fakeav | 2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639

Analysis

max time kernel
158s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
09-03-2022 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe
Size

724KB
MD5

0157ca9826104cfe332625475c99ceea
SHA1

d772f88a920d21dd01a89d7fbabda1ae3157a02a
SHA256

2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639
SHA512

d26e8e72d073bce10fa4eaf9ea27535550ea3ae8e157570d2a749af8824c7fa0092819979b1f8c19fdd472af94d50a0c7e686ae99da28a8132359b9313885daa

Score

10^/10

fakeav fakeav persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav

FakeAV payload 2 IoCs

fakeav spyware

resource	yara_rule
behavioral2/files/0x000400000001e7c9-138.dat	fakeav
behavioral2/files/0x000400000001e7c9-135.dat	fakeav

Executes dropped EXE 64 IoCs

pid	Process
5080	srtsrv32.exe
4012	LSASSMGR.EXE
392	lssmon.exe
64	LSASSMGR.EXE
1820	srtsrv32.exe
1452	srtsrv32.exe
3924	srtsrv32.exe
3368	LSASSMGR.EXE
4824	LSASSMGR.EXE
4912	LSASSMGR.EXE
4888	LSASSMGR.EXE
4748	LSASSMGR.EXE
4740	LSASSMGR.EXE
2440	LSASSMGR.EXE
2400	LSASSMGR.EXE
2092	LSASSMGR.EXE
2404	LSASSMGR.EXE
3376	LSASSMGR.EXE
3548	LSASSMGR.EXE
228	LSASSMGR.EXE
3436	LSASSMGR.EXE
4940	LSASSMGR.EXE
5104	LSASSMGR.EXE
444	LSASSMGR.EXE
5000	LSASSMGR.EXE
2788	LSASSMGR.EXE
752	LSASSMGR.EXE
512	LSASSMGR.EXE
4744	LSASSMGR.EXE
4192	LSASSMGR.EXE
2176	LSASSMGR.EXE
2460	LSASSMGR.EXE
1040	LSASSMGR.EXE
3336	LSASSMGR.EXE
3644	LSASSMGR.EXE
1508	LSASSMGR.EXE
1800	LSASSMGR.EXE
2796	LSASSMGR.EXE
2016	LSASSMGR.EXE
3632	LSASSMGR.EXE
376	LSASSMGR.EXE
4936	LSASSMGR.EXE
4196	LSASSMGR.EXE
3792	LSASSMGR.EXE
4820	LSASSMGR.EXE
1708	LSASSMGR.EXE
4132	LSASSMGR.EXE
4344	LSASSMGR.EXE
64	LSASSMGR.EXE
1392	LSASSMGR.EXE
4848	LSASSMGR.EXE
1452	LSASSMGR.EXE
364	LSASSMGR.EXE
4808	LSASSMGR.EXE
4688	LSASSMGR.EXE
2332	LSASSMGR.EXE
1560	LSASSMGR.EXE
4092	LSASSMGR.EXE
2260	LSASSMGR.EXE
2392	LSASSMGR.EXE
3528	LSASSMGR.EXE
2296	LSASSMGR.EXE
4324	LSASSMGR.EXE
2440	LSASSMGR.EXE

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	srtsrv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	srtsrv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	lssmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lssmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	wmiprvse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\srtsrv32.exe	2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe
File opened for modification	C:\Windows\SysWOW64\spool.exe	srtsrv32.exe
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	wmiprvse.exe
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	wmiprvse.exe
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\spool.exe	srtsrv32.exe
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	srtsrv32.exe
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	wmiprvse.exe
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	srtsrv32.exe
File created	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	srtsrv32.exe
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\divx32.dll	2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4580	392	WerFault.exe	79

