Analysis
max time kernel: 152s
max time network: 36s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 16:50
Behavioral task: behavioral1
Sample: de9032bf1eed5f793f70d5ed1334c56a.exe
Resource: win7v20201028
0 signatures
0 seconds
General
Target: de9032bf1eed5f793f70d5ed1334c56a.exe
Size: 3.5MB
MD5: de9032bf1eed5f793f70d5ed1334c56a
SHA1: 97fc2dacf52c303abf05a87cb05e5557062bc98c
SHA256: 9723390a444dcfe54f9838e5b7877ffa51903e40fc0876ad630784103f388b39
SHA512: 92dce12e908548e13b057fe60202108bf1e3954b6cea900be7679cb6f8b441c54c3bff30ea0c34b197fb1eb560f63722ef4bb75250de822c34ce0f16c7bd7043
Malware Config
Signatures
resource                                  yara_rule
behavioral1/files/0x00040000000130d3-7.dat  fakeav
behavioral1/files/0x00040000000130d3-9.dat  fakeav
Executes dropped EXE 119 IoCs
Sets file execution options in registry 2 TTPs
Loads dropped DLL 242 IoCs
Adds Run key to start application 2 TTPs 111 IoCs
Drops file in System32 directory 219 IoCs
LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe srtsrv32.exe File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\srtsrv32.exe de9032bf1eed5f793f70d5ed1334c56a.exe File created C:\Windows\SysWOW64\LSASSMGR.EXE srtsrv32.exe File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification 
C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\lssmon.exe de9032bf1eed5f793f70d5ed1334c56a.exe File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE srtsrv32.exe File opened for modification C:\Windows\SysWOW64\spool.exe srtsrv32.exe File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE 
File created C:\Windows\SysWOW64\spool.exe srtsrv32.exe File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE -
Drops file in Program Files directory 214 IoCs
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\divx32.dll de9032bf1eed5f793f70d5ed1334c56a.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1232 2012 WerFault.exe 27 -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 1232 WerFault.exe 1232 WerFault.exe 1232 WerFault.exe 1232 WerFault.exe 1232 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1232 WerFault.exe -
Suspicious use of WriteProcessMemory 484 IoCs
memory of 1540 1664 LSASSMGR.EXE 62 PID 1664 wrote to memory of 1540 1664 LSASSMGR.EXE 62 PID 1664 wrote to memory of 1540 1664 LSASSMGR.EXE 62 PID 1300 wrote to memory of 1004 1300 LSASSMGR.EXE 63 PID 1300 wrote to memory of 1004 1300 LSASSMGR.EXE 63 PID 1300 wrote to memory of 1004 1300 LSASSMGR.EXE 63 PID 1300 wrote to memory of 1004 1300 LSASSMGR.EXE 63 PID 392 wrote to memory of 1736 392 LSASSMGR.EXE 64 PID 392 wrote to memory of 1736 392 LSASSMGR.EXE 64 PID 392 wrote to memory of 1736 392 LSASSMGR.EXE 64 PID 392 wrote to memory of 1736 392 LSASSMGR.EXE 64 PID 832 wrote to memory of 1708 832 LSASSMGR.EXE 98 PID 832 wrote to memory of 1708 832 LSASSMGR.EXE 98 PID 832 wrote to memory of 1708 832 LSASSMGR.EXE 98 PID 832 wrote to memory of 1708 832 LSASSMGR.EXE 98 PID 1540 wrote to memory of 1016 1540 LSASSMGR.EXE 68 PID 1540 wrote to memory of 1016 1540 LSASSMGR.EXE 68 PID 1540 wrote to memory of 1016 1540 LSASSMGR.EXE 68 PID 1540 wrote to memory of 1016 1540 LSASSMGR.EXE 68 PID 1708 wrote to memory of 1008 1708 LSASSMGR.EXE 67 PID 1708 wrote to memory of 1008 1708 LSASSMGR.EXE 67 PID 1708 wrote to memory of 1008 1708 LSASSMGR.EXE 67 PID 1708 wrote to memory of 1008 1708 LSASSMGR.EXE 67 PID 1004 wrote to memory of 1616 1004 LSASSMGR.EXE 99 PID 1004 wrote to memory of 1616 1004 LSASSMGR.EXE 99 PID 1004 wrote to memory of 1616 1004 LSASSMGR.EXE 99 PID 1004 wrote to memory of 1616 1004 LSASSMGR.EXE 99 PID 1736 wrote to memory of 1780 1736 LSASSMGR.EXE 66 PID 1736 wrote to memory of 1780 1736 LSASSMGR.EXE 66 PID 1736 wrote to memory of 1780 1736 LSASSMGR.EXE 66 PID 1736 wrote to memory of 1780 1736 LSASSMGR.EXE 66 PID 1016 wrote to memory of 1928 1016 LSASSMGR.EXE 70 PID 1016 wrote to memory of 1928 1016 LSASSMGR.EXE 70 PID 1016 wrote to memory of 1928 1016 LSASSMGR.EXE 70 PID 1016 wrote to memory of 1928 1016 LSASSMGR.EXE 70 PID 1780 wrote to memory of 1880 1780 LSASSMGR.EXE 72 PID 1780 wrote to memory of 1880 1780 LSASSMGR.EXE 72 PID 1780 wrote to memory of 1880 
