1fdb72c9f14350081f3717e6a70df391fa1aa5ca938c8bd82769bc0c254c17dd

Analysis

max time kernel
99s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cdcb2aa7ed94048ce05a71cbf911b33.exe
Size

471KB
MD5

1cdcb2aa7ed94048ce05a71cbf911b33
SHA1

2f5d084011b7a7942bd0c90a6557397ce87f730b
SHA256

1fdb72c9f14350081f3717e6a70df391fa1aa5ca938c8bd82769bc0c254c17dd
SHA512

5f55cb852349f775cb7dcdcf5de4294c549e7b4a0d44e37f03580b91c5b4175f21c005446c16fc48fab718ac6baf46ee7b4b20236d92ef5ad772561ea91b1263
SSDEEP

6144:/1XacXavNFEoNkqPg5I0KVTHyPWOYMI6dn0z76fcCEmi/id6mmtCv1HC:/1Xa02H2KV+WKI6V0ZCEmi/i8m4Cg

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1628	Csrtss.exe
2784	Csrtss.exe
2788	Csrtss.exe
2720	Csrtss.exe
2752	Csrtss.exe
2608	Csrtss.exe
1988	Csrtss.exe
2572	Csrtss.exe
2656	Csrtss.exe
2916	Csrtss.exe
2628	Csrtss.exe
1692	Csrtss.exe
1756	Csrtss.exe
2524	Csrtss.exe
1196	Csrtss.exe
608	Csrtss.exe
2540	Csrtss.exe
1332	Csrtss.exe
2384	Csrtss.exe
1784	Csrtss.exe
1360	Csrtss.exe
704	Csrtss.exe
2296	Csrtss.exe
2440	Csrtss.exe
2320	Csrtss.exe
2452	Csrtss.exe
880	Csrtss.exe
2428	Csrtss.exe
1132	Csrtss.exe
1768	Csrtss.exe
1540	Csrtss.exe
1340	Csrtss.exe
1816	Csrtss.exe
1776	Csrtss.exe
916	Csrtss.exe
2028	Csrtss.exe
1724	Csrtss.exe
2832	Csrtss.exe
1164	Csrtss.exe
1804	Csrtss.exe
1744	Csrtss.exe
2460	Csrtss.exe
1588	Csrtss.exe
2132	Csrtss.exe
2948	Csrtss.exe
2072	Csrtss.exe
2728	Csrtss.exe
2812	Csrtss.exe
2784	Csrtss.exe
1796	Csrtss.exe
2856	Csrtss.exe
2596	Csrtss.exe
2648	Csrtss.exe
2620	Csrtss.exe
2640	Csrtss.exe
3044	Csrtss.exe
1652	Csrtss.exe
1916	Csrtss.exe
2676	Csrtss.exe
1020	Csrtss.exe
1904	Csrtss.exe
2916	Csrtss.exe
1032	Csrtss.exe
1428	Csrtss.exe

