fakeav | 83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253

Analysis

max time kernel
11s
max time network
145s
platform
windows10_x64
resource
win10v20210410
submitted
17-05-2021 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe
Size

864KB
MD5

a49106b69eabe445f1eb80819d1fef95
SHA1

5fef062d76c478a16cf4eacc2e14180edad4c9e4
SHA256

83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253
SHA512

341b1d3bd54b5f88a6a70a78ec9d3fe93707728743df16b81e0cc02018afd045ed9e2382434045d3d115ad96e09024e3bf38a4759aa216fc3e9199a344716a14

Score

10^/10

fakeav xmrig fakeav miner persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

FakeAV payload 2 IoCs

fakeav spyware

resource	yara_rule
behavioral2/files/0x000200000001ab6f-120.dat	fakeav
behavioral2/files/0x000200000001ab6f-119.dat	fakeav

Executes dropped EXE 64 IoCs

pid	Process
2084	srtsrv32.exe
2480	lssmon.exe
2840	LSASSMGR.EXE
3600	srtsrv32.exe
204	LSASSMGR.EXE
3124	srtsrv32.exe
372	LSASSMGR.EXE
2076	LSASSMGR.EXE
2508	LSASSMGR.EXE
2396	LSASSMGR.EXE
1668	LSASSMGR.EXE
3520	LSASSMGR.EXE
2156	LSASSMGR.EXE
2120	LSASSMGR.EXE
3960	LSASSMGR.EXE
204	LSASSMGR.EXE
4052	LSASSMGR.EXE
3700	LSASSMGR.EXE
1892	LSASSMGR.EXE
2304	LSASSMGR.EXE
3192	LSASSMGR.EXE
2416	LSASSMGR.EXE
2680	LSASSMGR.EXE
2708	LSASSMGR.EXE
2616	LSASSMGR.EXE
1792	LSASSMGR.EXE
3960	LSASSMGR.EXE
2664	LSASSMGR.EXE
3400	LSASSMGR.EXE
3684	LSASSMGR.EXE
208	LSASSMGR.EXE
1144	LSASSMGR.EXE
4068	LSASSMGR.EXE
744	LSASSMGR.EXE
2816	LSASSMGR.EXE
2840	LSASSMGR.EXE
3520	LSASSMGR.EXE
2736	LSASSMGR.EXE
3292	LSASSMGR.EXE
208	LSASSMGR.EXE
2108	LSASSMGR.EXE
1496	LSASSMGR.EXE
2152	LSASSMGR.EXE
2156	LSASSMGR.EXE
200	LSASSMGR.EXE
1512	LSASSMGR.EXE
2420	LSASSMGR.EXE
1792	LSASSMGR.EXE
208	LSASSMGR.EXE
3060	LSASSMGR.EXE
2108	LSASSMGR.EXE
1760	LSASSMGR.EXE
3192	LSASSMGR.EXE
2152	LSASSMGR.EXE
3960	LSASSMGR.EXE
1660	LSASSMGR.EXE
3964	LSASSMGR.EXE
3684	LSASSMGR.EXE
2840	LSASSMGR.EXE
1140	LSASSMGR.EXE
196	LSASSMGR.EXE
200	LSASSMGR.EXE
1572	LSASSMGR.EXE
3292	Process not Found