1780 LSASSMGR.EXE 72 PID 1780 wrote to memory of 1880 1780 LSASSMGR.EXE 72 PID 1616 wrote to memory of 1556 1616 LSASSMGR.EXE 71 PID 1616 wrote to memory of 1556 1616 LSASSMGR.EXE 71 PID 1616 wrote to memory of 1556 1616 LSASSMGR.EXE 71 PID 1616 wrote to memory of 1556 1616 LSASSMGR.EXE 71 PID 1008 wrote to memory of 2020 1008 LSASSMGR.EXE 73 PID 1008 wrote to memory of 2020 1008 LSASSMGR.EXE 73 PID 1008 wrote to memory of 2020 1008 LSASSMGR.EXE 73 PID 1008 wrote to memory of 2020 1008 LSASSMGR.EXE 73 PID 1928 wrote to memory of 636 1928 LSASSMGR.EXE 74 PID 1928 wrote to memory of 636 1928 LSASSMGR.EXE 74 PID 1928 wrote to memory of 636 1928 LSASSMGR.EXE 74 PID 1928 wrote to memory of 636 1928 LSASSMGR.EXE 74 PID 1880 wrote to memory of 1204 1880 LSASSMGR.EXE 75 PID 1880 wrote to memory of 1204 1880 LSASSMGR.EXE 75 PID 1880 wrote to memory of 1204 1880 LSASSMGR.EXE 75 PID 1880 wrote to memory of 1204 1880 LSASSMGR.EXE 75 PID 1556 wrote to memory of 1656 1556 LSASSMGR.EXE 76 PID 1556 wrote to memory of 1656 1556 LSASSMGR.EXE 76 PID 1556 wrote to memory of 1656 1556 LSASSMGR.EXE 76 PID 1556 wrote to memory of 1656 1556 LSASSMGR.EXE 76 PID 2020 wrote to memory of 2024 2020 LSASSMGR.EXE 77 PID 2020 wrote to memory of 2024 2020 LSASSMGR.EXE 77 PID 2020 wrote to memory of 2024 2020 LSASSMGR.EXE 77 PID 2020 wrote to memory of 2024 2020 LSASSMGR.EXE 77 PID 1656 wrote to memory of 1952 1656 LSASSMGR.EXE 78 PID 1656 wrote to memory of 1952 1656 LSASSMGR.EXE 78 PID 1656 wrote to memory of 1952 1656 LSASSMGR.EXE 78 PID 1656 wrote to memory of 1952 1656 LSASSMGR.EXE 78 PID 636 wrote to memory of 1988 636 LSASSMGR.EXE 79 PID 636 wrote to memory of 1988 636 LSASSMGR.EXE 79 PID 636 wrote to memory of 1988 636 LSASSMGR.EXE 79 PID 636 wrote to memory of 1988 636 LSASSMGR.EXE 79 PID 1204 wrote to memory of 2036 1204 LSASSMGR.EXE 80 PID 1204 wrote to memory of 2036 1204 LSASSMGR.EXE 80 PID 1204 wrote to memory of 2036 1204 LSASSMGR.EXE 80 PID 1204 wrote to memory of 2036 1204 
LSASSMGR.EXE 80 PID 1952 wrote to memory of 1072 1952 LSASSMGR.EXE 81 PID 1952 wrote to memory of 1072 1952 LSASSMGR.EXE 81 PID 1952 wrote to memory of 1072 1952 LSASSMGR.EXE 81 PID 1952 wrote to memory of 1072 1952 LSASSMGR.EXE 81 PID 2024 wrote to memory of 1660 2024 LSASSMGR.EXE 83 PID 2024 wrote to memory of 1660 2024 LSASSMGR.EXE 83 PID 2024 wrote to memory of 1660 2024 LSASSMGR.EXE 83 PID 2024 wrote to memory of 1660 2024 LSASSMGR.EXE 83 PID 1988 wrote to memory of 1964 1988 LSASSMGR.EXE 82 PID 1988 wrote to memory of 1964 1988 LSASSMGR.EXE 82 PID 1988 wrote to memory of 1964 1988 LSASSMGR.EXE 82 PID 1988 wrote to memory of 1964 1988 LSASSMGR.EXE 82 PID 1072 wrote to memory of 1808 1072 LSASSMGR.EXE 84 PID 1072 wrote to memory of 1808 1072 LSASSMGR.EXE 84 PID 1072 wrote to memory of 1808 1072 LSASSMGR.EXE 84 PID 1072 wrote to memory of 1808 1072 LSASSMGR.EXE 84 PID 1964 wrote to memory of 1812 1964 LSASSMGR.EXE 86 PID 1964 wrote to memory of 1812 1964 LSASSMGR.EXE 86 PID 1964 wrote to memory of 1812 1964 LSASSMGR.EXE 86 PID 1964 wrote to memory of 1812 1964 LSASSMGR.EXE 86 PID 2036 wrote to memory of 1652 2036 LSASSMGR.EXE 85 PID 2036 wrote to memory of 1652 2036 LSASSMGR.EXE 85 PID 2036 wrote to memory of 1652 2036 LSASSMGR.EXE 85 PID 2036 wrote to memory of 1652 2036 LSASSMGR.EXE 85 PID 1812 wrote to memory of 1604 1812 LSASSMGR.EXE 87 PID 1812 wrote to memory of 1604 1812 LSASSMGR.EXE 87 PID 1812 wrote to memory of 1604 1812 LSASSMGR.EXE 87 PID 1812 wrote to memory of 1604 1812 LSASSMGR.EXE 87 PID 1652 wrote to memory of 1496 1652 LSASSMGR.EXE 90 PID 1652 wrote to memory of 1496 1652 LSASSMGR.EXE 90 PID 1652 wrote to memory of 1496 1652 LSASSMGR.EXE 90 PID 1652 wrote to memory of 1496 1652 LSASSMGR.EXE 90 PID 1604 wrote to memory of 1312 1604 LSASSMGR.EXE 89 PID 1604 wrote to memory of 1312 1604 LSASSMGR.EXE 89 PID 1604 wrote to memory of 1312 1604 LSASSMGR.EXE 89 PID 1604 wrote to memory of 1312 1604 LSASSMGR.EXE 89 PID 1808 wrote to memory of 112 1808 
LSASSMGR.EXE 88 PID 1808 wrote to memory of 112 1808 LSASSMGR.EXE 88 PID 1808 wrote to memory of 112 1808 LSASSMGR.EXE 88 PID 1808 wrote to memory of 112 1808 LSASSMGR.EXE 88 PID 1496 wrote to memory of 1664 1496 Process not Found 91 PID 1496 wrote to memory of 1664 1496 Process not Found 91 PID 1496 wrote to memory of 1664 1496 Process not Found 91 PID 1496 wrote to memory of 1664 1496 Process not Found 91 PID 1312 wrote to memory of 1300 1312 LSASSMGR.EXE 113 PID 1312 wrote to memory of 1300 1312 LSASSMGR.EXE 113 PID 1312 wrote to memory of 1300 1312 LSASSMGR.EXE 113 PID 1312 wrote to memory of 1300 1312 LSASSMGR.EXE 113 PID 1664 wrote to memory of 532 1664 LSASSMGR.EXE 93 PID 1664 wrote to memory of 532 1664 LSASSMGR.EXE 93 PID 1664 wrote to memory of 532 1664 LSASSMGR.EXE 93 PID 1664 wrote to memory of 532 1664 LSASSMGR.EXE 93 PID 1300 wrote to memory of 336 1300 LSASSMGR.EXE 94 PID 1300 wrote to memory of 336 1300 LSASSMGR.EXE 94 PID 1300 wrote to memory of 336 1300 LSASSMGR.EXE 94 PID 1300 wrote to memory of 336 1300 LSASSMGR.EXE 94 PID 112 wrote to memory of 912 112 LSASSMGR.EXE 117 PID 112 wrote to memory of 912 112 LSASSMGR.EXE 117 PID 112 wrote to memory of 912 112 LSASSMGR.EXE 117 PID 112 wrote to memory of 912 112 