Loads dropped DLL 64 IoCs

pid	Process
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1628	Csrtss.exe
1628	Csrtss.exe
2784	Csrtss.exe
2784	Csrtss.exe
2788	Csrtss.exe
2788	Csrtss.exe
2720	Csrtss.exe
2720	Csrtss.exe
2752	Csrtss.exe
2752	Csrtss.exe
2608	Csrtss.exe
2608	Csrtss.exe
1988	Csrtss.exe
1988	Csrtss.exe
2572	Csrtss.exe
2572	Csrtss.exe
2656	Csrtss.exe
2656	Csrtss.exe
2916	Csrtss.exe
2916	Csrtss.exe
2628	Csrtss.exe
2628	Csrtss.exe
1692	Csrtss.exe
1692	Csrtss.exe
1756	Csrtss.exe
1756	Csrtss.exe
2524	Csrtss.exe
2524	Csrtss.exe
1196	Csrtss.exe
1196	Csrtss.exe
608	Csrtss.exe
608	Csrtss.exe
2540	Csrtss.exe
2540	Csrtss.exe
1332	Csrtss.exe
1332	Csrtss.exe
2384	Csrtss.exe
2384	Csrtss.exe
1784	Csrtss.exe
1784	Csrtss.exe
1360	Csrtss.exe
1360	Csrtss.exe
704	Csrtss.exe
704	Csrtss.exe
2296	Csrtss.exe
2296	Csrtss.exe
2440	Csrtss.exe
2440	Csrtss.exe
2320	Csrtss.exe
2320	Csrtss.exe
2452	Csrtss.exe
2452	Csrtss.exe
880	Csrtss.exe
880	Csrtss.exe
2428	Csrtss.exe
2428	Csrtss.exe
1132	Csrtss.exe
1132	Csrtss.exe
1768	Csrtss.exe
1768	Csrtss.exe
1540	Csrtss.exe
1540	Csrtss.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
Token: SeDebugPrivilege	2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe
Token: SeDebugPrivilege	1628	Csrtss.exe
Token: SeDebugPrivilege	1628	Csrtss.exe
Token: SeDebugPrivilege	2784	Csrtss.exe
Token: SeDebugPrivilege	2784	Csrtss.exe
Token: SeDebugPrivilege	2788	Csrtss.exe
Token: SeDebugPrivilege	2788	Csrtss.exe
Token: SeDebugPrivilege	2720	Csrtss.exe
Token: SeDebugPrivilege	2720	Csrtss.exe
Token: SeDebugPrivilege	2752	Csrtss.exe
Token: SeDebugPrivilege	2752	Csrtss.exe
Token: SeDebugPrivilege	2608	Csrtss.exe
Token: SeDebugPrivilege	2608	Csrtss.exe
Token: SeDebugPrivilege	1988	Csrtss.exe
Token: SeDebugPrivilege	1988	Csrtss.exe
Token: SeDebugPrivilege	2572	Csrtss.exe
Token: SeDebugPrivilege	2572	Csrtss.exe
Token: SeDebugPrivilege	2656	Csrtss.exe
Token: SeDebugPrivilege	2656	Csrtss.exe
Token: SeDebugPrivilege	2916	Csrtss.exe
Token: SeDebugPrivilege	2916	Csrtss.exe
Token: SeDebugPrivilege	2628	Csrtss.exe
Token: SeDebugPrivilege	2628	Csrtss.exe
Token: SeDebugPrivilege	1692	Csrtss.exe
Token: SeDebugPrivilege	1692	Csrtss.exe
Token: SeDebugPrivilege	1756	Csrtss.exe
Token: SeDebugPrivilege	1756	Csrtss.exe
Token: SeDebugPrivilege	2524	Csrtss.exe
Token: SeDebugPrivilege	2524	Csrtss.exe
Token: SeDebugPrivilege	1196	Csrtss.exe
Token: SeDebugPrivilege	1196	Csrtss.exe
Token: SeDebugPrivilege	608	Csrtss.exe
Token: SeDebugPrivilege	608	Csrtss.exe
Token: SeDebugPrivilege	2540	Csrtss.exe
Token: SeDebugPrivilege	2540	Csrtss.exe
Token: SeDebugPrivilege	1332	Csrtss.exe
Token: SeDebugPrivilege	1332	Csrtss.exe
Token: SeDebugPrivilege	2384	Csrtss.exe
Token: SeDebugPrivilege	2384	Csrtss.exe
Token: SeDebugPrivilege	1784	Csrtss.exe
Token: SeDebugPrivilege	1784	Csrtss.exe
Token: SeDebugPrivilege	1360	Csrtss.exe
Token: SeDebugPrivilege	1360	Csrtss.exe
Token: SeDebugPrivilege	704	Csrtss.exe
Token: SeDebugPrivilege	704	Csrtss.exe
Token: SeDebugPrivilege	2296	Csrtss.exe
Token: SeDebugPrivilege	2296	Csrtss.exe
Token: SeDebugPrivilege	2440	Csrtss.exe
Token: SeDebugPrivilege	2440	Csrtss.exe
Token: SeDebugPrivilege	2320	Csrtss.exe
Token: SeDebugPrivilege	2320	Csrtss.exe
Token: SeDebugPrivilege	2452	Csrtss.exe
Token: SeDebugPrivilege	2452	Csrtss.exe
Token: SeDebugPrivilege	880	Csrtss.exe
Token: SeDebugPrivilege	880	Csrtss.exe
Token: SeDebugPrivilege	2428	Csrtss.exe
Token: SeDebugPrivilege	2428	Csrtss.exe
Token: SeDebugPrivilege	1132	Csrtss.exe
Token: SeDebugPrivilege	1132	Csrtss.exe
Token: SeDebugPrivilege	1768	Csrtss.exe
Token: SeDebugPrivilege	1768	Csrtss.exe
Token: SeDebugPrivilege	1540	Csrtss.exe
Token: SeDebugPrivilege	1540	Csrtss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 1628	2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe	28
PID 2072 wrote to memory of 1628	2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe	28
PID 2072 wrote to memory of 1628	2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe	28
PID 2072 wrote to memory of 1628	2072	1cdcb2aa7ed94048ce05a71cbf911b33.exe	28
PID 1628 wrote to memory of 2784	1628	Csrtss.exe	29
PID 1628 wrote to memory of 2784	1628	Csrtss.exe	29
PID 1628 wrote to memory of 2784	1628	Csrtss.exe	29
PID 1628 wrote to memory of 2784	1628	Csrtss.exe	29
PID 2784 wrote to memory of 2788	2784	Csrtss.exe	30
PID 2784 wrote to memory of 2788	2784	Csrtss.exe	30
PID 2784 wrote to memory of 2788	2784	Csrtss.exe	30
PID 2784 wrote to memory of 2788	2784	Csrtss.exe	30
PID 2788 wrote to memory of 2720	2788	Csrtss.exe	31
PID 2788 wrote to memory of 2720	2788	Csrtss.exe	31
PID 2788 wrote to memory of 2720	2788	Csrtss.exe	31
PID 2788 wrote to memory of 2720	2788	Csrtss.exe	31
PID 2720 wrote to memory of 2752	2720	Csrtss.exe	32
PID 2720 wrote to memory of 2752	2720	Csrtss.exe	32
PID 2720 wrote to memory of 2752	2720	Csrtss.exe	32
PID 2720 wrote to memory of 2752	2720	Csrtss.exe	32
PID 2752 wrote to memory of 2608	2752	Csrtss.exe	33
PID 2752 wrote to memory of 2608	2752	Csrtss.exe	33
PID 2752 wrote to memory of 2608	2752	Csrtss.exe	33
PID 2752 wrote to memory of 2608	2752	Csrtss.exe	33
PID 2608 wrote to memory of 1988	2608	Csrtss.exe	34
PID 2608 wrote to memory of 1988	2608	Csrtss.exe	34
PID 2608 wrote to memory of 1988	2608	Csrtss.exe	34
PID 2608 wrote to memory of 1988	2608	Csrtss.exe	34
PID 1988 wrote to memory of 2572	1988	Csrtss.exe	35
PID 1988 wrote to memory of 2572	1988	Csrtss.exe	35
PID 1988 wrote to memory of 2572	1988	Csrtss.exe	35
PID 1988 wrote to memory of 2572	1988	Csrtss.exe	35
PID 2572 wrote to memory of 2656	2572	Csrtss.exe	36
PID 2572 wrote to memory of 2656	2572	Csrtss.exe	36
PID 2572 wrote to memory of 2656	2572	Csrtss.exe	36
PID 2572 wrote to memory of 2656	2572	Csrtss.exe	36
PID 2656 wrote to memory of 2916	2656	Csrtss.exe	37
PID 2656 wrote to memory of 2916	2656	Csrtss.exe	37
PID 2656 wrote to memory of 2916	2656	Csrtss.exe	37
PID 2656 wrote to memory of 2916	2656	Csrtss.exe	37
PID 2916 wrote to memory of 2628	2916	Csrtss.exe	38
PID 2916 wrote to memory of 2628	2916	Csrtss.exe	38
PID 2916 wrote to memory of 2628	2916	Csrtss.exe	38
PID 2916 wrote to memory of 2628	2916	Csrtss.exe	38
PID 2628 wrote to memory of 1692	2628	Csrtss.exe	39
PID 2628 wrote to memory of 1692	2628	Csrtss.exe	39
PID 2628 wrote to memory of 1692	2628	Csrtss.exe	39
PID 2628 wrote to memory of 1692	2628	Csrtss.exe	39
PID 1692 wrote to memory of 1756	1692	Csrtss.exe	40
PID 1692 wrote to memory of 1756	1692	Csrtss.exe	40
PID 1692 wrote to memory of 1756	1692	Csrtss.exe	40
PID 1692 wrote to memory of 1756	1692	Csrtss.exe	40
PID 1756 wrote to memory of 2524	1756	Csrtss.exe	41
PID 1756 wrote to memory of 2524	1756	Csrtss.exe	41
PID 1756 wrote to memory of 2524	1756	Csrtss.exe	41
PID 1756 wrote to memory of 2524	1756	Csrtss.exe	41
PID 2524 wrote to memory of 1196	2524	Csrtss.exe	42
PID 2524 wrote to memory of 1196	2524	Csrtss.exe	42
PID 2524 wrote to memory of 1196	2524	Csrtss.exe	42
PID 2524 wrote to memory of 1196	2524	Csrtss.exe	42
PID 1196 wrote to memory of 608	1196	Csrtss.exe	43
PID 1196 wrote to memory of 608	1196	Csrtss.exe	43
PID 1196 wrote to memory of 608	1196	Csrtss.exe	43
PID 1196 wrote to memory of 608	1196	Csrtss.exe	43