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\lssmon.exe"	83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lssmon.exe	lssmon.exe
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	srtsrv32.exe
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\lssmon.exe	83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Internet Explorer\iexplor.exe	srtsrv32.exe
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	srtsrv32.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\divx32.dll	83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1672	2480	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	1672	WerFault.exe
Token: SeBackupPrivilege	1672	WerFault.exe
Token: SeDebugPrivilege	1672	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1828 wrote to memory of 2084	1828	83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe	75
PID 1828 wrote to memory of 2084	1828	83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe	75
PID 1828 wrote to memory of 2084	1828	83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe	75
PID 1828 wrote to memory of 2480	1828	83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe	76
PID 1828 wrote to memory of 2480	1828	83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe	76
PID 1828 wrote to memory of 2480	1828	83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe	76
PID 2084 wrote to memory of 2840	2084	srtsrv32.exe	77
PID 2084 wrote to memory of 2840	2084	srtsrv32.exe	77
PID 2084 wrote to memory of 2840	2084	srtsrv32.exe	77
PID 2480 wrote to memory of 3600	2480	lssmon.exe	78
PID 2480 wrote to memory of 3600	2480	lssmon.exe	78
PID 2480 wrote to memory of 3600	2480	lssmon.exe	78
PID 2480 wrote to memory of 204	2480	lssmon.exe	93
PID 2480 wrote to memory of 204	2480	lssmon.exe	93
PID 2480 wrote to memory of 204	2480	lssmon.exe	93
PID 2480 wrote to memory of 3124	2480	lssmon.exe	81
PID 2480 wrote to memory of 3124	2480	lssmon.exe	81
PID 2480 wrote to memory of 3124	2480	lssmon.exe	81
PID 2840 wrote to memory of 372	2840	LSASSMGR.EXE	82
PID 2840 wrote to memory of 372	2840	LSASSMGR.EXE	82
PID 2840 wrote to memory of 372	2840	LSASSMGR.EXE	82
PID 3600 wrote to memory of 2076	3600	srtsrv32.exe	84
PID 3600 wrote to memory of 2076	3600	srtsrv32.exe	84
PID 3600 wrote to memory of 2076	3600	srtsrv32.exe	84
PID 204 wrote to memory of 2396	204	LSASSMGR.EXE	89
PID 204 wrote to memory of 2396	204	LSASSMGR.EXE	89
PID 204 wrote to memory of 2396	204	LSASSMGR.EXE	89
PID 3124 wrote to memory of 2508	3124	srtsrv32.exe	172
PID 3124 wrote to memory of 2508	3124	srtsrv32.exe	172
PID 3124 wrote to memory of 2508	3124	srtsrv32.exe	172
PID 372 wrote to memory of 1668	372	LSASSMGR.EXE	86
PID 372 wrote to memory of 1668	372	LSASSMGR.EXE	86
PID 372 wrote to memory of 1668	372	LSASSMGR.EXE	86
PID 2508 wrote to memory of 3520	2508	LSASSMGR.EXE	224
PID 2508 wrote to memory of 3520	2508	LSASSMGR.EXE	224
PID 2508 wrote to memory of 3520	2508	LSASSMGR.EXE	224
PID 2396 wrote to memory of 2120	2396	LSASSMGR.EXE	196
PID 2396 wrote to memory of 2120	2396	LSASSMGR.EXE	196
PID 2396 wrote to memory of 2120	2396	LSASSMGR.EXE	196
PID 2076 wrote to memory of 2156	2076	LSASSMGR.EXE	232
PID 2076 wrote to memory of 2156	2076	LSASSMGR.EXE	232
PID 2076 wrote to memory of 2156	2076	LSASSMGR.EXE	232
PID 1668 wrote to memory of 3960	1668	LSASSMGR.EXE	245
PID 1668 wrote to memory of 3960	1668	LSASSMGR.EXE	245
PID 1668 wrote to memory of 3960	1668	LSASSMGR.EXE	245
PID 3520 wrote to memory of 204	3520	LSASSMGR.EXE	93
PID 3520 wrote to memory of 204	3520	LSASSMGR.EXE	93
PID 3520 wrote to memory of 204	3520	LSASSMGR.EXE	93
PID 2120 wrote to memory of 3700	2120	LSASSMGR.EXE	95
PID 2120 wrote to memory of 3700	2120	LSASSMGR.EXE	95
PID 2120 wrote to memory of 3700	2120	LSASSMGR.EXE	95
PID 2156 wrote to memory of 4052	2156	LSASSMGR.EXE	94
PID 2156 wrote to memory of 4052	2156	LSASSMGR.EXE	94
PID 2156 wrote to memory of 4052	2156	LSASSMGR.EXE	94
PID 3960 wrote to memory of 1892	3960	LSASSMGR.EXE	361
PID 3960 wrote to memory of 1892	3960	LSASSMGR.EXE	361
PID 3960 wrote to memory of 1892	3960	LSASSMGR.EXE	361
PID 204 wrote to memory of 2304	204	LSASSMGR.EXE	270
PID 204 wrote to memory of 2304	204	LSASSMGR.EXE	270
PID 204 wrote to memory of 2304	204	LSASSMGR.EXE	270
PID 3700 wrote to memory of 3192	3700	LSASSMGR.EXE	274
PID 3700 wrote to memory of 3192	3700	LSASSMGR.EXE	274
PID 3700 wrote to memory of 3192	3700	LSASSMGR.EXE	274
PID 4052 wrote to memory of 2416	4052	LSASSMGR.EXE	230