LSASSMGR.EXE 117 PID 532 wrote to memory of 1708 532 LSASSMGR.EXE 98 PID 532 wrote to memory of 1708 532 LSASSMGR.EXE 98 PID 532 wrote to memory of 1708 532 LSASSMGR.EXE 98 PID 532 wrote to memory of 1708 532 LSASSMGR.EXE 98 PID 912 wrote to memory of 808 912 LSASSMGR.EXE 173 PID 912 wrote to memory of 808 912 LSASSMGR.EXE 173 PID 912 wrote to memory of 808 912 LSASSMGR.EXE 173 PID 912 wrote to memory of 808 912 LSASSMGR.EXE 173 PID 336 wrote to memory of 1316 336 LSASSMGR.EXE 167 PID 336 wrote to memory of 1316 336 LSASSMGR.EXE 167 PID 336 wrote to memory of 1316 336 LSASSMGR.EXE 167 PID 336 wrote to memory of 1316 336 LSASSMGR.EXE 167 PID 808 wrote to memory of 1792 808 LSASSMGR.EXE 102 PID 808 wrote to memory of 1792 808 LSASSMGR.EXE 102 
PID 808 wrote to memory of 1792 808 LSASSMGR.EXE 102 PID 808 wrote to memory of 1792 808 LSASSMGR.EXE 102 PID 1316 wrote to memory of 1616 1316 LSASSMGR.EXE 304 PID 1316 wrote to memory of 1616 1316 LSASSMGR.EXE 304 PID 1316 wrote to memory of 1616 1316 LSASSMGR.EXE 304 PID 1316 wrote to memory of 1616 1316 LSASSMGR.EXE 304 PID 1792 wrote to memory of 1000 1792 LSASSMGR.EXE 209 PID 1792 wrote to memory of 1000 1792 LSASSMGR.EXE 209 PID 1792 wrote to memory of 1000 1792 LSASSMGR.EXE 209 PID 1792 wrote to memory of 1000 1792 LSASSMGR.EXE 209 PID 1708 wrote to memory of 1976 1708 LSASSMGR.EXE 363 PID 1708 wrote to memory of 1976 1708 LSASSMGR.EXE 363 PID 1708 wrote to memory of 1976 1708 LSASSMGR.EXE 363 PID 1708 wrote to memory of 1976 1708 LSASSMGR.EXE 363 PID 1976 wrote to memory of 1628 1976 LSASSMGR.EXE 337 PID 1976 wrote to memory of 1628 1976 LSASSMGR.EXE 337 PID 1976 wrote to memory of 1628 1976 LSASSMGR.EXE 337 PID 1976 wrote to memory of 1628 1976 LSASSMGR.EXE 337 PID 1000 wrote to memory of 1996 1000 LSASSMGR.EXE 105 PID 1000 wrote to memory of 1996 1000 LSASSMGR.EXE 105 PID 1000 wrote to memory of 1996 1000 LSASSMGR.EXE 105 PID 1000 wrote to memory of 1996 1000 LSASSMGR.EXE 105 PID 1616 wrote to memory of 1776 1616 LSASSMGR.EXE 373 PID 1616 wrote to memory of 1776 1616 LSASSMGR.EXE 373 PID 1616 wrote to memory of 1776 1616 LSASSMGR.EXE 373 PID 1616 wrote to memory of 1776 1616 LSASSMGR.EXE 373 PID 1628 wrote to memory of 748 1628 LSASSMGR.EXE 107 PID 1628 wrote to memory of 748 1628 LSASSMGR.EXE 107 PID 1628 wrote to memory of 748 1628 LSASSMGR.EXE 107 PID 1628 wrote to memory of 748 1628 LSASSMGR.EXE 107 PID 1996 wrote to memory of 856 1996 LSASSMGR.EXE 383 PID 1996 wrote to memory of 856 1996 LSASSMGR.EXE 383 PID 1996 wrote to memory of 856 1996 LSASSMGR.EXE 383 PID 1996 wrote to memory of 856 1996 LSASSMGR.EXE 383 PID 1776 wrote to memory of 1604 1776 LSASSMGR.EXE 418 PID 1776 wrote to memory of 1604 1776 LSASSMGR.EXE 418 PID 1776 wrote to memory of 
1604 1776 LSASSMGR.EXE 418 PID 1776 wrote to memory of 1604 1776 LSASSMGR.EXE 418 PID 856 wrote to memory of 776 856 LSASSMGR.EXE 447 PID 856 wrote to memory of 776 856 LSASSMGR.EXE 447 PID 856 wrote to memory of 776 856 LSASSMGR.EXE 447 PID 856 wrote to memory of 776 856 LSASSMGR.EXE 447 PID 1604 wrote to memory of 568 1604 LSASSMGR.EXE 477 PID 1604 wrote to memory of 568 1604 LSASSMGR.EXE 477 PID 1604 wrote to memory of 568 1604 LSASSMGR.EXE 477 PID 1604 wrote to memory of 568 1604 LSASSMGR.EXE 477 PID 776 wrote to memory of 832 776 LSASSMGR.EXE 445 PID 776 wrote to memory of 832 776 LSASSMGR.EXE 445 PID 776 wrote to memory of 832 776 LSASSMGR.EXE 445 PID 776 wrote to memory of 832 776 LSASSMGR.EXE 445 PID 568 wrote to memory of 1300 568 LSASSMGR.EXE 465 PID 568 wrote to memory of 1300 568 LSASSMGR.EXE 465 PID 568 wrote to memory of 1300 568 LSASSMGR.EXE 465 PID 568 wrote to memory of 1300 568 LSASSMGR.EXE 465 PID 748 wrote to memory of 912 748 LSASSMGR.EXE 117 PID 748 wrote to memory of 912 748 LSASSMGR.EXE 117 PID 748 wrote to memory of 912 748 LSASSMGR.EXE 117 PID 748 wrote to memory of 912 748 LSASSMGR.EXE 117 PID 832 wrote to memory of 1140 832 LSASSMGR.EXE 468 PID 832 wrote to memory of 1140 832 LSASSMGR.EXE 468 PID 832 wrote to memory of 1140 832 LSASSMGR.EXE 468 PID 832 wrote to memory of 1140 832 LSASSMGR.EXE 468 PID 1300 wrote to memory of 1020 1300 LSASSMGR.EXE 572 PID 1300 wrote to memory of 1020 1300 LSASSMGR.EXE 572 PID 1300 wrote to memory of 1020 1300 LSASSMGR.EXE 572 PID 1300 wrote to memory of 1020 1300 LSASSMGR.EXE 572 PID 1140 wrote to memory of 1780 1140 LSASSMGR.EXE 568 PID 1140 wrote to memory of 1780 1140 LSASSMGR.EXE 568 PID 1140 wrote to memory of 1780 1140 LSASSMGR.EXE 568 PID 1140 wrote to memory of 1780 1140 LSASSMGR.EXE 568 PID 912 wrote to memory of 1864 912 LSASSMGR.EXE 277 PID 912 wrote to memory of 1864 912 LSASSMGR.EXE 277 PID 912 wrote to memory of 1864 912 LSASSMGR.EXE 277 PID 912 wrote to memory of 1864 912 LSASSMGR.EXE 277 