C:\Users\Admin\AppData\Local\Temp\1cdcb2aa7ed94048ce05a71cbf911b33.exe
"C:\Users\Admin\AppData\Local\Temp\1cdcb2aa7ed94048ce05a71cbf911b33.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\Csrtss.exe
  "C:\Windows\system32\Csrtss.exe" "C:\Users\Admin\AppData\Local\Temp\1cdcb2aa7ed94048ce05a71cbf911b33.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\SysWOW64\Csrtss.exe
    "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\Csrtss.exe
      "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        33⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        34⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1776
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        36⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        37⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        38⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        39⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        40⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        41⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        42⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1744
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        43⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1588
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        45⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        46⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2072
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        49⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2812
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        51⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2856
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        53⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        54⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        55⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2620
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        56⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        59⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        60⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        61⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        62⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        63⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        64⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1032
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        65⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1428
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        67⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        68⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        69⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        70⤵
        
        PID:268
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        71⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        72⤵
        
        PID:848
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        73⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        74⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        75⤵
        Adds Run key to start application
        
        PID:1228
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        76⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        77⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        78⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        79⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        80⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        81⤵
        Adds Run key to start application
        
        PID:572
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        82⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        83⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        84⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        85⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        86⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        87⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        88⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        89⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        90⤵
        Adds Run key to start application
        
        PID:1340
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        91⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        92⤵
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        93⤵
        Adds Run key to start application
        
        PID:2336
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        94⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        95⤵
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        96⤵
        Adds Run key to start application
        
        PID:2472
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        97⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        98⤵
        Drops file in System32 directory
        
        PID:2108
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        99⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        100⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        101⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        102⤵
        Adds Run key to start application
        
        PID:2964
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        103⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2872
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        104⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        105⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        106⤵
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        107⤵
        Drops file in System32 directory
        
        PID:3028
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        108⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        109⤵
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        110⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        111⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        112⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        113⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        114⤵
        Adds Run key to start application
        
        PID:2668
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        115⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        116⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        117⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        118⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        119⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        120⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        121⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        122⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        123⤵
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        124⤵
        
        PID:268
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        125⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        126⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        127⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        128⤵
        Drops file in System32 directory
        
        PID:1260
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        129⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        130⤵
        Adds Run key to start application
        
        PID:1496
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        131⤵
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        132⤵
        
        PID:736
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        133⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        134⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        135⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        136⤵
        
        PID:548
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        137⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        138⤵
        Drops file in System32 directory
        
        PID:2172
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        139⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        140⤵
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        141⤵
        
        PID:804
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        142⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        143⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        144⤵
        Adds Run key to start application
        
        PID:1572
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        145⤵
        Adds Run key to start application
        
        PID:1860
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        146⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        147⤵
        Adds Run key to start application
        
        PID:1776
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        148⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        149⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        150⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        151⤵
        Drops file in System32 directory
        
        PID:296
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        152⤵
        Drops file in System32 directory
        
        PID:868
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        153⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        154⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        155⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        156⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        157⤵
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        158⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        159⤵
        Adds Run key to start application
        
        PID:2860
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        160⤵
        Adds Run key to start application
        
        PID:2772
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        161⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        162⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        163⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        164⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        165⤵
        Adds Run key to start application
        
        PID:2664
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        166⤵
        Adds Run key to start application
        
        PID:2568
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        167⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        168⤵
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        169⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        170⤵
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        171⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        172⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        173⤵
        Adds Run key to start application
        
        PID:2564
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        174⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        175⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        176⤵
        Adds Run key to start application
        
        PID:1912
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        177⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        178⤵
        
        PID:364
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        179⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:668
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        180⤵
        
        PID:608
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        181⤵
        Drops file in System32 directory
        
        PID:268
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        182⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        183⤵
        Adds Run key to start application
        