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 5080	3268	2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe	78
PID 3268 wrote to memory of 5080	3268	2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe	78
PID 3268 wrote to memory of 5080	3268	2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe	78
PID 5080 wrote to memory of 4012	5080	srtsrv32.exe	80
PID 5080 wrote to memory of 4012	5080	srtsrv32.exe	80
PID 5080 wrote to memory of 4012	5080	srtsrv32.exe	80
PID 3268 wrote to memory of 392	3268	2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe	79
PID 3268 wrote to memory of 392	3268	2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe	79
PID 3268 wrote to memory of 392	3268	2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe	79
PID 4012 wrote to memory of 64	4012	LSASSMGR.EXE	81
PID 4012 wrote to memory of 64	4012	LSASSMGR.EXE	81
PID 4012 wrote to memory of 64	4012	LSASSMGR.EXE	81
PID 392 wrote to memory of 1820	392	lssmon.exe	82
PID 392 wrote to memory of 1820	392	lssmon.exe	82
PID 392 wrote to memory of 1820	392	lssmon.exe	82
PID 392 wrote to memory of 1452	392	lssmon.exe	83
PID 392 wrote to memory of 1452	392	lssmon.exe	83
PID 392 wrote to memory of 1452	392	lssmon.exe	83
PID 392 wrote to memory of 3924	392	lssmon.exe	84
PID 392 wrote to memory of 3924	392	lssmon.exe	84
PID 392 wrote to memory of 3924	392	lssmon.exe	84
PID 64 wrote to memory of 3368	64	LSASSMGR.EXE	86
PID 64 wrote to memory of 3368	64	LSASSMGR.EXE	86
PID 64 wrote to memory of 3368	64	LSASSMGR.EXE	86
PID 1820 wrote to memory of 4824	1820	srtsrv32.exe	87
PID 1820 wrote to memory of 4824	1820	srtsrv32.exe	87
PID 1820 wrote to memory of 4824	1820	srtsrv32.exe	87
PID 3924 wrote to memory of 4912	3924	srtsrv32.exe	89
PID 3924 wrote to memory of 4912	3924	srtsrv32.exe	89
PID 3924 wrote to memory of 4912	3924	srtsrv32.exe	89
PID 1452 wrote to memory of 4888	1452	srtsrv32.exe	88
PID 1452 wrote to memory of 4888	1452	srtsrv32.exe	88
PID 1452 wrote to memory of 4888	1452	srtsrv32.exe	88
PID 3368 wrote to memory of 4748	3368	LSASSMGR.EXE	90
PID 3368 wrote to memory of 4748	3368	LSASSMGR.EXE	90
PID 3368 wrote to memory of 4748	3368	LSASSMGR.EXE	90
PID 4912 wrote to memory of 4740	4912	LSASSMGR.EXE	91
PID 4912 wrote to memory of 4740	4912	LSASSMGR.EXE	91
PID 4912 wrote to memory of 4740	4912	LSASSMGR.EXE	91
PID 4824 wrote to memory of 2440	4824	LSASSMGR.EXE	93
PID 4824 wrote to memory of 2440	4824	LSASSMGR.EXE	93
PID 4824 wrote to memory of 2440	4824	LSASSMGR.EXE	93
PID 4888 wrote to memory of 2400	4888	LSASSMGR.EXE	92
PID 4888 wrote to memory of 2400	4888	LSASSMGR.EXE	92
PID 4888 wrote to memory of 2400	4888	LSASSMGR.EXE	92
PID 4740 wrote to memory of 2404	4740	LSASSMGR.EXE	95
PID 4740 wrote to memory of 2404	4740	LSASSMGR.EXE	95
PID 4740 wrote to memory of 2404	4740	LSASSMGR.EXE	95
PID 4748 wrote to memory of 2092	4748	LSASSMGR.EXE	94
PID 4748 wrote to memory of 2092	4748	LSASSMGR.EXE	94
PID 4748 wrote to memory of 2092	4748	LSASSMGR.EXE	94
PID 2400 wrote to memory of 3376	2400	LSASSMGR.EXE	148
PID 2400 wrote to memory of 3376	2400	LSASSMGR.EXE	148
PID 2400 wrote to memory of 3376	2400	LSASSMGR.EXE	148
PID 2440 wrote to memory of 3548	2440	LSASSMGR.EXE	99
PID 2440 wrote to memory of 3548	2440	LSASSMGR.EXE	99
PID 2440 wrote to memory of 3548	2440	LSASSMGR.EXE	99
PID 2404 wrote to memory of 228	2404	LSASSMGR.EXE	97
PID 2404 wrote to memory of 228	2404	LSASSMGR.EXE	97
PID 2404 wrote to memory of 228	2404	LSASSMGR.EXE	97
PID 2092 wrote to memory of 3436	2092	LSASSMGR.EXE	98
PID 2092 wrote to memory of 3436	2092	LSASSMGR.EXE	98
PID 2092 wrote to memory of 3436	2092	LSASSMGR.EXE	98
PID 3548 wrote to memory of 4940	3548	LSASSMGR.EXE	102