PID 1864 wrote to memory of 1640 1864 LSASSMGR.EXE 122 PID 1864 wrote to memory of 1640 1864 LSASSMGR.EXE 122 PID 1864 wrote to memory of 1640 1864 LSASSMGR.EXE 122 PID 1864 wrote to memory of 1640 1864 LSASSMGR.EXE 122 PID 1020 wrote to memory of 432 1020 LSASSMGR.EXE 660 PID 1020 wrote to memory of 432 1020 LSASSMGR.EXE 660 PID 1020 wrote to memory of 432 1020 LSASSMGR.EXE 660 PID 1020 wrote to memory of 432 1020 LSASSMGR.EXE 660 PID 1780 wrote to memory of 1616 1780 LSASSMGR.EXE 689 PID 1780 wrote to memory of 1616 1780 LSASSMGR.EXE 689 PID 1780 wrote to memory of 1616 1780 LSASSMGR.EXE 689 PID 1780 wrote to memory of 1616 1780 LSASSMGR.EXE 689 PID 1640 wrote to memory of 1424 1640 LSASSMGR.EXE 608 PID 1640 wrote to memory of 1424 1640 LSASSMGR.EXE 608 PID 1640 wrote to memory of 1424 1640 LSASSMGR.EXE 608 PID 1640 wrote to memory of 1424 1640 LSASSMGR.EXE 608 PID 432 wrote to memory of 904 432 LSASSMGR.EXE 677 PID 432 wrote to memory of 904 432 LSASSMGR.EXE 677 PID 432 wrote to memory of 904 432 LSASSMGR.EXE 677 PID 432 wrote to memory of 904 432 LSASSMGR.EXE 677 PID 1616 wrote to memory of 1704 1616 LSASSMGR.EXE 605 PID 1616 wrote to memory of 1704 1616 LSASSMGR.EXE 605 PID 1616 wrote to memory of 1704 1616 LSASSMGR.EXE 605 PID 1616 wrote to memory of 1704 1616 LSASSMGR.EXE 605 PID 904 wrote to memory of 520 904 LSASSMGR.EXE 127 PID 904 wrote to memory of 520 904 LSASSMGR.EXE 127 PID 904 wrote to memory of 520 904 LSASSMGR.EXE 127 PID 904 wrote to memory of 520 904 LSASSMGR.EXE 127 PID 1704 wrote to memory of 948 1704 LSASSMGR.EXE 761 PID 1704 wrote to memory of 948 1704 LSASSMGR.EXE 761 PID 1704 wrote to memory of 948 1704 LSASSMGR.EXE 761 PID 1704 wrote to memory of 948 1704 LSASSMGR.EXE 761 PID 520 wrote to memory of 660 520 LSASSMGR.EXE 734 PID 520 wrote to memory of 660 520 LSASSMGR.EXE 734 PID 520 wrote to memory of 660 520 LSASSMGR.EXE 734 PID 520 wrote to memory of 660 520 LSASSMGR.EXE 734 PID 1424 wrote to memory of 1604 1424 LSASSMGR.EXE 756 PID 1424 
wrote to memory of 1604 1424 LSASSMGR.EXE 756 PID 1424 wrote to memory of 1604 1424 LSASSMGR.EXE 756 PID 1424 wrote to memory of 1604 1424 LSASSMGR.EXE 756 PID 948 wrote to memory of 1504 948 LSASSMGR.EXE 131 PID 948 wrote to memory of 1504 948 LSASSMGR.EXE 131 PID 948 wrote to memory of 1504 948 LSASSMGR.EXE 131 PID 948 wrote to memory of 1504 948 LSASSMGR.EXE 131 PID 660 wrote to memory of 1836 660 LSASSMGR.EXE 636 PID 660 wrote to memory of 1836 660 LSASSMGR.EXE 636 PID 660 wrote to memory of 1836 660 LSASSMGR.EXE 636 PID 660 wrote to memory of 1836 660 LSASSMGR.EXE 636 PID 1604 wrote to memory of 1764 1604 LSASSMGR.EXE 874 PID 1604 wrote to memory of 1764 1604 LSASSMGR.EXE 874 PID 1604 wrote to memory of 1764 1604 LSASSMGR.EXE 874 PID 1604 wrote to memory of 1764 1604 LSASSMGR.EXE 874 PID 1504 wrote to memory of 1476 1504 LSASSMGR.EXE 810 PID 1504 wrote to memory of 1476 1504 LSASSMGR.EXE 810 PID 1504 wrote to memory of 1476 1504 LSASSMGR.EXE 810 PID 1504 wrote to memory of 1476 1504 LSASSMGR.EXE 810 PID 1764 wrote to memory of 1008 1764 LSASSMGR.EXE 903 PID 1764 wrote to memory of 1008 1764 LSASSMGR.EXE 903 PID 1764 wrote to memory of 1008 1764 LSASSMGR.EXE 903 PID 1764 wrote to memory of 1008 1764 LSASSMGR.EXE 903 PID 1836 wrote to memory of 1540 1836 LSASSMGR.EXE 939 PID 1836 wrote to memory of 1540 1836 LSASSMGR.EXE 939 PID 1836 wrote to memory of 1540 1836 LSASSMGR.EXE 939 PID 1836 wrote to memory of 1540 1836 LSASSMGR.EXE 939 PID 1476 wrote to memory of 680 1476 LSASSMGR.EXE 135 PID 1476 wrote to memory of 680 1476 LSASSMGR.EXE 135 PID 1476 wrote to memory of 680 1476 LSASSMGR.EXE 135 PID 1476 wrote to memory of 680 1476 LSASSMGR.EXE 135 PID 1540 wrote to memory of 1380 1540 LSASSMGR.EXE 1040 PID 1540 wrote to memory of 1380 1540 LSASSMGR.EXE 1040 PID 1540 wrote to memory of 1380 1540 LSASSMGR.EXE 1040 PID 1540 wrote to memory of 1380 1540 LSASSMGR.EXE 1040 PID 1008 wrote to memory of 1484 1008 LSASSMGR.EXE 901 PID 1008 wrote to memory of 1484 1008 