        PID:1716
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        184⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        185⤵
        
        PID:976
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        186⤵
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        187⤵
        
        PID:704
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        188⤵
        Adds Run key to start application
        
        PID:2260
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        189⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1632
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        190⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        191⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        192⤵
        Adds Run key to start application
        
        PID:1268
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        193⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        194⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        195⤵
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        196⤵
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        197⤵
        Adds Run key to start application
        
        PID:1608
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        198⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        199⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        200⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        201⤵
        Drops file in System32 directory
        
        PID:1340
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        202⤵
        Adds Run key to start application
        
        PID:2448
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        203⤵
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        204⤵
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        205⤵
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        206⤵
        Adds Run key to start application
        
        PID:1724
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        207⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        208⤵
        Adds Run key to start application
        
        PID:864
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        209⤵
        Drops file in System32 directory
        
        PID:1960
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        210⤵
        Adds Run key to start application
        
        PID:2736
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        211⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        212⤵
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        213⤵
        
        PID:828
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        214⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        215⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        216⤵
        Adds Run key to start application
        
        PID:2792
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        217⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        218⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        219⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        220⤵
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        221⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        222⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        223⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        224⤵
        Adds Run key to start application
        
        PID:2824
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        225⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        226⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        227⤵
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        228⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        229⤵
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        230⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        231⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        232⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        233⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        234⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        235⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        236⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        237⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        238⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        239⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        240⤵
        
        PID:820
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        241⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        242⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        243⤵
        
        PID:860
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        244⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        245⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        246⤵
        Adds Run key to start application
        
        PID:704
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        247⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        248⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        249⤵
        
        PID:572
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        250⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        251⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        252⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        253⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        254⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        255⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        256⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        257⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        258⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        259⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        260⤵
        
        PID:896
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        261⤵
        
        PID:564
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        262⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        263⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        264⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        265⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        266⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        267⤵
        
        PID:868
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        268⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        269⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        270⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        271⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        272⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        273⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        274⤵
        Adds Run key to start application
        
        PID:828
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        275⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        276⤵
        Adds Run key to start application
        
        PID:2944
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        277⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        278⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        279⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        280⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        281⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        282⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        283⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        284⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        285⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        286⤵
        
        PID:292
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        287⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        288⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        289⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        290⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        291⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        292⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        293⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        294⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        295⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        296⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        297⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        298⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        299⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        300⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        301⤵
        
        PID:824
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        302⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        303⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        304⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        305⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        306⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        307⤵
        
        PID:912
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        308⤵
        
        PID:704
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        309⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        310⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        311⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        312⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        313⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        314⤵
        
        PID:880
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        315⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        316⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        317⤵
        
        PID:832
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        318⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        319⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        320⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        321⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        322⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        323⤵
        
        PID:564
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        324⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        325⤵
        
        PID:916
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        326⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        327⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        328⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        329⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        330⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        331⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        332⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        333⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        334⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        335⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        336⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        337⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        338⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        339⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        340⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        341⤵
        
        PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Csrtss.exe

Filesize
464KB

MD5
395465a3d059cb8a6c22514d1fa1b430

SHA1
c78f803c7b0d943744ac001564dabe206fd63bf2

SHA256
8813b40c98a82c2b6bf57d30351c5cb4728393226999a21ec39ae6f3f933fba3

SHA512
2d4517ebcb23b021691c5df51fcf203080e890a68d45cc8ffc2fba3f4bc49877178bbd3ac8908518e436f03f401829a7c193c3fd1779f2b8cef041fd77a525a1

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
364KB

MD5
1067f5b43b4c1bcad7f3f6935f7f81b0

SHA1
802569b256ed2b05af858a9424fe95f258e7f1b4

SHA256
aea5ce78ace51a7281f7f9db0a882b8da5a1cb7cb69bd7611a591334cde08218

SHA512
ade37305b9610eee278a4cca955d85a7f9239c93356fa54fd110c9585f121ed4d74ed37fabff65f3e1ad6f2d654e57fc36a2e3d74712964f35bb47e1a0e830d8

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
147KB

MD5
a98fb538591c90889b8e199d69c5467f

SHA1
f7613a3e997031dead5aca0eace31ee088d04a62

SHA256
b90744c340a54ff3e8cdfccc3bd4bafdb9a3c6d87459880b8c3268b3ce229eb4

SHA512
068e742666338024953bd98c2b724f8823d4cf3ab5c5c33b185abb4b5aa719904b3980d68bb97f23298b18b48d3df6fe5a6643d5cd2d450e470cdca4c18c62dd

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
60KB

MD5
644cf2da5763472256ed3ecd1b8b5ad8

SHA1
dec2a621cfce94932558fc0b404dc74bdde2f31b

SHA256
6dc7eb7f03df6f05bf54f754b78e9be8cc60419fe6d4fc0bc7e34b84270fdea3

SHA512
7cadccd4ec79db9084750dc147a0af5b534d7565707496b521c99fca395c5923c71eb82c20e5b7739d470ff4394ce55d831f35e55f82a0e9074c3b11150edda5

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
268KB

MD5
1e40592ba0ea09529a4c927d8bfa9d30

SHA1
26a4f154d28a59ca87f8049fe1fdb033ccc8d90c

SHA256
ee45103a70d88fbee640a78a41ef850ae3c7dd3f1891e65be65f6ff35645dd3d

SHA512
2f43c0a8fd7bfe5508e4ff1f2c1ef248cbf36dcd18c392920d5709206954dd5fb9b3ee329650bcef9f28934e2502b30a8d6d17cc9227fb19526d113a200ab123

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
202KB

MD5
65db407856ad2969f2beba0731c26505

SHA1
2155b2163a76dd92caaefc6a1f32dffa46a15765

SHA256
417796091b431821a49217a250be45f54a11831101efc01f0598b3de18b9cb17

SHA512
627b0387154db87dd150891738cee83769db724c43ab9562839d074a4ef6364ad90eb68af076b2a842ec1be8a9e17206fe3d12d01667174804676a187a9c5cea

