	csrss.exe
1580	csrss.exe
2464	csrss.exe
1764	csrss.exe
1532	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1988	ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe
2656	csrss.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0007000000016d56-13.dat	autoit_exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1988	ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe
1988	ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe
2656	csrss.exe
2656	csrss.exe
3068	csrss.exe
3068	csrss.exe
2552	csrss.exe
2552	csrss.exe
2572	csrss.exe
2572	csrss.exe
3012	csrss.exe
3012	csrss.exe
2972	csrss.exe
2972	csrss.exe
1932	csrss.exe
1932	csrss.exe
544	csrss.exe
544	csrss.exe
1328	csrss.exe
1328	csrss.exe
2824	csrss.exe
2824	csrss.exe
1876	csrss.exe
1876	csrss.exe
2176	csrss.exe
2176	csrss.exe
2104	csrss.exe
2104	csrss.exe
412	csrss.exe
412	csrss.exe
2300	csrss.exe
2300	csrss.exe
1316	csrss.exe
1316	csrss.exe
2304	csrss.exe
2304	csrss.exe
2084	csrss.exe
2084	csrss.exe
1008	csrss.exe
1008	csrss.exe
2260	csrss.exe
2260	csrss.exe
3028	csrss.exe
3028	csrss.exe
1632	csrss.exe
1632	csrss.exe
2692	csrss.exe
2692	csrss.exe
2724	csrss.exe
2724	csrss.exe
2512	csrss.exe
2512	csrss.exe
2540	csrss.exe
2540	csrss.exe
2508	csrss.exe
2508	csrss.exe
2964	csrss.exe
2964	csrss.exe
2844	csrss.exe
2844	csrss.exe
1780	csrss.exe
1780	csrss.exe
2088	csrss.exe
2088	csrss.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1988	ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe
1988	ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe
2656	csrss.exe
2656	csrss.exe
3068	csrss.exe
3068	csrss.exe
2552	csrss.exe
2552	csrss.exe
2572	csrss.exe
2572	csrss.exe
3012	csrss.exe
3012	csrss.exe
2972	csrss.exe
2972	csrss.exe
1932	csrss.exe
1932	csrss.exe
544	csrss.exe
544	csrss.exe
1328	csrss.exe
1328	csrss.exe
2824	csrss.exe
2824	csrss.exe
1876	csrss.exe
1876	csrss.exe
2176	csrss.exe
2176	csrss.exe
2104	csrss.exe
2104	csrss.exe
412	csrss.exe
412	csrss.exe
2300	csrss.exe
2300	csrss.exe
1316	csrss.exe
1316	csrss.exe
2304	csrss.exe
2304	csrss.exe
2084	csrss.exe
2084	csrss.exe
1008	csrss.exe
1008	csrss.exe
2260	csrss.exe
2260	csrss.exe
3028	csrss.exe
3028	csrss.exe
1632	csrss.exe
1632	csrss.exe
2692	csrss.exe
2692	csrss.exe
2724	csrss.exe
2724	csrss.exe
2512	csrss.exe
2512	csrss.exe
2540	csrss.exe
2540	csrss.exe
2508	csrss.exe
2508	csrss.exe
2964	csrss.exe
2964	csrss.exe
2844	csrss.exe
2844	csrss.exe
1780	csrss.exe
1780	csrss.exe
2088	csrss.exe
2088	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2656	1988	ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe	30
PID 1988 wrote to memory of 2656	1988	ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe	30
PID 1988 wrote to memory of 2656	1988	ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe	30
PID 1988 wrote to memory of 2656	1988	ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe	30
PID 2656 wrote to memory of 3068	2656	csrss.exe	31
PID 2656 wrote to memory of 3068	2656	csrss.exe	31