C:\Users\Admin\AppData\Local\Temp\83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe
"C:\Users\Admin\AppData\Local\Temp\83fc747a681b9862f2889f71c9b9b9005059820fc0a6b40d24ff590aefe6c253.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1828
- C:\Windows\SysWOW64\srtsrv32.exe
  "C:\Windows\system32\srtsrv32.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2840
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:372
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:1668
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        
        PID:424
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        44⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        45⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        46⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        48⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        49⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        50⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        51⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        52⤵
        
        PID:216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        53⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        54⤵
        
        PID:200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        55⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        56⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        57⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        58⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        59⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        60⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        61⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        62⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        63⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        64⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        65⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        66⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        67⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        68⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        69⤵
        
        PID:748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        70⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        71⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        72⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        73⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        74⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        75⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        76⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        77⤵
        
        PID:372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        78⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        79⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        80⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        81⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        82⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        83⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        84⤵
        
        PID:748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        85⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        86⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        87⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        88⤵
        
        PID:772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        89⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        90⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        91⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        92⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        93⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        94⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        95⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        96⤵
        
        PID:196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        97⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        98⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        99⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        100⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2664
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        101⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        102⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        103⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        104⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        105⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        106⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        107⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        108⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        109⤵
        
        PID:620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        110⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        111⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        112⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        113⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        114⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        115⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        116⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        117⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        118⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        119⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        120⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        121⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        122⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        123⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        124⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        125⤵
        
        PID:192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        126⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        127⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        128⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        129⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        130⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        131⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        132⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        133⤵
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        134⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        135⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        136⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        137⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        138⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        139⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        140⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        141⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        142⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        143⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        144⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        145⤵
        
        PID:748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        146⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        147⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        148⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        149⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        150⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        151⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        152⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        153⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:1760
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        154⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        155⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        156⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        157⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        158⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        159⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        160⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        161⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        162⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        163⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        164⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        165⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        166⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        167⤵
        
        PID:748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        168⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        169⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        170⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        171⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        172⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        173⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        174⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        175⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        176⤵
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        177⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        178⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        179⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        180⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        181⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        182⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        183⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        184⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        185⤵
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        186⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        187⤵
        
        PID:196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        188⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        189⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        190⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        191⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        192⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        193⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        194⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        195⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        196⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        197⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        198⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        199⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        200⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        201⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        202⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        203⤵
        
        PID:908
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        204⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        205⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        206⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        207⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        208⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        209⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        210⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        211⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        212⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        213⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        214⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        215⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        216⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        217⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        218⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        219⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        220⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        221⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        222⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        223⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        224⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        225⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        226⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        227⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        228⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        229⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        230⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        231⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        232⤵
        
        PID:372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        233⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        234⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        235⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        236⤵
        
        PID:424
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        237⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        238⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        239⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        240⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        241⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        242⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        243⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        244⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        245⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        246⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        247⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        248⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        249⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        250⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        251⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        252⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        253⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        254⤵
        
        PID:424
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        255⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        256⤵
        
        PID:1676
- C:\Windows\SysWOW64\lssmon.exe
  "C:\Windows\system32\lssmon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\srtsrv32.exe
    "C:\Windows\system32\srtsrv32.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      Executes dropped EXE
      PID:2076
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2156
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:744
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        44⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        45⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        46⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        47⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        48⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        49⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        50⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        51⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        52⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        53⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        54⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        55⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        56⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        57⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        58⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        59⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        60⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        61⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        62⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        63⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        64⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        65⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        66⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        67⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        68⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        69⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        70⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        71⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        72⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        73⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        74⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        75⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        76⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        77⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        78⤵
        