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
107KB

MD5
b377100b1cb0860bef06d101153d357c

SHA1
aaf7505975bf20106df1572d3c6bf9cd682bac79

SHA256
b7deebe3a5dec89d062e6b25ed2c8863d0604112778b0ef9ef990eb25f53a027

SHA512
cffa6f2fa464ea2d08f8e6e0c5587468f2235e922a9872c5d323efc704ddcb0240bc995a46d13ad781deb0d2601968e2661bb00a191f095fd3a239eefc7e421f

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
23KB

MD5
5a766bac5c0645e8ab4a441a4e387f20

SHA1
d6b6a25c38f3f04aa1c4520ef01f19ef57b7ff62

SHA256
3bd754b006bb978514522e7375007c58ff2f75561a87afd80d7fa4749ae2a3f9

SHA512
3dc5b6dd18ddf7b10d37b59711b96d80c5e5fd9793aad6d58d32bbed2e13956000d272d11d03c9424a1ebabeba0e7cc2e39cd10144752a4ed7daadae72b89ea0

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
409KB

MD5
bd8493639ed2de46228416600f3b84ca

SHA1
39ec32107191299c4b29fc55119371d7df11b763

SHA256
ad5893288cfb4b3dfc915a952308d8c475a39c53b7139faefa7472a4f68a2af9

SHA512
989d3cd24fb409baefbf22f434f9868447a95a7b1c18d84b7e6240e2bb3bed76b4ceb4057e2d578b406abaff2a0670483394bfe0d8cf389219e01f146570c8ab

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
384KB

MD5
4cee809c748882d6a1106a25e071a7c9

SHA1
59d85b69f41890037dfde178dc13ec3788581197

SHA256
417c6d9a6cdec3c9955e9d5c7c1b10af2ce06b87be3b7f23328350abad35eae2

SHA512
4f55d819d0c612083c48722672e1d7b01dfec9ea83fbabd6cfe319aed21d9e23a390a4837685f0f59fa1c501953c2bcd500cb41ab8e757c775d394ec94183402

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
139KB

MD5
3e8ff2ccedf77151b1ff5eb386e340f5

SHA1
020b5008b2e28c439d024818024cfcc27d08a081

SHA256
229c3cdf6ebd2e5d483ee48c2f5e99a04ede005264545b2bcfdb1a2361c6f02f

SHA512
6be175f02dd8703e78ac87060c8f8f4a9994f7a489a1aec9ac84089f53859323368b0f27e21c4b22ffef7e8cb9081f74105a8c599a437bf853655efd40933dab

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
281KB

MD5
5fe4c7b3e7595286b2a5b8cf992694c8

SHA1
e480e2ac65474db29d20ca6ba0c425bf140cca55

SHA256
64c50c1ec2769b2131e7d83d753cfc631367b8b220fa540f4703218acb6a4099

SHA512
8ffc2614b32e8a9fa20d1af675507aa8d9aec627b7ae0c3efd47f29a0665c03ad00777a8141a9422dda74090ea8c8834171c48dbd127c5634fa67ffc2b4d1c5f

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
267KB

MD5
5af6c0f7083e94acffb611c45e12848c

SHA1
9ac0a059d8864b112d6834913e388a97e61841a2

SHA256
6ac4d5fc28abae552a7d65f4d26ce39587a99df277e784054a2520c2ce193df7

SHA512
c80ce8bf934c0634659a055a4822224fd695bec990f278efe79529cf2cc33d11ed33c5559a2cac2594753abefc6ac4e25c0ecebe68c3441c7ab463a3d5b77ac5

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
237KB

MD5
41f78f04c0f2ed7f789dcb4bb6235b94

SHA1
da84fc31a459033b593348b265c0a07b5af0d30f

SHA256
63d7b7695153293b5f7a5e89ba6d57ed84ad6e6d98cb7f5930d1f108ef9f0f6d

SHA512
27c9076a4b71b78ff27a8635989831606f39e70d25fcc622ba4271a4a2f566e6e228d67209825cf749b700eb6ed14edb987eb14c514f3d70563f4d51c629755c

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
132KB

MD5
9f5b9b0ca7bcccdc09da4af1bbe069fe

SHA1
c250c425b4d24beaf43f85abdabc59eab72a2e6a

SHA256
f6bb81868da2136ed2b3608b010007d7736745ae90f4fd41170c84001dd536e4

SHA512
0e1f7a65e0ab0f853f9b2f81c8b688ebc6425ea25f0a77e48643b277501765295e42e5ca77980f25390c169c0d801d7e1e9752ffb0e51f3011fd495942ab43d6

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
40KB

MD5
c3ecdf49b899cea0db1e831c44f05604

SHA1
3199de0c45de9fceec2f5e4e241c9ea5e0b45c8d

SHA256
dda3e40cacef05441b542f4c043476e02377b7cd53cb9af25192b553ba45bc07

SHA512
3cefba4409db138e394fb694f2b7df5294731362507284ebb4d36e83449a5fcb1866437c901a105181def910cfd0ef138e9357063f5d7bd62fb1b64075e0bf3d

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
34KB

MD5
3186025a05443af90ab37a63a0d573ed

SHA1
cc69331406318e3202826baee28fd632a1f90cb8

SHA256
159d28ca1837f907c99f78749e6446e7e496b5efbfb1a6d66693ef88858fadb3

SHA512
1e4c0c0b6495113627606e28469f9aed69bdd64d728df7f42f07f9a9fb3e7c1ccbf2faa1dd1468af5eadf5d6d0ffcc1f541a367da6d01072b24e31395330ada5