PID 2656 wrote to memory of 3068	2656	csrss.exe	31
PID 2656 wrote to memory of 3068	2656	csrss.exe	31
PID 3068 wrote to memory of 2552	3068	csrss.exe	32
PID 3068 wrote to memory of 2552	3068	csrss.exe	32
PID 3068 wrote to memory of 2552	3068	csrss.exe	32
PID 3068 wrote to memory of 2552	3068	csrss.exe	32
PID 2552 wrote to memory of 2572	2552	csrss.exe	33
PID 2552 wrote to memory of 2572	2552	csrss.exe	33
PID 2552 wrote to memory of 2572	2552	csrss.exe	33
PID 2552 wrote to memory of 2572	2552	csrss.exe	33
PID 2572 wrote to memory of 3012	2572	csrss.exe	34
PID 2572 wrote to memory of 3012	2572	csrss.exe	34
PID 2572 wrote to memory of 3012	2572	csrss.exe	34
PID 2572 wrote to memory of 3012	2572	csrss.exe	34
PID 3012 wrote to memory of 2972	3012	csrss.exe	35
PID 3012 wrote to memory of 2972	3012	csrss.exe	35
PID 3012 wrote to memory of 2972	3012	csrss.exe	35
PID 3012 wrote to memory of 2972	3012	csrss.exe	35
PID 2972 wrote to memory of 1932	2972	csrss.exe	36
PID 2972 wrote to memory of 1932	2972	csrss.exe	36
PID 2972 wrote to memory of 1932	2972	csrss.exe	36
PID 2972 wrote to memory of 1932	2972	csrss.exe	36
PID 1932 wrote to memory of 544	1932	csrss.exe	37
PID 1932 wrote to memory of 544	1932	csrss.exe	37
PID 1932 wrote to memory of 544	1932	csrss.exe	37
PID 1932 wrote to memory of 544	1932	csrss.exe	37
PID 544 wrote to memory of 1328	544	csrss.exe	38
PID 544 wrote to memory of 1328	544	csrss.exe	38
PID 544 wrote to memory of 1328	544	csrss.exe	38
PID 544 wrote to memory of 1328	544	csrss.exe	38
PID 1328 wrote to memory of 2824	1328	csrss.exe	39
PID 1328 wrote to memory of 2824	1328	csrss.exe	39
PID 1328 wrote to memory of 2824	1328	csrss.exe	39
PID 1328 wrote to memory of 2824	1328	csrss.exe	39
PID 2824 wrote to memory of 1876	2824	csrss.exe	40
PID 2824 wrote to memory of 1876	2824	csrss.exe	40
PID 2824 wrote to memory of 1876	2824	csrss.exe	40
PID 2824 wrote to memory of 1876	2824	csrss.exe	40
PID 1876 wrote to memory of 2176	1876	csrss.exe	41
PID 1876 wrote to memory of 2176	1876	csrss.exe	41
PID 1876 wrote to memory of 2176	1876	csrss.exe	41
PID 1876 wrote to memory of 2176	1876	csrss.exe	41
PID 2176 wrote to memory of 2104	2176	csrss.exe	42
PID 2176 wrote to memory of 2104	2176	csrss.exe	42
PID 2176 wrote to memory of 2104	2176	csrss.exe	42
PID 2176 wrote to memory of 2104	2176	csrss.exe	42
PID 2104 wrote to memory of 412	2104	csrss.exe	43
PID 2104 wrote to memory of 412	2104	csrss.exe	43
PID 2104 wrote to memory of 412	2104	csrss.exe	43
PID 2104 wrote to memory of 412	2104	csrss.exe	43
PID 412 wrote to memory of 2300	412	csrss.exe	44
PID 412 wrote to memory of 2300	412	csrss.exe	44
PID 412 wrote to memory of 2300	412	csrss.exe	44
PID 412 wrote to memory of 2300	412	csrss.exe	44
PID 2300 wrote to memory of 1316	2300	csrss.exe	45
PID 2300 wrote to memory of 1316	2300	csrss.exe	45
PID 2300 wrote to memory of 1316	2300	csrss.exe	45
PID 2300 wrote to memory of 1316	2300	csrss.exe	45