        PID:792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        79⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        80⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        81⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        82⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        83⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        84⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        85⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        86⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        87⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        88⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        89⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        90⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        91⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        92⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        93⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        94⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        95⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        96⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        97⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        98⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        99⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        100⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        101⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        102⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        103⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        104⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        105⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        106⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        107⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        108⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        109⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        110⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        111⤵
        
        PID:424
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        112⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        113⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        114⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        115⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        116⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        117⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        118⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        119⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        120⤵
        
        PID:192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        121⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        122⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        123⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        124⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        125⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        126⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        127⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        128⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        129⤵
        Executes dropped EXE
        
        PID:1144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        130⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        131⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        132⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        133⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        134⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        135⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        136⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        137⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        138⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        139⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        140⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        141⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        142⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        143⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        144⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        145⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        146⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        147⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        148⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        149⤵
        
        PID:748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        150⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        151⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        152⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        153⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        154⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        155⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        156⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        157⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        158⤵
        
        PID:216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        159⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        160⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        161⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        162⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        163⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        164⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        165⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        166⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        167⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        168⤵
        
        PID:620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        169⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        170⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        171⤵
        
        PID:372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        172⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        173⤵
        
        PID:216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        174⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        175⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        176⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        177⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        178⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        179⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        180⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        181⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        182⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        183⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        184⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        185⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        186⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        187⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        188⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        189⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        190⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        191⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        192⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        193⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        194⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        195⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        196⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        197⤵
        
        PID:772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        198⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        199⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        200⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        201⤵
        
        PID:792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        202⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        203⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        204⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        205⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        206⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        207⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        208⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        209⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        210⤵
        
        PID:200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        211⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        212⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        213⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        214⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        215⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        216⤵
        
        PID:908
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        217⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        218⤵
        
        PID:200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        219⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        220⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        221⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        222⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        223⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        224⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        225⤵
        
        PID:200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        226⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        227⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        228⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        229⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        230⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        231⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        232⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        233⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        234⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        235⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        236⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        237⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        238⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        239⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        240⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        241⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        242⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        243⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        244⤵
        
        PID:216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        245⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        246⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        247⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        248⤵
        
        PID:192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        249⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        250⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        251⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        252⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        253⤵
        Drops file in Program Files directory
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        254⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        255⤵
        
        PID:2732
- - C:\Windows\SysWOW64\srtsrv32.exe
    "C:\Windows\system32\srtsrv32.exe"
    3⤵
    PID:204
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2120
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3400
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        44⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        45⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        46⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        47⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        48⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        49⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        50⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        52⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        53⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        54⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        55⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        56⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        57⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        58⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        59⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        60⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        61⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        62⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        63⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        64⤵
        
        PID:192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        65⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        66⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        67⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        68⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        69⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        70⤵
        
        PID:216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        71⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        72⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        73⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        74⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        75⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        76⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        77⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        78⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        79⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        80⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        81⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        82⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2616
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        83⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        84⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        85⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        86⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        87⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        88⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        89⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        90⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        91⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        92⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        93⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        94⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        95⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        96⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        97⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        98⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        99⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        100⤵
        
        PID:620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        101⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        102⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        103⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        104⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        105⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        106⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        107⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        108⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        109⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        110⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        111⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        112⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        113⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        114⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        115⤵
        
        PID:196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        116⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        117⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        118⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        119⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        120⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        121⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        122⤵
        Executes dropped EXE
        
        PID:200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        123⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        124⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        125⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        126⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        127⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        128⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        129⤵
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        130⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        131⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        132⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        133⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        134⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        135⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        136⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        137⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        138⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        139⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        140⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        141⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        142⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        143⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        144⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        145⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        146⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        147⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        148⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        149⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        150⤵
        
        PID:196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        151⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        152⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        153⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        154⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        155⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        156⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        157⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        158⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        159⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        160⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        161⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        162⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        163⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        164⤵
        
        PID:424
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        165⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        166⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        167⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        168⤵
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        169⤵
        