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
329KB

MD5
0de826be7371f200c1931cf5c3a45d76

SHA1
9054b4037b0eaab711313d57acd5213d9449ca79

SHA256
46a4dae58e0d79015ba6e17776f92450d1a4d1d60bbb6010caa68631182ed7dd

SHA512
aa17580aedeecadce33e504e5f08961bf3c97b64becdfca61ced6ac9b642dfeb574bd48c5871e269eb99be9baf6af60e1d378fb11b300ca22a62f07373f5943e

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
254KB

MD5
b5668f0620114cad3cc7d2d8b7eb4785

SHA1
d39a9f008ba4c81d9875c52de54889c04b15fe76

SHA256
cc1f6aa6e6c5d5d9ddf126ce58f041b168e2ceb29f409ed7e6e6d0374c925324

SHA512
8d4bea8c55975b9dd0679087f68007f903bab3c9c62fb2b0db7040148572235a51ee3a3d2e5e46485db8c86fff765a480f179b11da25d708a3d558e373318fed

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
123KB

MD5
fbc0c92991356687116873453d813eb3

SHA1
c3308397ecf824f18facb6fec9b23fac06a9f5e4

SHA256
5cba46ddcb7646b146d6254ad2896deb1c69e3432d1294054303739533718366

SHA512
0533c2f459dab42d95f5e74f2e1dc51ef8d906074b974268a7a10ad01c3f6370869076d5fbd792f85f3cf3d5e5e3592accafe6dfabc848ab6f35e0c6e03cb9ab

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
219KB

MD5
78b47ee1b4cfbdfe162d0bfd93dd30fb

SHA1
314d20fa84960aa76e44578114ddcae4612805d2

SHA256
b12deb7634551ca8c401760244a0567eeec6f02e5650ac6b07f6791a39a76e7c

SHA512
873536a96d5d5dbf4b774ec4b2a743a673758c4b13ded0e4adb13dc97d251ddbf4ea116d28147032cc6b23fecceacf2143b1a75d571efd7220d7a4a2b7288579

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
57KB

MD5
b8e45b82656ca6058712237e54b0e2d2

SHA1
1ac18efe3a951ef66afe00bd0a09a6428356a428

SHA256
3d8c12b5c08986f22ac1db7d3f1e886e3fd7e784e454a8fda7ffdfaed50ba777

SHA512
ab51be7f532e951d148801873e7b428727ca8f4e9affb4d170e2282dc7c6a1f03c644fbcbd4f754ff0e517eb20ecb6c060177f241fdb7663c56ea717604dd174

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
64KB

MD5
a3315ae5b27ac68a4a9cbdb427ed3157

SHA1
3ae1438ca538bf45f115cdca97ce17cd8ba11030

SHA256
6cc490220250af6ecb369e4cc68aac6235b282177c3fd836fe28432dfa3424ac

SHA512
76f95ce5ff131c376a352fae031f07d1ac058dbcfb71dc0b2470c834b0f8ab631c8d257e22aa5ca81bbe29ca7050adb95f5d0d1af07418e2fbbf65900c3c54cc

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
435KB

MD5
21ec73950c98029ce2a67cc7291369c1

SHA1
fbc119e928971c6aeaf79281418c6f4b628b46f8

SHA256
75cc171853d3e3f60e4a30ddc8bd040aafe827d4865a0aa2825fbadfee044d20

SHA512
10c23fbce0203e21eef5024f3c6b7554f83431798e70e70dc6733a72664610c14c76ca10069f5d42201d6fdd34b0e4523cfa8538a86ac5dd521c8346b9fc6ec3

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
383KB

MD5
84e56d042effa831117c5d08f96a96d5

SHA1
daa16ec5f5a2b86c1645737d0a2878735bd2b09a

SHA256
ba234d8ea19981041e551b883ac37e9adff66e8a2a4ec4d1ec1f90ad06ce11f7

SHA512
bfcb934406c732c4d1e68cd6e78fa41b503da743b445981acd18ad130d33566e512b388c473f5aeb50f321a036911ad300b1e734813402262f895cc85b182d52

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
225KB

MD5
35f9bf75ec7ff2ce2ac4598d6fdfdba6

SHA1
0f57cc2aa04c5947ee8421bdab4e224c038b4a92

SHA256
8e85ec3747f5a72302dffacacef79e8a5c563bfaed24c06f09b72aca2efa854f

SHA512
44e79ce254d660267f83ce0c0e901ac06caca2fd311fadd684b4eb87a6c421cd862a8e61729114181c7fd78d9126117c4ab905b2953c12005a700c68b35ad3c6

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
471KB

MD5
1cdcb2aa7ed94048ce05a71cbf911b33

SHA1
2f5d084011b7a7942bd0c90a6557397ce87f730b

SHA256
1fdb72c9f14350081f3717e6a70df391fa1aa5ca938c8bd82769bc0c254c17dd

SHA512
5f55cb852349f775cb7dcdcf5de4294c549e7b4a0d44e37f03580b91c5b4175f21c005446c16fc48fab718ac6baf46ee7b4b20236d92ef5ad772561ea91b1263

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
274KB

MD5
4894c503476878c484f0242964b2cdf9

SHA1
43735af6c50bcfdad28b99e55479aac841d57399

SHA256
6feeb0751119276ac39c6442daf4d3a284860430879fc9a3c6dc5c3c065c6c26

SHA512
4a4e2a27d23032ce343af5149d900b1cbdd609391e6c9a9784e871734cbcd6ebd7db556d399f9d7aedf3275a9f40e37d60fa58fc4e1359ec56be7482ce0c1287

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
110KB

MD5
1ff1bda6f6fff9d758271ab2f7cf4ed6

SHA1
22b32512d548255fc94aa4180bb1e14e6a7e08d7

SHA256
57d3f69e601269bee937e616a6a4438b53cda63c7f8d819d2670646a51bea3e6

SHA512
8c026643f2a69894caeeb1dd4426fbccda0d4faa710aa7fc1c058cd7c58f7de1c87f25e562138700b424d7d0e756c431d2f853865b94e5d835ca5bc8ae5f5731