C:\Users\Admin\AppData\Local\Temp\ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe
"C:\Users\Admin\AppData\Local\Temp\ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\directory\csrss.exe
  "C:\Users\Admin\AppData\Local\Temp\ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\directory\csrss.exe
    "C:\Users\Admin\AppData\Local\directory\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Users\Admin\AppData\Local\directory\csrss.exe
      "C:\Users\Admin\AppData\Local\directory\csrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2552
    - - C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        33⤵
        Executes dropped EXE
        
        PID:300
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        35⤵
        Executes dropped EXE
        
        PID:264
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        38⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        39⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        40⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        41⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        43⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        45⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        46⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        47⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        48⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        49⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        51⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        52⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        53⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        54⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        56⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        57⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        58⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        59⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        61⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        63⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        64⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        65⤵
        Executes dropped EXE
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        68⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        73⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        74⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        76⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        77⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        78⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        80⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        83⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        84⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        85⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:648
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        87⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        89⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        90⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        92⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        93⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        95⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        96⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        97⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        98⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        100⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        101⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        102⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        103⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        104⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        105⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        107⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        109⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        110⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        112⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        113⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        114⤵
        
        PID:236
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        115⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        117⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        119⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        121⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        122⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        123⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        124⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        126⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        127⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        128⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        129⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        131⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        132⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        133⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        134⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:308
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        136⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        137⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        138⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        139⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        140⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        141⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        144⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        145⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        146⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        147⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        148⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        149⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        150⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:848
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        152⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        155⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        157⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        158⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        160⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        161⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        162⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        163⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        164⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        165⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        166⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        168⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        170⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        171⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        172⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        173⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        174⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        175⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        177⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        178⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        179⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        180⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        182⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        183⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        184⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        185⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        186⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        187⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        188⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        189⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        191⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        193⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        194⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        196⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        198⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        199⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        201⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        202⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        203⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        204⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        205⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        206⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        207⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        209⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        210⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        211⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        212⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        213⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        214⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        215⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        216⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        217⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        219⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        220⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        222⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        223⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        224⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\directory\csrss.exe
        
        "C:\Users\Admin\AppData\Local\directory\csrss.exe"
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut1EF6.tmp

Filesize
385KB

MD5
60e07ea2b1e286070466181eb103b440

SHA1
0980fa02c2851fdc7b81a9d1bc86629fb669abc7

SHA256
eb09e172e4e39735182759cd26a81f475d710e545eae283c12255a637e52ace1

SHA512
84a5ae93b4e6bd3c7a0f6a9a8138d23563b3c2cf97af71207c818f3ee8ee91c4b706b9c3c40bb9ca29bc70d42bd879a7b6408d908d51ca6c5fdbf4f79f6901d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut1F25.tmp

Filesize
42KB

MD5
2f7a894c748cc07d323363c0965002bf

SHA1
a23f199062c152bfd9e5d80bb48147c2d7d83a81

SHA256
3c253455ab8d6c9d8de187e03f6e0321568aaad6100095a162abd1443e15e677

SHA512
9f35bdb2feaf40f4273a8c25341f89ce8972de222b4fa876c12a99541861127ec76959946d6e489dda30e9bea7c90322e13fde4045ae36d617abfdc68a4af460

Download Submit
C:\Users\Admin\AppData\Local\Temp\ectosphere

Filesize
84KB

MD5
113814e3b1209175e884341b51fc0bdf

SHA1
7c83377c2c2cec1634945d155fa3e0879ee63cb6

SHA256
b935d90f9b00b0b8bb1d4b843bf286afbbec8a1216be1b067663e75d68606073

SHA512
9eea4d9335ef29e60f36a26e573c763c53d5a9f091e541471db9fce494430f890a5d0cb21ba806c06a7aeb240daf83f85d0de685ce52fc4b55bdc371c18846e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\molecast

Filesize
483KB

MD5
65d01b06462d271b0da948efc42081be

SHA1
6b8c187e6ca73d254a88c943822d1b72b3feb7f6

SHA256
f928f0fbbec309890cdb92b5f19d119afc7215894122798430f51f279b065fd0

SHA512
38b9d2aa868ec6a48f5c3bc525c36cc71e89dc378a98a5cc13ac79219b78b5ed2884ccb402e1994c5a9f53a24b11a05e3722ccc4ecd8cbab9d66b15814082d8c

Download Submit
\Users\Admin\AppData\Local\directory\csrss.exe

Filesize
1.3MB

MD5
bf038a5d89d10a8c54f9173ae6f1218d

SHA1
56f40b2d1c24973dfc2797041b415adb889498b9

SHA256
ffcfe6a6032cdcef4790afe356d82939369b5e49ba72719b3e592a4de7fd9890

SHA512
00391375cce1812d3f2118c9316c504232943924a60d49bd0a6cbb36d171222d686009d20468f6985328bf97dde59822174b4aa70a84013b6249ca927c218664

Download Submit
memory/1988-11-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download