        PID:192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        170⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        171⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        172⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        173⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        174⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        175⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        176⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        177⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        178⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        179⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        180⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        181⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        182⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        183⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        184⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        185⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        186⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        187⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        188⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        189⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        190⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        191⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        192⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        193⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        194⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        195⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        196⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        197⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        198⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        199⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        200⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        201⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        202⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        203⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        204⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        205⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        206⤵
        
        PID:216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        207⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        208⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        209⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        210⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        211⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        212⤵
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        213⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        214⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        215⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        216⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        217⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        218⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        219⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        220⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        221⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        222⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        223⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        224⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        225⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        226⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        227⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        228⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        229⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        230⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        231⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        232⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        233⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        234⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        235⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        236⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        237⤵
        
        PID:372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        238⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        239⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        240⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        241⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        242⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        243⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        244⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        245⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        246⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        247⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        248⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        249⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        250⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        251⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        252⤵
        
        PID:772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        253⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        254⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        255⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        256⤵
        
        PID:748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        257⤵
        
        PID:3936
- - C:\Windows\SysWOW64\srtsrv32.exe
    "C:\Windows\system32\srtsrv32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2508
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 1084
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1672

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3520
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:204
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2304
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2708
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2664
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        Drops file in Program Files directory
        
        PID:1820
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:424
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        
        PID:200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        44⤵
        
        PID:192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        45⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        46⤵
        
        PID:196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        47⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        48⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        49⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        50⤵
        
        PID:216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        51⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        52⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        53⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        54⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        55⤵
        
        PID:216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        56⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        57⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        58⤵
        Drops file in Program Files directory
        
        PID:1324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        59⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        60⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        61⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        62⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        63⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        64⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        65⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        66⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        67⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        68⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        69⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        70⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        71⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        72⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        73⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        74⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        75⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        76⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        77⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        78⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        79⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        80⤵
        
        PID:216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        81⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        82⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        83⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        84⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        85⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        86⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        87⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        88⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        89⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        90⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        91⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        92⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        93⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        94⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        95⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        96⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        97⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        98⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        99⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        100⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        101⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        102⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        103⤵
        
        PID:792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        104⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        105⤵
        
        PID:372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        106⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        107⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        108⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        109⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        110⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        111⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        112⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        113⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        114⤵
        
        PID:196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        115⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4008
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        116⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        117⤵
        
        PID:216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        118⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        119⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        120⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        121⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        122⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        123⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        124⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        125⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        126⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        127⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        128⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        129⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        130⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        131⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        132⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        133⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        134⤵
        
        PID:192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        135⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        136⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        137⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        138⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        139⤵
        Executes dropped EXE
        
        PID:2736
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        140⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        141⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        142⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        143⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        144⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        145⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        146⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        147⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        148⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        149⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        150⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        151⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        152⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        153⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        154⤵
        
        PID:792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        155⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        156⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:1496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        157⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        158⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        159⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        160⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        161⤵
        
        PID:792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        162⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        163⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        164⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        165⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        166⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        167⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        168⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        169⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        170⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        171⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        172⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        173⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        174⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        175⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        176⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        177⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        178⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        179⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        180⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        181⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        182⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        183⤵
        
        PID:372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        184⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        185⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        186⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        187⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        188⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        189⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        190⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        191⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        192⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        193⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        194⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        195⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        196⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        197⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        198⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        199⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        200⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        201⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        202⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        203⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        204⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        205⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        206⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        207⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        208⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        209⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        210⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        211⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        212⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        213⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        214⤵
        
        PID:792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        215⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        216⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        217⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        218⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        219⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        220⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        221⤵
        
        PID:792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        222⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        223⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        224⤵
        
        PID:424
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        225⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        226⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        227⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        228⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        229⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        230⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        231⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        232⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        233⤵
        
        PID:908
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        234⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        235⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        236⤵
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        237⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        238⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        239⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        240⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        241⤵
        
        PID:620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        242⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        243⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        244⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        245⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        246⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        247⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        248⤵
        
        PID:620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        249⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        250⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        251⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        252⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        253⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        254⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        255⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        256⤵
        
        PID:2152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1828-114-0x00000000004D0000-0x000000000061A000-memory.dmp

Filesize
1.3MB

Download
memory/2480-143-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download