C:\Users\Admin\AppData\Local\Temp\2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe
"C:\Users\Admin\AppData\Local\Temp\2bf04ce35bac2c2321b71d8ab392195133ce2cf942d9c9c4f597e7b299a23639.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\SysWOW64\srtsrv32.exe
  "C:\Windows\system32\srtsrv32.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:64
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3368
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3436
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4744
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:1040
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        
        PID:1800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        Executes dropped EXE
        
        PID:64
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:408
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        Drops file in Program Files directory
        
        PID:5084
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        Adds Run key to start application
        
        PID:4156
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2648
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        44⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        45⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        46⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        47⤵
        Checks computer location settings
        
        PID:2712
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        48⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        49⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        50⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        51⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        52⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        53⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        54⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        55⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        56⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        57⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        58⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        59⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        60⤵
        
        PID:376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        61⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        62⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        63⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        64⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        65⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        66⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        67⤵
        
        PID:544
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        68⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        69⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        70⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        71⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        72⤵
        
        PID:748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        73⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        74⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        75⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        76⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        77⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        78⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        79⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        80⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        81⤵
        
        PID:408
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        82⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        83⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        84⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        85⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        86⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        87⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        88⤵
        
        PID:220
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        89⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        90⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        91⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:1632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        92⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        93⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        94⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        95⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        96⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        97⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        98⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        99⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        100⤵
        
        PID:228
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        101⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        102⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        103⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        104⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        105⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        106⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        107⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        108⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        109⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        110⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        111⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        112⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        113⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        114⤵
        Checks computer location settings
        
        PID:3632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        115⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        116⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        117⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        118⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        119⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        120⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        121⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        122⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        123⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        124⤵
        
        PID:392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        125⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        126⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        127⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        128⤵
        Checks computer location settings
        Drops file in Program Files directory
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        129⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        130⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        131⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        132⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        133⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        134⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        135⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        136⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        137⤵
        
        PID:940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        138⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        139⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        140⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        141⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        142⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        143⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        
        PID:4324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        144⤵
        
        PID:532
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        145⤵
        
        PID:476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        146⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        147⤵
        
        PID:720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        148⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        149⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        150⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        151⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        152⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        153⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        154⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        155⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        156⤵
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        157⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        158⤵
        
        PID:752
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        159⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        160⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        161⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        162⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        163⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        164⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        165⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        166⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        167⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        168⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        169⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        170⤵
        
        PID:476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        171⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        172⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        173⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        174⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        175⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        176⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        177⤵
        
        PID:364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        178⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        179⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2260
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        180⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        181⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        182⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        183⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        184⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        185⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        186⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        187⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        188⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        189⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        190⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        191⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        192⤵
        
        PID:632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        193⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        194⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        195⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        196⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        197⤵
        
        PID:860
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        198⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        199⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        200⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        201⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        202⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        203⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        204⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        205⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        206⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        207⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3188
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        208⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        209⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        210⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        211⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        212⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        213⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        214⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        215⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        216⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        217⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        218⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        219⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        220⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        221⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        222⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        223⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        224⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        225⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        226⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        227⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        228⤵
        Checks computer location settings
        
        PID:1756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        229⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        230⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        231⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        232⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        233⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        234⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        235⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        236⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        237⤵
        Checks computer location settings
        
        PID:5016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        238⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        239⤵
        Checks computer location settings
        Drops file in Program Files directory
        
        PID:4756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        240⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        241⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        242⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:116
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        243⤵
        Adds Run key to start application
        
        PID:3908
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        244⤵
        
        PID:480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        245⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        246⤵
        
        PID:392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        247⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        248⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        249⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        250⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        251⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        252⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        253⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        254⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        255⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        256⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        257⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        258⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        259⤵
        