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
162KB

MD5
0aaeba4a9d8c8745a83a45261e7fd6ab

SHA1
a6b5ac682a18163bbca2a2ad769acb204ab63535

SHA256
cd3905db9bd9dbeb141092f7aaa8552aaa2a27a8b9540bb34be9548c67bf0119

SHA512
63a4d314a6cc22558805b07606f76ad9c2d2b9e886caa2f8b94fbb050fc40c582171a35ccc375dbab68da3bb272dd3c9b5694dede4e1f8872f055a01329474d5

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
99KB

MD5
22a08ff990dfc7070f4d6008d7b8ff35

SHA1
913611bce8c4e23544b50a348a4f79da7af906ea

SHA256
e1535b0706b3c80b74185dbeba49d5564c0ed9af6aec4bf73c3b4c31df4c8abf

SHA512
db67668e370571f7416c25b95a530eca1cd8b59d7b2641df2c858369157ffd686b5df778d0a77f7e103785f4d3fbee9a4e61a0890e7f1168aac6cf5435b7484f

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
19KB

MD5
7ba54a84bc774da70ce1da9637035e0f

SHA1
15588b82d64203fa18e5aab6026b2686d0fa827d

SHA256
07249d257188394c69f1e152aaf4e3ede15d7008887a7fc01ba1126a93b7f8b9

SHA512
1379d35efe0c3fc5d2ef3b507745be8b7d6d249bd53cc6aa792018750388b26d1f238e0bfa0905f34dd9a93e926e5e82242ffeedaacc2e5c059b78324bcc6a5c

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
364KB

MD5
e4df41420013afb2827dcf768bf494b6

SHA1
954f3975eec489c1ac990c7228e0a2cfe4433833

SHA256
849ff1f743afe3c4238e5ddca678b4f8370dad0d522212c1446609ee04b8505c

SHA512
2d54ecf78a16a0816862c40659eeef8476dec7c83ab07368da26b809f4a44eeb580635cd63084d84150605b089f5dce78e0cf29926c336e80f6f079bd270f98a

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
157KB

MD5
bd0e6c0ca4a2dc3fa011e25e6486ff25

SHA1
0a9a513ee861a7ee3bdb7bf732ccea50b631a0d4

SHA256
00116b1a9c7304b61677127f46c6feaa5710d0c8672bb0e046b6c30501bb739f

SHA512
4a525787e86a1be9ba5e4be2f07bfce46e52629dc67f7db3349f440eaa700646f135e67f67e672441c741cea827ba124cf09c3ae7909d0250108675664c93a36

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
308KB

MD5
f67840b7f24d312f2a4b08675df4f6fb

SHA1
c3d66d52ea472a8e8621ae2d33b73eafd7a216ad

SHA256
bfdbda6ef37c04ea0984f07eeeb8c197992a02b2ccf45e9ca12e982b2c563d17

SHA512
9502da4902049d4cd4388404e2940bfb999f4f2d5741fa484b00fc5b41647481bfebd512f6975bcda27242c7afdc63aa5ad55aea558d20df8b4e4eae9050cd69

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
211KB

MD5
3ebe4c903a1c367cc3ef81ef5312d6d7

SHA1
97b462d0530f312824eba516901555364e2718b4

SHA256
0ea62016f6430bc9f137dfeec4b98187ae887ea58be4035b4deb8c97ed78aa6c

SHA512
ba973fe59d678409a68615c309e6e13b7ae89e4ad037986677d0567d212c71beab00dcf068fa77c54b5bdb9d953e1fa9963cca34fad2bcb4c698dbf81aab7953

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
182KB

MD5
ff7c5b3620a84afcc09f4f7cebbfca03

SHA1
d2db90b95153a39354135fb5ec380612975a7d88

SHA256
7259793c70e3783a284df15f5538b4827e8864efd22128bc640804023ac8dda3

SHA512
d233ece9a9719c7e7b84aee35a4ab0815822151198840e3b11894751ee56a817525699ce5a0653476dad7468d684f33bce0837032ec51e3f1bc3524cb0f2434a

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
254KB

MD5
c83e9a2c22ebd57d4de21ca4d7d7f40e

SHA1
ec1e99f438cb71dd66fd9613a1527f077c731734

SHA256
b08e5f3d39b4deca60a1ff0f09726304bcabca72193df2bdef509947ee8ca91b

SHA512
45f60c2a294ba6adf82b3ca4f37213bf436063cdc71c8956056ee1dbe5dfe2b01de165efd56d0ecc02124024ac3d0f22493998e93524b6c839b96cb7325e72e8

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
308KB

MD5
41fcae3ca683838e1c3667eb6eaec002

SHA1
567ba5338873953f003cca1b5db1908c97ee1ee8

SHA256
7ce586e7668bffabf0ef03c10d5c23d2f5ae611827655565fe34c60183c35c61

SHA512
007a8e5f1573a4481235c9b5ba67884c7302de322ec6c7447ee12af2b4f9a603d19bec0669362af19908c7ff62ac587696073956dc2ded8a7ac28d8a13451070

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
382KB

MD5
8c7aa7b8b6c36249205f147de43de1cf

SHA1
4f7426bd888f2b7e86fe2c90c0812ba34ecc982e

SHA256
975aa76799f3563835107e3dc60dbc63a86a6ca3d2599a23622d025fe3888368

SHA512
0845afe70847ea2e5cc5d03a3eaaafc15e78a0189e4b4ad59c07a4ebc595751ed0da716ec90720c048ffb2454d16c90e5f2e361ac714677dee18054c35440545

