Resubmissions
19-01-2021 19:08 210119-tyvvpt3k5a 10
18-01-2021 13:40 210118-6d49cq7d3e 10
17-01-2021 19:18 210117-paemjaehwa 10
14-12-2020 17:16 201214-9v5f6yhaqj 10
Analysis
max time kernel: 151s
max time network: 12s
platform: windows7_x64
resource: win7v20201028
submitted: 18-01-2021 13:40
Behavioral task
behavioral1
Sample: fb71fba4893f205b0f62e2a8bc4f7294.exe
Resource: win7v20201028
0 signatures
0 seconds
General
Target: fb71fba4893f205b0f62e2a8bc4f7294.exe
Size: 724KB
MD5: fb71fba4893f205b0f62e2a8bc4f7294
SHA1: 404e7845d1b6ca8fb4ab92000b1c3c80e4623843
SHA256: a212ce3b73d111d138568fa10a26dcecafd47a2d9ea3ce26c08ab9a7f1f9edd6
SHA512: 55c5e812f90c9d8de7babaa23e1c003ca8c03f995bcd93335e7edc7887eda11e423b03efcb587a00e5e2be3694539387eea96e2b73f7e1bee5e123db1128c914
Malware Config
Signatures
resource yara_rule
behavioral1/files/0x00040000000130e1-8.dat fakeav
behavioral1/files/0x00040000000130e1-11.dat fakeav
Executes dropped EXE 72 IoCs
Sets file execution options in registry 2 TTPs
Loads dropped DLL 148 IoCs
Adds Run key to start application 2 TTPs 72 IoCs
Drops file in System32 directory 141 IoCs
Drops file in Program Files directory 136 IoCs
(x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe srtsrv32.exe File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File 
opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE -
Drops file in Windows directory 1 IoCs
description   ioc                    Process
File created  C:\Windows\divx32.dll  fb71fba4893f205b0f62e2a8bc4f7294.exe
Program crash 1 IoCs
pid   pid_target  Process       procid_target
1824  1980        WerFault.exe  27
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid   Process
1824  LSASSMGR.EXE
1824  LSASSMGR.EXE
1824  LSASSMGR.EXE
1824  LSASSMGR.EXE
1824  LSASSMGR.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  1824  LSASSMGR.EXE
Suspicious use of WriteProcessMemory 296 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb71fba4893f205b0f62e2a8bc4f7294.exe"C:\Users\Admin\AppData\Local\Temp\fb71fba4893f205b0f62e2a8bc4f7294.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:296 -
C:\Windows\SysWOW64\srtsrv32.exe"C:\Windows\system32\srtsrv32.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"4⤵PID:1712
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"6⤵PID:816
-
C:\Windows\SysWOW64\lssmon.exe"C:\Windows\system32\lssmon.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\srtsrv32.exe"C:\Windows\system32\srtsrv32.exe"3⤵PID:1212
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"4⤵PID:1008
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1956 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1732 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
PID:1100 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"8⤵PID:1008
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"9⤵PID:2024
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"10⤵PID:1448
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"11⤵PID:764
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"12⤵PID:1472
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"13⤵PID:888
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"14⤵PID:1144
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"15⤵PID:1688
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"16⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"17⤵PID:1348
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"18⤵PID:1964
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"19⤵PID:1696
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"20⤵PID:1236
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"21⤵PID:764
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"22⤵PID:1200
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"23⤵PID:1008
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"24⤵PID:2028
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"25⤵PID:556
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"26⤵PID:1464
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"27⤵PID:1460
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"28⤵PID:1200
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"29⤵PID:436
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"30⤵PID:1972
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"31⤵PID:948
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"32⤵PID:1724
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"33⤵PID:1656
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"34⤵PID:1520
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"35⤵PID:1068
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"36⤵PID:436
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"37⤵PID:1684
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"38⤵PID:1376
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"39⤵PID:1472
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"40⤵PID:344
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"41⤵PID:328
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"42⤵PID:1964
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"43⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1212 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"44⤵PID:1972
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"45⤵PID:1580
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"46⤵PID:1464
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"47⤵PID:1312
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"48⤵PID:1700
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"49⤵PID:1776
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"50⤵PID:472
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"51⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1332 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"52⤵PID:1724
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"53⤵PID:2044
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"54⤵PID:1560
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"55⤵PID:616
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"56⤵PID:2024
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"57⤵PID:1656
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"58⤵PID:764
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"22⤵PID:1784
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"23⤵PID:344
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"24⤵PID:1208
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"25⤵PID:708
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"26⤵PID:1020
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"27⤵PID:1408
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"28⤵PID:592
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"29⤵PID:436
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"30⤵PID:1960
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"31⤵PID:1208
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"32⤵PID:1768
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"33⤵PID:1976
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"34⤵PID:1336
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"35⤵PID:1560
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"36⤵PID:1444
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"37⤵PID:1772
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"38⤵PID:976
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"39⤵PID:1976
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"40⤵PID:1512
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"41⤵PID:1692
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"42⤵PID:1216
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"43⤵PID:616
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"44⤵PID:1668
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"45⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"46⤵PID:1408
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"47⤵PID:932
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"48⤵PID:592
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"49⤵PID:1376
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"50⤵PID:1088
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"51⤵PID:1784
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"52⤵PID:1908
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"53⤵PID:2028
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"54⤵PID:1516
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"55⤵PID:1960
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"56⤵PID:1376
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"57⤵PID:1968
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"58⤵PID:2044
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"59⤵PID:1512
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"60⤵PID:268
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"61⤵PID:1700
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"62⤵PID:1516
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"63⤵PID:708
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"64⤵PID:1772
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"65⤵PID:1160
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"66⤵PID:1536
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"67⤵PID:912
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"68⤵PID:436
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"69⤵PID:1588
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"70⤵PID:1208
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"71⤵PID:1472
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"72⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"73⤵PID:1352
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"74⤵PID:1684
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"75⤵PID:268
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"76⤵PID:1588
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"77⤵PID:1376
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"78⤵PID:1464
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"79⤵PID:1336
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"80⤵PID:1460
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"81⤵PID:1984
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"82⤵PID:1692
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"83⤵PID:1516
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"84⤵PID:616
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"85⤵PID:1724
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"86⤵PID:1772
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"87⤵PID:2028
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"88⤵PID:344
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"89⤵PID:268
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"90⤵PID:1528
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"91⤵PID:1704
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"92⤵PID:2036
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"93⤵PID:1668
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"94⤵PID:912
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"95⤵PID:1020
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"96⤵PID:1088
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"97⤵PID:616
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"98⤵PID:1908
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"99⤵PID:1008
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"100⤵PID:296
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"101⤵PID:1580
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"102⤵PID:1348
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"103⤵PID:2024
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"104⤵PID:764
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"105⤵PID:1924
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"106⤵PID:700
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"107⤵PID:436
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"108⤵PID:396
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"109⤵PID:268
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"110⤵PID:1020
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"111⤵PID:556
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"112⤵PID:2028
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"113⤵PID:1408
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"114⤵PID:1940
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"115⤵PID:592
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"116⤵PID:572
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"117⤵PID:1364
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"118⤵PID:1724
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"119⤵PID:556
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"120⤵PID:344
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"121⤵PID:1900
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"122⤵PID:1348
-