LSASSMGR.EXE 901 PID 1008 wrote to memory of 1484 1008 LSASSMGR.EXE 901 PID 1008 wrote to memory of 1484 1008 LSASSMGR.EXE 901 PID 680 wrote to memory of 1780 680 LSASSMGR.EXE 842 PID 680 wrote to memory of 1780 680 LSASSMGR.EXE 842 PID 680 wrote to memory of 1780 680 LSASSMGR.EXE 842 PID 680 wrote to memory of 1780 680 LSASSMGR.EXE 842 PID 1380 wrote to memory of 324 1380 LSASSMGR.EXE 141 PID 1380 wrote to memory of 324 1380 LSASSMGR.EXE 141 PID 1380 wrote to memory of 324 1380 LSASSMGR.EXE 141 PID 1380 wrote to memory of 324 1380 LSASSMGR.EXE 141 PID 1780 wrote to memory of 1776 1780 LSASSMGR.EXE 1161 PID 1780 wrote to memory of 1776 1780 LSASSMGR.EXE 1161 PID 1780 wrote to memory of 1776 1780 LSASSMGR.EXE 1161 PID 1780 wrote to memory of 1776 1780 LSASSMGR.EXE 1161 PID 1484 wrote to memory of 856 1484 LSASSMGR.EXE 1122 PID 1484 wrote to memory of 856 1484 LSASSMGR.EXE 1122 PID 1484 wrote to memory of 856 1484 LSASSMGR.EXE 1122 PID 1484 wrote to memory of 856 1484 LSASSMGR.EXE 1122 PID 324 wrote to memory of 1808 324 LSASSMGR.EXE 1020 PID 324 wrote to memory of 1808 324 LSASSMGR.EXE 1020 PID 324 wrote to memory of 1808 324 LSASSMGR.EXE 1020 PID 324 wrote to memory of 1808 324 LSASSMGR.EXE 1020 PID 1776 wrote to memory of 1816 1776 LSASSMGR.EXE 1140 PID 1776 wrote to memory of 1816 1776 LSASSMGR.EXE 1140 PID 1776 wrote to memory of 1816 1776 LSASSMGR.EXE 1140 PID 1776 wrote to memory of 1816 1776 LSASSMGR.EXE 1140 PID 856 wrote to memory of 1408 856 LSASSMGR.EXE 1234 PID 856 wrote to memory of 1408 856 LSASSMGR.EXE 1234 PID 856 wrote to memory of 1408 856 LSASSMGR.EXE 1234 PID 856 wrote to memory of 1408 856 LSASSMGR.EXE 1234 PID 1808 wrote to memory of 268 1808 LSASSMGR.EXE 1351 PID 1808 wrote to memory of 268 1808 LSASSMGR.EXE 1351 PID 1808 wrote to memory of 268 1808 LSASSMGR.EXE 1351 PID 1808 wrote to memory of 268 1808 LSASSMGR.EXE 1351 PID 1408 wrote to memory of 2040 1408 LSASSMGR.EXE 1372 PID 1408 wrote to memory of 2040 1408 LSASSMGR.EXE 1372 PID 1408 
wrote to memory of 2040 1408 LSASSMGR.EXE 1372 PID 1408 wrote to memory of 2040 1408 LSASSMGR.EXE 1372 PID 1816 wrote to memory of 900 1816 LSASSMGR.EXE 1398 PID 1816 wrote to memory of 900 1816 LSASSMGR.EXE 1398 PID 1816 wrote to memory of 900 1816 LSASSMGR.EXE 1398 PID 1816 wrote to memory of 900 1816 LSASSMGR.EXE 1398
Processes
-
C:\Users\Admin\AppData\Local\Temp\de9032bf1eed5f793f70d5ed1334c56a.exe"C:\Users\Admin\AppData\Local\Temp\de9032bf1eed5f793f70d5ed1334c56a.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\srtsrv32.exe"C:\Windows\system32\srtsrv32.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"4⤵PID:1688
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:556 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1628 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"8⤵PID:2036
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"9⤵PID:1812
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"10⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:1608 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"11⤵
- Executes dropped EXE
PID:392 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"12⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:1736 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"13⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1780 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"14⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"15⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1204 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"17⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1652 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"18⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"19⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"20⤵
- Adds Run key to start application
PID:532 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"21⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"22⤵PID:1976
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"23⤵PID:1628
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"24⤵PID:748
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"25⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:912 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"26⤵PID:1864
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"27⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:1640 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"28⤵PID:1424
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"29⤵PID:1604
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"30⤵PID:1764
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"31⤵PID:1008
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"32⤵PID:1484
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"33⤵PID:856
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"34⤵PID:1408
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"35⤵PID:2040
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"36⤵PID:1476
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"37⤵PID:1984
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"38⤵PID:1248
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"39⤵PID:1704
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"40⤵PID:832
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"41⤵PID:1628
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"42⤵PID:972