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
259KB

MD5
be13c36d4dea046ab3dbe1784df09dc3

SHA1
f70693a4a12998e41dd860f595c1858cb2544042

SHA256
c9853df816f49f19a1143754380b28c5abbb4c993f944bc993496006a49909a2

SHA512
105177d8f867a45c6f589b7a8e8afabdc50113419a408b560aef8ae8e6d290048c109774a806154944faf0460cf0959bf8152f3f24ff2876aa13fd27ca55eab2

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
148KB

MD5
db17645a77c0db4f7d9533a72e75664c

SHA1
f33f5d5e0a2fb860dada3c5e44c23199fa701cbc

SHA256
8f940917176e051d4b33450b6af47c5a4c011f2d0e72ce9ec9251ca60519eaf6

SHA512
7cde6b222334410050d675c108f0c26803ad3f97a94b810607a2d455c550ab6ec6a486a917cae931bc7afa26e8470b1319f766a7aab815256511f9b7a8d55918

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
396KB

MD5
3fbb9e7b6c155ba97f7e7894fb529c74

SHA1
8ec3f949ac9d9a8d1a75dc5be4813c08b666be68

SHA256
75c90890d34b8b78d9fa7a99bc3d35398b16f99dba264d611a45674d2c6aa778

SHA512
f62e0c0cd404b4e4277673346f5b1ae8fa493eeb0f78719e5e98a409259c6eef9d8adba05801144f6836db7958697b50f4e2ac103aed151256343e5a4e6ee46d

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
369KB

MD5
b843b1d7cd2681586d1189b53d63aa13

SHA1
b4aae4c76645801a1677725107d49996215e84ea

SHA256
f8e5791ea346ac5d4923a339c80c9de292444fdee8e447f799668f7dd00b9e70

SHA512
f614e79e21ed866b521e7c36816616a231cfa2c79ac5eacda8d730b73ac18313c480247225bcaa2a1b4eb9669596896906b8b4062e1d0b4ca26e3a1f9b38277d

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
233KB

MD5
068891786653dfd65812bae90b65b1ec

SHA1
cc751ae66df236f7e9361e95c2d4527e1ad1d13a

SHA256
25e241feecced91149da75e2a5f96ad82d09fc315c425866587f568b046ae88a

SHA512
d60ac8a46fd22b42cb66312bb365988c6d30aa8b511cd3decc3aa78158574e77ac59877886228dc2d886c3f1409556e7208e2adaaff191014cce8104ec807ed8

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
265KB

MD5
6735ca99bfa9302faffcb31561bbe0b3

SHA1
88ec979c341acd0d8a854f4cf47c820b5d392a4a

SHA256
cdd5eab223c943c293f128a57ecc96bfb1678d4fd09391ff3140ada5a77b9655

SHA512
85e7c90fea137c101a97fdf7d27f97c9f775d5c67a9df91368c566aab3f25124af32d355189fdcf14c05ba742147cceb33b27453f97e9033765854873234ce53

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
82KB

MD5
172b26d5c1d0e65de16e6206175f41eb

SHA1
aa60e4f0fcfcae3c3f0fec21fae882aa7c15fd0f

SHA256
ff04a8b7786c0b5b52b3f33d14cd312fc31ea183f4d8bd5c29c97af76566d647

SHA512
0005abc95f0a2a4afdad91706c0a779de49a3302846c440afe22350721bb5c71e5d827bdbb925a88206ff80b1ceb72cf8b5ac80c6d02682ee9237f6bb32c403a

Download Submit
\Windows\SysWOW64\Csrtss.exe

Filesize
136KB

MD5
0f2fa27102e5dcdaf6e770f7a4eb1ed1

SHA1
780a98a4a4b886155684877687f1dc93463e854b

SHA256
32c353597dbdbe0a55f7f51796e24293dceceeeec211e8862490ce5f7c71b0df

SHA512
e08adf4aa7186e3fce5e42aadf44f49042ccffb196a009a25bcd46cb24e156e97614574b9ed9092c0f6a985fbb3b0c24a5930830a3b2fd8352c74c05fdaeea64

Download Submit
memory/268-199-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/608-90-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/704-112-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/704-111-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/848-203-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/880-122-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/880-121-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/916-136-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/916-137-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1020-183-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1032-187-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1032-189-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1132-125-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1132-126-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1164-144-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1164-143-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1196-85-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1196-82-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1228-208-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1332-95-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1332-99-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1340-130-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1340-131-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1360-110-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1360-109-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1428-190-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1436-197-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1488-195-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1540-128-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1540-129-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1576-201-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1588-150-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1628-12-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1628-17-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1652-178-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1652-177-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1692-72-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1692-68-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1716-205-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1724-141-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1724-140-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1744-147-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1744-148-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1756-76-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1768-127-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1776-135-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1776-134-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1784-108-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1796-163-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1796-164-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1804-145-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1804-146-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1816-133-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1816-132-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1904-185-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1904-184-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1916-179-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/1916-180-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1988-46-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1988-43-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2028-138-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2028-139-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2072-157-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2072-0-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2072-155-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2072-11-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2132-153-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2132-151-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2136-193-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2296-113-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2296-114-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2320-118-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2320-117-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2384-104-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2384-100-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2428-124-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2428-123-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2440-116-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2440-115-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2452-119-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2452-120-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2460-149-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2524-81-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2524-77-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2540-94-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2572-48-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2572-52-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2596-168-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2596-167-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2608-42-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2608-38-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2620-172-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2620-171-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2628-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2628-67-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2640-174-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2640-173-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2648-170-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2648-169-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2656-53-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2656-57-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2676-182-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2676-181-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2720-28-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2720-32-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2728-156-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2728-158-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2752-33-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2752-36-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2784-162-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2784-161-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2784-18-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2784-22-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2788-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2788-27-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2812-159-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2812-160-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2832-142-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2856-166-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2856-165-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2916-58-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2916-62-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2916-188-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2916-186-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2948-152-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2948-154-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3044-175-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/3044-176-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download