Analysis
max time kernel: 120s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/09/2024, 10:42
Static task: static1
Behavioral task: behavioral1
Sample: d739f4efb51845569c9b2bbcc326e790N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: d739f4efb51845569c9b2bbcc326e790N.exe
Resource: win10v2004-20240802-en
General
Target: d739f4efb51845569c9b2bbcc326e790N.exe
Size: 78KB
MD5: d739f4efb51845569c9b2bbcc326e790
SHA1: e28418f4b269cb975cb233aa5ce49cdd37a53613
SHA256: d4fddfecb0cf861dbe4a40ef1cac8e2d9594bc0eb818aaff88cfa333afd437e3
SHA512: 9f0a4c470aae7afcd15de9e8e5b1a1487ed6439f3b04778ba1995f208d42cf1645950ed957433ae048d64e241d59d244823426c0ba89197d2fc3c0682d8cc60d
SSDEEP: 1536:mXKqLKaq6OmYus/zqgUgyvVbc7xlIeyVr/p++r93zs6qJsgcYz3:m6MKn58gWvVo7xlIeyNv93Ysgr
Malware Config
Signatures
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Runs ping.exe 1 TTPs 64 IoCs
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes