Analysis
max time kernel: 151s
max time network: 13s
platform: windows7_x64
resource: win7v20201028
submitted: 14-12-2020 16:38

Behavioral task: behavioral1
Sample: cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe
Resource: win7v20201028
0 signatures
0 seconds

General
Target: cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe
Size: 5.4MB
MD5: cfac0fedbb2f5e8d8f1c1bd27fe74cb1
SHA1: 8428f346686bfa3ff01627497b22a35d32992806
SHA256: ccf1261bd2cb9a4f4a5ab144481dc52a3c8eec2e672a46a69ce0031e16ac9231
SHA512: 4d48cf5a3ff7efbededbd2b19df45de73d3e3bcc88b645322b00647e5df316282f3d607fd151ede645b963cafa6b0cbc01ff99694c61b9e53b3b2408ae9446db
Malware Config
Signatures

resource | yara_rule
behavioral1/files/0x0004000000013108-7.dat | fakeav
behavioral1/files/0x0004000000013108-13.dat | fakeav
behavioral1/files/0x0004000000013108-62.dat | fakeav
behavioral1/files/0x0004000000013108-63.dat | fakeav
behavioral1/files/0x0004000000013108-61.dat | fakeav
behavioral1/files/0x0004000000013108-72.dat | fakeav
Executes dropped EXE 78 IoCs
Sets file execution options in registry 2 TTPs
-
Loads dropped DLL 163 IoCs
Adds Run key to start application 2 TTPs 80 IoCs
description | ioc | Process (unique rows; the report logs 80 events, almost all repeating the first row)
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" | LSASSMGR.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" | srtsrv32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\lssmon.exe" | cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\lssmon.exe" | lssmon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | lssmon.exe
Drops file in System32 directory 157 IoCs
description | ioc | Process (unique rows; the report logs 157 events)
File created | C:\Windows\SysWOW64\srtsrv32.exe | cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe
File created | C:\Windows\SysWOW64\lssmon.exe | cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe
File opened for modification | C:\Windows\SysWOW64\lssmon.exe | cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe
File created | C:\Windows\SysWOW64\LSASSMGR.EXE | srtsrv32.exe
File created | C:\Windows\SysWOW64\spool.exe | srtsrv32.exe
File opened for modification | C:\Windows\SysWOW64\spool.exe | srtsrv32.exe
File created | C:\Windows\SysWOW64\LSASSMGR.EXE | LSASSMGR.EXE
File created | C:\Windows\SysWOW64\spool.exe | LSASSMGR.EXE
File opened for modification | C:\Windows\SysWOW64\spool.exe | LSASSMGR.EXE
Drops file in Program Files directory 153 IoCs
description | ioc | Process (unique rows; the report logs 153 events and the extracted list is cut off after the last row)
File created | C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe | srtsrv32.exe
File created | C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe | LSASSMGR.EXE
File created | C:\Program Files (x86)\Internet Explorer\iexplor.exe | srtsrv32.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplor.exe | srtsrv32.exe
File created | C:\Program Files (x86)\Internet Explorer\iexplor.exe | LSASSMGR.EXE
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplor.exe | LSASSMGR.EXE
File created C:\Program Files (x86)\Mozilla 
Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE 
File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification 
C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe srtsrv32.exe File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet 
Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe srtsrv32.exe File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE -
Drops file in Windows directory 1 IoCs
description   ioc                    Process
File created  C:\Windows\divx32.dll  cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe
-
Program crash 1 IoCs
pid  pid_target  Process       procid_target
960  1156        WerFault.exe  27

pid_target 1156 (procid_target 27) is the dropped lssmon.exe: the WriteProcessMemory log below records the sample (PID 1096) creating it, and lssmon.exe itself launching WerFault.exe (PID 960). The crash therefore belongs to one of the dropped components, not to the original sample.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid  Process
960  WerFault.exe
960  WerFault.exe
960  WerFault.exe
960  WerFault.exe
960  WerFault.exe

All five hits come from WerFault.exe, Windows' own crash handler, collecting the report for the crashed lssmon.exe; they are sandbox noise rather than behaviour of the dropped binaries, as is the SeDebugPrivilege entry that follows.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid  Process
Token: SeDebugPrivilege  960  WerFault.exe
-
Suspicious use of WriteProcessMemory 324 IoCs
Each write appears four times in the raw log (324 rows); the 81 distinct rows are listed once, in log order. Read a row as "pid wrote to memory of target". Process creation on this Windows 7 guest shows up to the sandbox's API monitor as the parent writing into the new child's memory, so these rows double as the parent-to-child edges of the process tree below. The guest reuses PIDs as instances exit (1972, 1432, 1444, 1280 and others are created more than once, and even the sample's own PID 1096 is handed out again near the end), so procid_target, not the PID, is what identifies a process.

pid   target  Process                               procid_target
1096  1208    cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe  26
1096  1156    cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe  27
1208  1972    srtsrv32.exe                          28
1972  1732    LSASSMGR.EXE                          29
1156  1704    lssmon.exe                            30
1732  1432    LSASSMGR.EXE                          45
1432  1628    LSASSMGR.EXE                          34
1156  736     lssmon.exe                            33
1704  1776    srtsrv32.exe                          32
1156  1000    lssmon.exe                            35
1156  960     lssmon.exe                            36
1776  1208    LSASSMGR.EXE                          41
1628  1280    LSASSMGR.EXE                          91
1000  1580    LSASSMGR.EXE                          42
736   1972    srtsrv32.exe                          102
1208  316     LSASSMGR.EXE                          44
1280  1432    LSASSMGR.EXE                          101
1580  928     LSASSMGR.EXE                          92
1972  396     LSASSMGR.EXE                          47
1432  1584    LSASSMGR.EXE                          164
928   1804    LSASSMGR.EXE                          135
316   308     LSASSMGR.EXE                          104
396   1224    LSASSMGR.EXE                          172
1584  2036    LSASSMGR.EXE                          207
1224  1980    LSASSMGR.EXE                          126
1804  1984    LSASSMGR.EXE                          53
308   1976    LSASSMGR.EXE                          178
1980  388     LSASSMGR.EXE                          162
2036  1852    LSASSMGR.EXE                          196
1984  1444    LSASSMGR.EXE                          97
1976  548     LSASSMGR.EXE                          148
388   740     LSASSMGR.EXE                          99
548   1972    LSASSMGR.EXE                          102
1444  344     LSASSMGR.EXE                          124
1852  776     LSASSMGR.EXE                          153
740   1548    LSASSMGR.EXE                          106
1972  1696    LSASSMGR.EXE                          192
344   680     LSASSMGR.EXE                          110
776   1992    LSASSMGR.EXE                          67
1696  1552    LSASSMGR.EXE                          230
1548  1724    LSASSMGR.EXE                          228
1992  1584    LSASSMGR.EXE                          280
680   1212    LSASSMGR.EXE                          170
1724  1520    LSASSMGR.EXE                          293
1584  1876    LSASSMGR.EXE                          371
1552  924     LSASSMGR.EXE                          349
1212  272     LSASSMGR.EXE                          348
1520  1836    LSASSMGR.EXE                          303
272   1832    LSASSMGR.EXE                          397
1876  1444    LSASSMGR.EXE                          386
1836  1700    LSASSMGR.EXE                          79
924   1000    LSASSMGR.EXE                          385
1832  268     LSASSMGR.EXE                          396
1444  1892    LSASSMGR.EXE                          383
1700  344     LSASSMGR.EXE                          335
1000  1800    LSASSMGR.EXE                          472
1892  1820    LSASSMGR.EXE                          157
268   1252    LSASSMGR.EXE                          510
344   680     LSASSMGR.EXE                          706
1252  1980    LSASSMGR.EXE                          750
1800  1720    LSASSMGR.EXE                          89
1820  1248    LSASSMGR.EXE                          711
1248  1280    LSASSMGR.EXE                          1011
680   928     LSASSMGR.EXE                          1092
1720  1608    LSASSMGR.EXE                          1122
1980  1364    LSASSMGR.EXE                          1189
928   832     LSASSMGR.EXE                          1334
1364  1372    LSASSMGR.EXE                          1477
1280  1444    LSASSMGR.EXE                          1521
1608  1836    LSASSMGR.EXE                          1269
832   740     LSASSMGR.EXE                          1427
1444  776     LSASSMGR.EXE                          1570
1836  1432    LSASSMGR.EXE                          408
1372  1972    LSASSMGR.EXE                          1757
776   1712    LSASSMGR.EXE                          1993
740   308     LSASSMGR.EXE                          2079
1972  1548    LSASSMGR.EXE                          2085
1432  1096    LSASSMGR.EXE                          2060
1548  1232    LSASSMGR.EXE                          2105
308   1640    LSASSMGR.EXE                          2510
1096  1520    LSASSMGR.EXE                          2481
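Turning rows of this shape back into a process tree is the step a practitioner usually has to do by hand, so here is an added example (not code from the sandbox vendor or from the sample) that parses rows in the report's "PID X wrote to memory of Y X image procid" form, collapses the fourfold repetition, keys each process on (PID, procid_target) so reused PIDs stay distinct, and resolves the parent of each row to the most recently created process with that PID. That last rule is an assumption about the log order that the report does not state. The embedded rows are a constructed excerpt: nine distinct rows copied from the table above, each repeated four times as in the raw log. As a side effect the script recovers which image a PID ran, which is how the Program crash row's pid_target 1156 resolves to lssmon.exe.

```python
"""Rebuild a sandbox process tree from 'wrote to memory of' rows.

Added example, not part of the sandbox report or the sample. Process creation
on the Windows 7 guest shows up as the parent writing into the new child's
memory, so each distinct row is one parent -> child edge. PIDs are reused
during the run, so a process is keyed on (pid, procid_target); the parent of
a row is taken to be the most recently created process with that PID, which
is an assumption about the log order that the report does not document.
"""
import re
from collections import defaultdict

# Constructed excerpt: nine distinct rows copied from the report, each repeated
# four times because that is how the raw log lists every write.
_DISTINCT_ROWS = [
    "PID 1096 wrote to memory of 1208 1096 cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe 26",
    "PID 1096 wrote to memory of 1156 1096 cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe 27",
    "PID 1208 wrote to memory of 1972 1208 srtsrv32.exe 28",
    "PID 1972 wrote to memory of 1732 1972 LSASSMGR.EXE 29",
    "PID 1156 wrote to memory of 1704 1156 lssmon.exe 30",
    "PID 1156 wrote to memory of 736 1156 lssmon.exe 33",
    "PID 1156 wrote to memory of 960 1156 lssmon.exe 36",
    "PID 1704 wrote to memory of 1776 1704 srtsrv32.exe 32",
    "PID 736 wrote to memory of 1972 736 srtsrv32.exe 102",
]
SAMPLE_LOG = "\n".join(row for row in _DISTINCT_ROWS for _ in range(4))

# parent pid, child pid, parent pid repeated, parent image, child procid_target
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_rows(text):
    """Distinct (parent_pid, child_pid, parent_image, child_procid) tuples, in log order."""
    seen, rows = set(), []
    for m in ROW_RE.finditer(text):
        row = (int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4)))
        if row not in seen:
            seen.add(row)
            rows.append(row)
    return rows


def build_tree(rows, root_pid):
    """Return (parents, children, images), all keyed on (pid, procid).

    The submitted sample is never a child in the log, so it gets the synthetic
    key (root_pid, 0). A process's image is only learned when it appears as a
    writer, so leaves that never spawn anything (WerFault.exe here) stay unnamed.
    """
    root = (root_pid, 0)
    live = {root_pid: root}          # pid -> key of the newest process with that pid
    parents, images = {root: None}, {}
    children = defaultdict(list)
    for ppid, cpid, pimage, procid in rows:
        pkey = live.get(ppid)
        if pkey is None:
            raise ValueError(f"writer PID {ppid} was never created in the log")
        images[pkey] = pimage        # the writer column names the parent's image
        ckey = (cpid, procid)
        parents[ckey] = pkey
        children[pkey].append(ckey)
        live[cpid] = ckey            # later rows naming this pid mean the new process
    return parents, children, images


def lineage(parents, key):
    """PIDs from the submitted sample down to `key`."""
    chain = []
    while key is not None:
        chain.append(key[0])
        key = parents[key]
    return chain[::-1]


def render(children, images, key, depth=1):
    """Indented text tree in the style of the report's Processes section."""
    name = images.get(key, "<image not seen as writer>")
    lines = [f"{'  ' * (depth - 1)}depth {depth}  PID {key[0]}  {name}"]
    for child in children[key]:
        lines.extend(render(children, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_LOG)
    parents, children, images = build_tree(rows, root_pid=1096)
    print("\n".join(render(children, images, (1096, 0))))
    print("crash target 1156 ->", images[(1156, 27)])
```

Run against the full 324-row log the same code produces the two branches shown in the Processes section (srtsrv32.exe under PID 1208, lssmon.exe under PID 1156); where the report's own tree disagrees with the most-recent-PID rule, the tree is authoritative, since the sandbox knows the real parent handle and this script only infers it.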
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe"C:\Users\Admin\AppData\Local\Temp\cfac0fedbb2f5e8d8f1c1bd27fe74cb1.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\srtsrv32.exe"C:\Windows\system32\srtsrv32.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"5⤵PID:1432
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"7⤵PID:1280
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"9⤵PID:1584
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"10⤵PID:2036
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"11⤵PID:1852
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"12⤵PID:776
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"13⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"14⤵PID:1584
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"15⤵PID:1876
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"16⤵PID:1444
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"17⤵PID:1892
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"18⤵PID:1820
C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 19)  PID: 1248

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 20)  PID: 1280
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 21)  PID: 1444
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 22)  PID: 776

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 23)  PID: 1712

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 24)  PID: 680
- Executes dropped EXE
- Adds Run key to start application

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 25)  PID: 924

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 26)  PID: 1252

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 27)  PID: 736

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 28)  PID: 344
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 29)  PID: 304

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 30)  PID: 524

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 31)  PID: 1804
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 32)  PID: 1976

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 33)  PID: 1800

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 34)  PID: 2036

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 35)  PID: 396

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 36)  PID: 1600

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 37)  PID: 1760

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 38)  PID: 912

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 39)  PID: 1632

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 40)  PID: 1704

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 41)  PID: 316
- Loads dropped DLL
C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 32)  PID: 1552
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 33)  PID: 1976
C:\Windows\SysWOW64\lssmon.exe  "C:\Windows\system32\lssmon.exe"  (tree depth 2)  PID: 1156
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\srtsrv32.exe  "C:\Windows\system32\srtsrv32.exe"  (tree depth 3)  PID: 1704
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 4)  PID: 1776
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 5)  PID: 1208
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 6)  PID: 316
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 7)  PID: 308

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 8)  PID: 1976

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 9)  PID: 548

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 10)  PID: 1972

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 11)  PID: 1696

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 12)  PID: 1552

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 13)  PID: 924

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 14)  PID: 1000
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 15)  PID: 1800

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 16)  PID: 1720
- Executes dropped EXE
- Adds Run key to start application

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 17)  PID: 1608

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 18)  PID: 1836

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 19)  PID: 1432
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 20)  PID: 1096

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 21)  PID: 1520

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 22)  PID: 436

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 23)  PID: 1852

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 24)  PID: 1728

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 25)  PID: 1980
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 26)  PID: 2016

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 27)  PID: 1252

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 28)  PID: 268

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 29)  PID: 1208

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 30)  PID: 1328

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 31)  PID: 1248

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 32)  PID: 992

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 33)  PID: 1676

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 34)  PID: 304

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 35)  PID: 1224
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 36)  PID: 396

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 37)  PID: 1968

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 38)  PID: 1248

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 39)  PID: 1708

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 40)  PID: 912

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 41)  PID: 520

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 42)  PID: 396
- Loads dropped DLL

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 43)  PID: 1628

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 44)  PID: 1708

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 45)  PID: 1244

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 46)  PID: 1328

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 47)  PID: 776

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 48)  PID: 924

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 49)  PID: 1776

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 50)  PID: 1372

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 51)  PID: 2024

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 52)  PID: 308

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 53)  PID: 272

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 54)  PID: 396

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 55)  PID: 992

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 56)  PID: 1908

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 57)  PID: 1252

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 58)  PID: 1000

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 59)  PID: 1712

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 60)  PID: 1832

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 61)  PID: 1364

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 62)  PID: 1784

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 63)  PID: 1620

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 64)  PID: 1000

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 65)  PID: 1576

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 66)  PID: 1684

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 67)  PID: 1328

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 68)  PID: 1948

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 69)  PID: 1952

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 70)  PID: 776

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 71)  PID: 1800

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 72)  PID: 1252

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 73)  PID: 1584
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 74)  PID: 1632

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 75)  PID: 396

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 76)  PID: 268

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 77)  PID: 1832

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 78)  PID: 1584

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 79)  PID: 1208

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 80)  PID: 1600

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 81)  PID: 1644

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 82)  PID: 592

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 83)  PID: 736

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 84)  PID: 1328

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 85)  PID: 1696

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 86)  PID: 1980

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 87)  PID: 1244

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 88)  PID: 776

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 89)  PID: 992

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 90)  PID: 1328
C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 85)  PID: 1952

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 86)  PID: 1336

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 87)  PID: 832

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 88)  PID: 1444
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 89)  PID: 928

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 90)  PID: 1576

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 91)  PID: 1832
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 92)  PID: 396

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 93)  PID: 2036

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 94)  PID: 1096

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 95)  PID: 1728

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 96)  PID: 2024

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 97)  PID: 1376

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 98)  PID: 1948

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 99)  PID: 832

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 100)  PID: 1548

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 101)  PID: 1640

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 102)  PID: 1992

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 103)  PID: 1996

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 104)  PID: 1600

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 105)  PID: 1576

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 106)  PID: 1644

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 107)  PID: 992

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 108)  PID: 552

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 109)  PID: 1800
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 110)  PID: 1836

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 111)  PID: 1628

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 112)  PID: 308

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 113)  PID: 1608

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 114)  PID: 1660

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 115)  PID: 1972

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 116)  PID: 396

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 117)  PID: 1704

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 118)  PID: 1208

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 119)  PID: 2008

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 120)  PID: 1600

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 121)  PID: 1688

C:\Windows\SysWOW64\LSASSMGR.EXE  "C:\Windows\system32\LSASSMGR.EXE"  (tree depth 122)  PID: 2024