1fdb72c9f14350081f3717e6a70df391fa1aa5ca938c8bd82769bc0c254c17dd

Analysis

max time kernel
10s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cdcb2aa7ed94048ce05a71cbf911b33.exe
Size

471KB
MD5

1cdcb2aa7ed94048ce05a71cbf911b33
SHA1

2f5d084011b7a7942bd0c90a6557397ce87f730b
SHA256

1fdb72c9f14350081f3717e6a70df391fa1aa5ca938c8bd82769bc0c254c17dd
SHA512

5f55cb852349f775cb7dcdcf5de4294c549e7b4a0d44e37f03580b91c5b4175f21c005446c16fc48fab718ac6baf46ee7b4b20236d92ef5ad772561ea91b1263
SSDEEP

6144:/1XacXavNFEoNkqPg5I0KVTHyPWOYMI6dn0z76fcCEmi/id6mmtCv1HC:/1Xa02H2KV+WKI6V0ZCEmi/i8m4Cg

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	1cdcb2aa7ed94048ce05a71cbf911b33.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	Csrtss.exe

Executes dropped EXE 17 IoCs

pid	Process
2080	Csrtss.exe
3716	Csrtss.exe
2512	Csrtss.exe
4020	Csrtss.exe
1808	Csrtss.exe
4028	Csrtss.exe
4364	Csrtss.exe
3468	Csrtss.exe
4264	Csrtss.exe
2824	Csrtss.exe
2848	Csrtss.exe
3812	Csrtss.exe
768	Csrtss.exe
2704	Csrtss.exe
2528	Csrtss.exe
4992	Csrtss.exe
4356	Csrtss.exe

Adds Run key to start application 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	1cdcb2aa7ed94048ce05a71cbf911b33.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System132 = "C:\\Windows\\system32\\Csrtss.exe"	Csrtss.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	1cdcb2aa7ed94048ce05a71cbf911b33.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	1cdcb2aa7ed94048ce05a71cbf911b33.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File opened for modification	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe
File created	C:\Windows\SysWOW64\Csrtss.exe	Csrtss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
Token: SeDebugPrivilege	1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe
Token: SeDebugPrivilege	2080	Csrtss.exe
Token: SeDebugPrivilege	2080	Csrtss.exe
Token: SeDebugPrivilege	3716	Csrtss.exe
Token: SeDebugPrivilege	3716	Csrtss.exe
Token: SeDebugPrivilege	2512	Csrtss.exe
Token: SeDebugPrivilege	2512	Csrtss.exe
Token: SeDebugPrivilege	4020	Csrtss.exe
Token: SeDebugPrivilege	4020	Csrtss.exe
Token: SeDebugPrivilege	1808	Csrtss.exe
Token: SeDebugPrivilege	1808	Csrtss.exe
Token: SeDebugPrivilege	4028	Csrtss.exe
Token: SeDebugPrivilege	4028	Csrtss.exe
Token: SeDebugPrivilege	4364	Csrtss.exe
Token: SeDebugPrivilege	4364	Csrtss.exe
Token: SeDebugPrivilege	3468	Csrtss.exe
Token: SeDebugPrivilege	3468	Csrtss.exe
Token: SeDebugPrivilege	4264	Csrtss.exe
Token: SeDebugPrivilege	4264	Csrtss.exe
Token: SeDebugPrivilege	2824	Csrtss.exe
Token: SeDebugPrivilege	2824	Csrtss.exe
Token: SeDebugPrivilege	2848	Csrtss.exe
Token: SeDebugPrivilege	2848	Csrtss.exe
Token: SeDebugPrivilege	3812	Csrtss.exe
Token: SeDebugPrivilege	3812	Csrtss.exe
Token: SeDebugPrivilege	768	Csrtss.exe
Token: SeDebugPrivilege	768	Csrtss.exe
Token: SeDebugPrivilege	2704	Csrtss.exe
Token: SeDebugPrivilege	2704	Csrtss.exe
Token: SeDebugPrivilege	2528	Csrtss.exe
Token: SeDebugPrivilege	2528	Csrtss.exe
Token: SeDebugPrivilege	4992	Csrtss.exe
Token: SeDebugPrivilege	4992	Csrtss.exe
Token: SeDebugPrivilege	4356	Csrtss.exe
Token: SeDebugPrivilege	4356	Csrtss.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2080	1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe	273
PID 1752 wrote to memory of 2080	1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe	273
PID 1752 wrote to memory of 2080	1752	1cdcb2aa7ed94048ce05a71cbf911b33.exe	273
PID 2080 wrote to memory of 3716	2080	Csrtss.exe	160
PID 2080 wrote to memory of 3716	2080	Csrtss.exe	160
PID 2080 wrote to memory of 3716	2080	Csrtss.exe	160
PID 3716 wrote to memory of 2512	3716	Csrtss.exe	236
PID 3716 wrote to memory of 2512	3716	Csrtss.exe	236
PID 3716 wrote to memory of 2512	3716	Csrtss.exe	236
PID 2512 wrote to memory of 4020	2512	Csrtss.exe	95
PID 2512 wrote to memory of 4020	2512	Csrtss.exe	95
PID 2512 wrote to memory of 4020	2512	Csrtss.exe	95
PID 4020 wrote to memory of 1808	4020	Csrtss.exe	135
PID 4020 wrote to memory of 1808	4020	Csrtss.exe	135
PID 4020 wrote to memory of 1808	4020	Csrtss.exe	135
PID 1808 wrote to memory of 4028	1808	Csrtss.exe	97
PID 1808 wrote to memory of 4028	1808	Csrtss.exe	97
PID 1808 wrote to memory of 4028	1808	Csrtss.exe	97
PID 4028 wrote to memory of 4364	4028	Csrtss.exe	261
PID 4028 wrote to memory of 4364	4028	Csrtss.exe	261
PID 4028 wrote to memory of 4364	4028	Csrtss.exe	261
PID 4364 wrote to memory of 3468	4364	Csrtss.exe	99
PID 4364 wrote to memory of 3468	4364	Csrtss.exe	99
PID 4364 wrote to memory of 3468	4364	Csrtss.exe	99
PID 3468 wrote to memory of 4264	3468	Csrtss.exe	100
PID 3468 wrote to memory of 4264	3468	Csrtss.exe	100
PID 3468 wrote to memory of 4264	3468	Csrtss.exe	100
PID 4264 wrote to memory of 2824	4264	Csrtss.exe	101
PID 4264 wrote to memory of 2824	4264	Csrtss.exe	101
PID 4264 wrote to memory of 2824	4264	Csrtss.exe	101
PID 2824 wrote to memory of 2848	2824	Csrtss.exe	104
PID 2824 wrote to memory of 2848	2824	Csrtss.exe	104
PID 2824 wrote to memory of 2848	2824	Csrtss.exe	104
PID 2848 wrote to memory of 3812	2848	Csrtss.exe	105
PID 2848 wrote to memory of 3812	2848	Csrtss.exe	105
PID 2848 wrote to memory of 3812	2848	Csrtss.exe	105
PID 3812 wrote to memory of 768	3812	Csrtss.exe	108
PID 3812 wrote to memory of 768	3812	Csrtss.exe	108
PID 3812 wrote to memory of 768	3812	Csrtss.exe	108
PID 768 wrote to memory of 2704	768	Csrtss.exe	109
PID 768 wrote to memory of 2704	768	Csrtss.exe	109
PID 768 wrote to memory of 2704	768	Csrtss.exe	109
PID 2704 wrote to memory of 2528	2704	Csrtss.exe	110
PID 2704 wrote to memory of 2528	2704	Csrtss.exe	110
PID 2704 wrote to memory of 2528	2704	Csrtss.exe	110
PID 2528 wrote to memory of 4992	2528	Csrtss.exe	111
PID 2528 wrote to memory of 4992	2528	Csrtss.exe	111
PID 2528 wrote to memory of 4992	2528	Csrtss.exe	111
PID 4992 wrote to memory of 4356	4992	Csrtss.exe	303
PID 4992 wrote to memory of 4356	4992	Csrtss.exe	303
PID 4992 wrote to memory of 4356	4992	Csrtss.exe	303