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"43⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:808 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"44⤵PID:1800
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"34⤵PID:336
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"35⤵PID:1652
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"36⤵PID:1844
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"37⤵PID:808
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"38⤵PID:792
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"39⤵PID:2028
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"40⤵PID:1340
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"41⤵PID:1148
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"42⤵PID:604
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"43⤵PID:972
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"44⤵PID:1616
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"45⤵PID:1096
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"46⤵PID:1776
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"47⤵PID:532
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"48⤵PID:1148
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"49⤵PID:1976
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"50⤵PID:968
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"51⤵PID:900
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"52⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1864
-
C:\Windows\SysWOW64\lssmon.exe"C:\Windows\system32\lssmon.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\srtsrv32.exe"C:\Windows\system32\srtsrv32.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1816
-
C:\Windows\SysWOW64\srtsrv32.exe"C:\Windows\system32\srtsrv32.exe"3⤵PID:1008
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"4⤵PID:1928
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:292 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"6⤵PID:1072
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1704 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"9⤵PID:1300
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"10⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1004 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"11⤵PID:1616
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"12⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:1556 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"13⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1656 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"14⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1952 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"16⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"17⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:112 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"18⤵PID:912
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"19⤵PID:808
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"20⤵
- Adds Run key to start application
PID:1792
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"6⤵PID:1764
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"7⤵PID:1868
-
C:\Windows\SysWOW64\srtsrv32.exe"C:\Windows\system32\srtsrv32.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:604
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 3403⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1232
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1572 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1092 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"3⤵PID:1000
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"4⤵PID:1988
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1696 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
PID:1248 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"7⤵PID:1664
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"8⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1540 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"9⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1016 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"10⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:1928 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"11⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:636 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1988 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"13⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1964 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"14⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
