Resubmissions
19-01-2021 19:08 210119-tyvvpt3k5a 10
18-01-2021 13:40 210118-6d49cq7d3e 10
17-01-2021 19:18 210117-paemjaehwa 10
14-12-2020 17:16 201214-9v5f6yhaqj 10
Analysis
max time kernel: 151s
max time network: 12s
platform: windows7_x64
resource: win7v20201028
submitted: 19-01-2021 19:08
Behavioral task: behavioral1
Sample: fb71fba4893f205b0f62e2a8bc4f7294.exe
Resource: win7v20201028
General
Target: fb71fba4893f205b0f62e2a8bc4f7294.exe
Size: 724KB
MD5: fb71fba4893f205b0f62e2a8bc4f7294
SHA1: 404e7845d1b6ca8fb4ab92000b1c3c80e4623843
SHA256: a212ce3b73d111d138568fa10a26dcecafd47a2d9ea3ce26c08ab9a7f1f9edd6
SHA512: 55c5e812f90c9d8de7babaa23e1c003ca8c03f995bcd93335e7edc7887eda11e423b03efcb587a00e5e2be3694539387eea96e2b73f7e1bee5e123db1128c914
Malware Config
Signatures
resource yara_rule
behavioral1/files/0x00040000000130de-10.dat fakeav
behavioral1/files/0x00040000000130de-15.dat fakeav
behavioral1/files/0x00040000000130de-40.dat fakeav
Executes dropped EXE 92 IoCs
Sets file execution options in registry 2 TTPs
Loads dropped DLL 185 IoCs
Adds Run key to start application 2 TTPs 95 IoCs
Drops file in System32 directory 189 IoCs
Drops file in Program Files directory 180 IoCs
Drops file in Windows directory 1 IoCs
description  ioc  Process
File created  C:\Windows\divx32.dll  fb71fba4893f205b0f62e2a8bc4f7294.exe
Program crash 1 IoCs
pid  pid_target  Process  procid_target
380  1528  WerFault.exe  30
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid  Process
380  WerFault.exe
380  WerFault.exe
380  WerFault.exe
380  WerFault.exe
380  WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description  pid  Process
Token: SeDebugPrivilege  380  WerFault.exe
Suspicious use of WriteProcessMemory 376 IoCs
LSASSMGR.EXE 2511 PID 1348 wrote to memory of 1256 1348 LSASSMGR.EXE 2511 PID 1348 wrote to memory of 1256 1348 LSASSMGR.EXE 2511 PID 1348 wrote to memory of 1256 1348 LSASSMGR.EXE 2511 PID 1716 wrote to memory of 1064 1716 LSASSMGR.EXE 2352 PID 1716 wrote to memory of 1064 1716 LSASSMGR.EXE 2352 PID 1716 wrote to memory of 1064 1716 LSASSMGR.EXE 2352 PID 1716 wrote to memory of 1064 1716 LSASSMGR.EXE 2352 PID 1632 wrote to memory of 1292 1632 LSASSMGR.EXE 2599 PID 1632 wrote to memory of 1292 1632 LSASSMGR.EXE 2599 PID 1632 wrote to memory of 1292 1632 LSASSMGR.EXE 2599 PID 1632 wrote to memory of 1292 1632 LSASSMGR.EXE 2599 PID 1256 wrote to memory of 1900 1256 LSASSMGR.EXE 2796 PID 1256 wrote to memory of 1900 1256 LSASSMGR.EXE 2796 PID 1256 wrote to memory of 1900 1256 LSASSMGR.EXE 2796 PID 1256 wrote to memory of 1900 1256 LSASSMGR.EXE 2796 PID 1064 wrote to memory of 392 1064 LSASSMGR.EXE 2125 PID 1064 wrote to memory of 392 1064 LSASSMGR.EXE 2125 PID 1064 wrote to memory of 392 1064 LSASSMGR.EXE 2125 PID 1064 wrote to memory of 392 1064 LSASSMGR.EXE 2125 PID 544 wrote to memory of 852 544 LSASSMGR.EXE 2766 PID 544 wrote to memory of 852 544 LSASSMGR.EXE 2766 PID 544 wrote to memory of 852 544 LSASSMGR.EXE 2766 PID 544 wrote to memory of 852 544 LSASSMGR.EXE 2766 PID 1900 wrote to memory of 556 1900 LSASSMGR.EXE 2725 PID 1900 wrote to memory of 556 1900 LSASSMGR.EXE 2725 PID 1900 wrote to memory of 556 1900 LSASSMGR.EXE 2725 PID 1900 wrote to memory of 556 1900 LSASSMGR.EXE 2725 PID 1292 wrote to memory of 1008 1292 LSASSMGR.EXE 2949 PID 1292 wrote to memory of 1008 1292 LSASSMGR.EXE 2949 PID 1292 wrote to memory of 1008 1292 LSASSMGR.EXE 2949 PID 1292 wrote to memory of 1008 1292 LSASSMGR.EXE 2949 PID 852 wrote to memory of 1780 852 LSASSMGR.EXE 2902 PID 852 wrote to memory of 1780 852 LSASSMGR.EXE 2902 PID 852 wrote to memory of 1780 852 LSASSMGR.EXE 2902 PID 852 wrote to memory of 1780 852 LSASSMGR.EXE 2902 PID 1008 wrote to memory of 428 1008 LSASSMGR.EXE 
2984 PID 1008 wrote to memory of 428 1008 LSASSMGR.EXE 2984 PID 1008 wrote to memory of 428 1008 LSASSMGR.EXE 2984 PID 1008 wrote to memory of 428 1008 LSASSMGR.EXE 2984 PID 392 wrote to memory of 648 392 LSASSMGR.EXE 2978 PID 392 wrote to memory of 648 392 LSASSMGR.EXE 2978 PID 392 wrote to memory of 648 392 LSASSMGR.EXE 2978 PID 392 wrote to memory of 648 392 LSASSMGR.EXE 2978 PID 556 wrote to memory of 1784 556 LSASSMGR.EXE 2863 PID 556 wrote to memory of 1784 556 LSASSMGR.EXE 2863 PID 556 wrote to memory of 1784 556 LSASSMGR.EXE 2863 PID 556 wrote to memory of 1784 556 LSASSMGR.EXE 2863
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb71fba4893f205b0f62e2a8bc4f7294.exe"C:\Users\Admin\AppData\Local\Temp\fb71fba4893f205b0f62e2a8bc4f7294.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\srtsrv32.exe"C:\Windows\system32\srtsrv32.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:884 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"7⤵PID:1820
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"8⤵PID:1952
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"9⤵PID:1252
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"10⤵PID:964
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"11⤵PID:1596
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"12⤵PID:1212
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"13⤵PID:1952
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"14⤵PID:1124
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"15⤵PID:1484
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"16⤵PID:1768
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"17⤵PID:900
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"18⤵PID:1784
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"19⤵PID:744
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"20⤵PID:1728
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"21⤵PID:316
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"22⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"23⤵PID:660
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"24⤵PID:1368
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"25⤵PID:1296
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"26⤵PID:1348
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"27⤵PID:1256
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"28⤵PID:1900
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"29⤵PID:556