C:\Users\Admin\AppData\Local\Temp\1cdcb2aa7ed94048ce05a71cbf911b33.exe
"C:\Users\Admin\AppData\Local\Temp\1cdcb2aa7ed94048ce05a71cbf911b33.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\Csrtss.exe
  "C:\Windows\system32\Csrtss.exe" "C:\Users\Admin\AppData\Local\Temp\1cdcb2aa7ed94048ce05a71cbf911b33.exe"
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\Csrtss.exe
    "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
    3⤵
    PID:3716
  - - C:\Windows\SysWOW64\Csrtss.exe
      "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
      4⤵
      PID:2512
    - - C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        6⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        8⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        18⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        19⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        20⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        21⤵
        
        PID:220
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        22⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        23⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        24⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        25⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        26⤵
        
        PID:556
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        27⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        28⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        29⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        30⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        31⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        32⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        33⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        34⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        35⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        36⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        37⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        39⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        40⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        41⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        42⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        43⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        44⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        45⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        46⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        47⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        48⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        49⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        50⤵
        
        PID:352
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        51⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        52⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        53⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        54⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        55⤵
        
        PID:640
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        56⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        57⤵
        
        PID:932
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        58⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        59⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        60⤵
        
        PID:808
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        61⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        62⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        63⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        64⤵
        
        PID:536
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        65⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        66⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        67⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        68⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        69⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        70⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        71⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        72⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        73⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        74⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        75⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        76⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        77⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        78⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        79⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        80⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        81⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        82⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        83⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        84⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        85⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        86⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        87⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        88⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        89⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        90⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        91⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        92⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        93⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        94⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        95⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        96⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        97⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        98⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        99⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        100⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        101⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        102⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        103⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        104⤵
        
        PID:696
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        105⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        106⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        107⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        108⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        109⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        110⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        111⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        112⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        113⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        114⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        115⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        116⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        117⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        118⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        119⤵
        
        PID:560
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        120⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        121⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        122⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        123⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        124⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        125⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        126⤵
        
        PID:668
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        127⤵
        
        PID:812
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        128⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        129⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        130⤵
        
        PID:952
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        131⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        132⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        133⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        134⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        135⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        136⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        137⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        138⤵
        
        PID:220
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        139⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        140⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        141⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        142⤵
        
        PID:536
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        143⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        144⤵
        
        PID:744
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        145⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        146⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        147⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        148⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        149⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        150⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        151⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        152⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        153⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        154⤵
        
        PID:400
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        155⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        156⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        157⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        158⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        159⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        160⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        161⤵
        
        PID:668
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        162⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        163⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        164⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        165⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        166⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        167⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        168⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        169⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        170⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        171⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        172⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        173⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        174⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        175⤵
        
        PID:752
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        176⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        177⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        178⤵
        
        PID:220
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        179⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        180⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        181⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        182⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        183⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        184⤵
        
        PID:520
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        185⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        186⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        187⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        188⤵
        
        PID:764
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        189⤵
        
        PID:468
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        190⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        191⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        192⤵
        
        PID:872
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        193⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        194⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        195⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        196⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        197⤵
        
        PID:472
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        198⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        199⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        200⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4356
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        201⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        202⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        203⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        204⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        205⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        206⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        207⤵
        
        PID:208
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        208⤵
        
        PID:516
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        209⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        210⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        211⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        212⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        213⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        214⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        215⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        216⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        217⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        218⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        219⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        220⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        221⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        222⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        223⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        224⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        225⤵
        