PID:1812 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"15⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"16⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1312 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"17⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1300 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"18⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"19⤵PID:1316
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"20⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:1616 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"21⤵PID:1776
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"22⤵PID:1604
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"16⤵PID:568
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"17⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1300 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"18⤵PID:1020
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"19⤵PID:432
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"20⤵PID:904
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"21⤵
- Drops file in System32 directory
PID:520 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"22⤵PID:660
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"23⤵PID:1836
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"24⤵PID:1540
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"25⤵PID:1380
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"26⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:324 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"27⤵PID:1808
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"28⤵PID:268
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"29⤵PID:1764
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"30⤵PID:1004
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"31⤵PID:1484
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"32⤵PID:968
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"33⤵PID:1304
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"34⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"35⤵PID:528
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"36⤵PID:1864
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"37⤵PID:956
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"38⤵PID:1652
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"39⤵PID:1768
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"40⤵PID:2040
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"41⤵PID:1020
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"42⤵PID:1540
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"43⤵PID:960
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"44⤵PID:1484
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"45⤵PID:1652
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"46⤵PID:532
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"47⤵PID:2040
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"48⤵PID:1020
-
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"42⤵PID:960
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"43⤵PID:1140
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"44⤵PID:1728
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"45⤵PID:1876
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"46⤵PID:604
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"47⤵PID:1736
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"48⤵PID:1020
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"49⤵PID:832
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"50⤵PID:1212
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"51⤵PID:1628
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"52⤵PID:612
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"53⤵PID:1368
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"54⤵PID:1576
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"37⤵PID:1304
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"38⤵PID:960
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"39⤵PID:1780
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"40⤵PID:1484
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"41⤵PID:1800
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"42⤵PID:1424
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"43⤵PID:1316
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"44⤵PID:692
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"45⤵PID:1868
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"46⤵PID:1488
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"47⤵PID:1808
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"48⤵PID:1004
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"49⤵PID:660
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"50⤵PID:1304
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"51⤵PID:1656
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"52⤵PID:1780