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"30⤵PID:1784
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"31⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"32⤵PID:1808
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"33⤵PID:1744
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"34⤵PID:1292
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"35⤵PID:1724
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"36⤵PID:1840
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"37⤵PID:1696
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"38⤵PID:1328
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"39⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1252 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"40⤵PID:1612
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"41⤵PID:612
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"42⤵PID:1716
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"43⤵PID:1172
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"44⤵PID:1056
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"45⤵PID:1524
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"46⤵PID:776
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"47⤵PID:1068
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"48⤵PID:360
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"49⤵PID:296
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"50⤵PID:948
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"51⤵PID:1008
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"52⤵PID:1896
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"53⤵PID:1784
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"54⤵PID:1592
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"55⤵PID:564
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"56⤵PID:1836
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"57⤵PID:612
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"58⤵PID:648
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"59⤵PID:544
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"60⤵PID:392
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"61⤵PID:1804
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"62⤵PID:1972
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"63⤵PID:1404
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"64⤵PID:1296
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"65⤵PID:1816
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"66⤵PID:1952
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"67⤵PID:2024
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"68⤵PID:360
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"69⤵PID:1176
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"70⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"71⤵PID:1816
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"72⤵PID:1984
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"73⤵PID:1780
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"74⤵PID:1172
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"75⤵PID:1340
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"76⤵PID:884
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"77⤵PID:556
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"78⤵PID:1056
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"79⤵PID:2044
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"80⤵PID:836
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"81⤵PID:1952
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"82⤵PID:1552
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"83⤵PID:748
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"84⤵PID:544
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"85⤵PID:1296
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"86⤵PID:584
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"87⤵PID:1692
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"88⤵PID:1896
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"89⤵PID:1980
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"90⤵PID:1744
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"91⤵PID:884
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"92⤵PID:556
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"93⤵PID:1596
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"94⤵PID:1176
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"95⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"96⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"97⤵PID:816
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"98⤵PID:564
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"99⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"100⤵PID:1900
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"101⤵PID:1016
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"102⤵PID:1804
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"103⤵PID:1580
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"104⤵PID:2032
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"105⤵PID:1524
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"106⤵PID:792
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"107⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:1552 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"108⤵PID:1768
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"109⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"110⤵PID:1368
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"111⤵PID:1980
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"112⤵PID:660
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"113⤵PID:920
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"114⤵
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"115⤵PID:852
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"116⤵PID:2040
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"117⤵PID:1072
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"118⤵PID:112
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"119⤵PID:1256
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"120⤵PID:1840
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"121⤵PID:544
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"122⤵PID:520