        PID:864
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        226⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        227⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        228⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        229⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        230⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        231⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        232⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        233⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        234⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        235⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        236⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        237⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        238⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        239⤵
        
        PID:556
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        240⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        241⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        242⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        243⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        244⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        245⤵
        
        PID:544
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        246⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        247⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        248⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        249⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        250⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        251⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        252⤵
        
        PID:888
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        253⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        254⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        255⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Csrtss.exe
        
        "C:\Windows\system32\Csrtss.exe" "C:\Windows\SysWOW64\Csrtss.exe"
        256⤵
        
        PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Csrtss.exe

Filesize
384KB

MD5
4cee809c748882d6a1106a25e071a7c9

SHA1
59d85b69f41890037dfde178dc13ec3788581197

SHA256
417c6d9a6cdec3c9955e9d5c7c1b10af2ce06b87be3b7f23328350abad35eae2

SHA512
4f55d819d0c612083c48722672e1d7b01dfec9ea83fbabd6cfe319aed21d9e23a390a4837685f0f59fa1c501953c2bcd500cb41ab8e757c775d394ec94183402

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
92KB

MD5
597677ec018c307f069d0da7a2020d46

SHA1
a4c8b0988ddce69a4ab1061c269a60ab90c405dd

SHA256
a4f2189975d9576c749bde80a912e4f68ffa7e93808f5dd1117b9b2f796ae096

SHA512
29784a1d6d10734cf70a6e17c3e507fa0ed3cdc56b15f453fc6e4dc4085a543e871af758e8e8c0838054758f80e1ae4553c61e68f24d3c9916abfc488e92b8d5

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
348KB

MD5
7d72c2a2b6c41faab6460ae38d775545

SHA1
2b640c9a01a534e464f1b287740463ebf5184687

SHA256
6aba4e4c2b05b1adcb3e797c957e42bf224bab4befe10c7b5e7b20adbb548cfe

SHA512
2cb9c5d74cbbeb4571bca7a3301a6ee1605c786568b5924545b368b5140c771fafdee70d024bda63cad1e8e21d20ba288064e93f6a727df4d1e815f17d62f980

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
93KB

MD5
51da5efbe90ab134e35b386fb8e722ee

SHA1
e662706c81d2a54c1a8e9ae3b7b15887b60dc1ec

SHA256
0f6455fef39d40f19c65dbc5ce5a2eccde270a1aca713bb893fbb2c1d0f9cceb

SHA512
71562bb4cfbfa5af1f98ca667eca2b88c918ee12c91a2dbef1d6db49a14cb251f414c3d233ae0f67e38c466b602a4249d2222088c67b4c98a9acaa3b628cdd74

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
382KB

MD5
ed3125f4b8046bb556511f272e798786

SHA1
a155200d755ebacfdec50dbfb6d080600b29811d

SHA256
355fff88f0109b1066476d961ff9b44470d68628019eea61c09414213842a74a

SHA512
49ff36c62fa78627a97af323f0a14a98b7a3d2f0678ebca5694cf931e4ba71b918e2999646b9f9fa2b688f2d34b33b490ed7aa25c41a84fe44d35309f03e96ac

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
471KB

MD5
1cdcb2aa7ed94048ce05a71cbf911b33

SHA1
2f5d084011b7a7942bd0c90a6557397ce87f730b

SHA256
1fdb72c9f14350081f3717e6a70df391fa1aa5ca938c8bd82769bc0c254c17dd

SHA512
5f55cb852349f775cb7dcdcf5de4294c549e7b4a0d44e37f03580b91c5b4175f21c005446c16fc48fab718ac6baf46ee7b4b20236d92ef5ad772561ea91b1263