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"53⤵PID:1092
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"54⤵PID:1732
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"55⤵PID:1776
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"56⤵PID:1380
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"57⤵PID:1688
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"58⤵PID:1976
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"59⤵PID:904
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"60⤵PID:1980
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"61⤵PID:868
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"62⤵PID:1812
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"63⤵PID:540
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"64⤵PID:1616
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"65⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"66⤵PID:904
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"67⤵PID:1876
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"68⤵PID:1096
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"69⤵PID:940
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"70⤵PID:944
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"71⤵PID:972
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"72⤵PID:1160
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"73⤵PID:900
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"74⤵PID:1340
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"75⤵PID:1096
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"76⤵PID:1704
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"77⤵PID:1800
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"78⤵PID:540
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"79⤵PID:1332
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"80⤵PID:1016
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"81⤵PID:1980
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"82⤵PID:1488
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"83⤵PID:968
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"84⤵PID:2028
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"85⤵PID:1736
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"86⤵PID:336
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"87⤵PID:692
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"88⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"89⤵PID:1704
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"90⤵PID:1212
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"91⤵PID:1312
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"92⤵PID:1160
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"93⤵PID:808
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"94⤵PID:1576
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"95⤵PID:1812
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"96⤵PID:1212
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"97⤵PID:1780
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"98⤵PID:972
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"99⤵PID:1368
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"100⤵
- Adds Run key to start application
PID:1300 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"101⤵PID:1060
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"102⤵PID:1484
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"103⤵PID:568
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"104⤵PID:972
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"105⤵PID:336
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"106⤵PID:1408
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"107⤵PID:1704
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"108⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:748 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"109⤵PID:1476
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"110⤵PID:944
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"111⤵PID:1368
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"112⤵PID:1812
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"113⤵PID:968
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"114⤵PID:1212
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"115⤵PID:868
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"116⤵PID:532
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"117⤵PID:1340
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"118⤵PID:1868
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"119⤵PID:1776
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"120⤵PID:1380
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"121⤵PID:1004
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"122⤵PID:944
-