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
381KB

MD5
53c27b2636e2846692a2d7371286a2d5

SHA1
c712d31fecdfbaab36c5eada24de0769a61477a4

SHA256
644075c626333dc931d620b90c5767707584cf8bb13c5a1a8ee81184e772b5a4

SHA512
7ad570eebe317d36912e6c0b8815a51d84960fdf16a786c2806612881d170c0831db9c48aff23ed91fab545ab7e5c274038468e2d6608e4de9574c37d8666f87

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
95KB

MD5
259db2fb5099ee154e6dd70e81996538

SHA1
b60ede465ceb931b0f0011a743b7ebcf4f413253

SHA256
3793957b3522ffafb42e7d72982c99cfbf540b4ad8b8af667e11504e8ffa3f80

SHA512
45a7c24200eb7f46669677fc96d217581b2c428804702ea0dea86ffda7647782599dcaa835b32feaa57cba6025c2d9321d546b1b2836b0a148d1f2eafd80b550

Download Submit
C:\Windows\SysWOW64\Csrtss.exe

Filesize
99KB

MD5
a6a55bd9712754a322446fb19a2884b9

SHA1
f32e2e44f1841e8bedbe2e290493c2cf0debc748

SHA256
84aa2a46cfab76d90b63cfc8d0ed6742cb0f840eddeda9a859109fad4258f323

SHA512
4a0717ec9ac6b34c992ee6e9fcfcfa8df8ed616d5cf5f22011b76b4383e9340ad97b21c87b812a3204aa9a807babf7ce60e0bf5e22d10b698f3c25ae2bba7b4e

Download Submit
memory/220-68-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/220-70-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/352-155-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/352-153-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/536-194-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/536-195-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/556-83-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/556-85-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/640-169-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/640-167-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/768-49-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/768-47-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/808-144-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/808-184-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/808-182-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/808-146-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/932-173-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/932-175-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1020-150-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1020-152-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1048-158-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1048-156-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1052-77-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/1052-79-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1176-105-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1176-103-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1180-71-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/1180-73-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1252-97-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/1252-99-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1456-178-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1456-176-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/1552-166-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1552-164-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1728-62-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1728-64-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1752-0-0x0000000002340000-0x0000000002341000-memory.dmp

Filesize
4KB

Download
memory/1752-10-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1808-119-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1808-117-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/1808-25-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1808-23-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2080-11-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2080-13-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2316-198-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2344-163-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2344-161-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/2472-128-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2472-126-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/2476-123-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2476-125-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2512-17-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/2512-19-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2528-55-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2528-53-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/2552-65-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2552-67-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2704-52-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2704-50-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2824-40-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2824-38-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2848-43-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2848-41-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/2884-106-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2884-108-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2920-76-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2920-74-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/2956-102-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2956-100-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3000-132-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3000-134-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3004-196-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/3220-160-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3244-116-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3244-114-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/3268-172-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3268-170-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/3296-179-0x0000000002110000-0x0000000002111000-memory.dmp

Filesize
4KB

Download
memory/3296-181-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3392-140-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3392-138-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3468-34-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3468-32-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/3668-122-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3668-120-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/3700-88-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3700-90-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3708-111-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3708-113-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3716-110-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3716-16-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3716-187-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3716-185-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3716-14-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3812-46-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3812-44-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/3868-147-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3868-149-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3880-188-0x0000000002200000-0x0000000002201000-memory.dmp

Filesize
4KB

Download
memory/3880-190-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3888-200-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/3996-143-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3996-141-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/4020-22-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4020-20-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4028-26-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4028-28-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4040-87-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4120-193-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4120-191-0x00000000021E0000-0x00000000021E1000-memory.dmp

Filesize
4KB

Download
memory/4264-37-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4264-35-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/4356-59-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4356-61-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4364-29-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/4364-31-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4800-96-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4800-94-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/4808-131-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4808-129-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4972-82-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4972-80-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4980-137-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4980-135-0x0000000002310000-0x0000000002311000-memory.dmp

Filesize
4KB

Download
memory/4992-56-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4992-58-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/5104-91-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/5104-93-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download