        PID:4820
- C:\Windows\SysWOW64\lssmon.exe
  "C:\Windows\system32\lssmon.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Windows\SysWOW64\srtsrv32.exe
    "C:\Windows\system32\srtsrv32.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:2440
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3336
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        
        PID:4132
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:1084
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        Drops file in Program Files directory
        
        PID:3540
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        44⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        45⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        46⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        47⤵
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        48⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        49⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        50⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        51⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        52⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        53⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        54⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        55⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        56⤵
        
        PID:400
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        58⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        59⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        60⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        61⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        62⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        63⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        64⤵
        
        PID:664
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        65⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        66⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        67⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        68⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        69⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        70⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        71⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        72⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        73⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        74⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        75⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        76⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        77⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        78⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        79⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        80⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        81⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        82⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        83⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        84⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        85⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        86⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        87⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        88⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        89⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        90⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        91⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        92⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        93⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        94⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        95⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        96⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        97⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        98⤵
        
        PID:432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        99⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in Program Files directory
        
        PID:376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        100⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        101⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        102⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        103⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        104⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        105⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        106⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        107⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        108⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        109⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        110⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        111⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        112⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        113⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        114⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        115⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        116⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        117⤵
        
        PID:476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        118⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        119⤵
        
        PID:868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        120⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        121⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        122⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        123⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        124⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        125⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        126⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        127⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        128⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        129⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        130⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        131⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        132⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        133⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        134⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        135⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        136⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        137⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        138⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        139⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        140⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        141⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        142⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        143⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        144⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        145⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        146⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        147⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        148⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        149⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        150⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        151⤵
        
        PID:532
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        152⤵
        
        PID:476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        153⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        154⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        155⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        156⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        157⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        158⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        159⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        160⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        161⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        162⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        163⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        164⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        165⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        166⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        167⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        168⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        169⤵
        
        PID:740
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        170⤵
        Drops file in Program Files directory
        
        PID:3368
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        171⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        172⤵
        
        PID:852
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        173⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        174⤵
        
        PID:632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        175⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        176⤵
        
        PID:544
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        177⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        178⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        179⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        180⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        181⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        182⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        183⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        184⤵
        Checks computer location settings
        Drops file in Program Files directory
        
        PID:4596
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        185⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        186⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        187⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        188⤵
        
        PID:804
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        189⤵
        
        PID:764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        190⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        191⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        192⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        193⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        194⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        195⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        196⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        197⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        198⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        199⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        200⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        201⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        202⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        203⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        204⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        205⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        206⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        207⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        208⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        209⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        210⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        211⤵
        Checks computer location settings
        
        PID:2044
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        212⤵
        
        PID:432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        213⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        214⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        215⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        216⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        217⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        218⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        219⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        220⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        221⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        222⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        223⤵
        
        PID:228
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        224⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        225⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        226⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        227⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        228⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        229⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        230⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        231⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        232⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        233⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        234⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        235⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        236⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        237⤵
        
        PID:952
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        238⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        239⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        240⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        241⤵
        Adds Run key to start application
        
        PID:3172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        242⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        243⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        244⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        245⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        246⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        247⤵
        
        PID:532
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        248⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        249⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        250⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        251⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        252⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        253⤵
        
        PID:1060
- - C:\Windows\SysWOW64\srtsrv32.exe
    "C:\Windows\system32\srtsrv32.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5104
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        Executes dropped EXE
        
        PID:512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:1508
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4820
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4652
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4168
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:624
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        44⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        45⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        46⤵
        
        PID:376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        47⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        49⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        50⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        51⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        52⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        53⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        54⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        55⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        56⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        57⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        58⤵
        Executes dropped EXE
        
        PID:3632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        59⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        60⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        61⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        62⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        63⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        64⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        65⤵
        Checks computer location settings
        
        PID:2788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        66⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        67⤵
        
        PID:828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        68⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        69⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        70⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        71⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        72⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        73⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        74⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        75⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        76⤵
        Checks computer location settings
        
        PID:1772
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        77⤵
        
        PID:480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        78⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        79⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        80⤵
        
        PID:952
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        81⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        82⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        83⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        84⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        85⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        86⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        87⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        88⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        89⤵
        
        PID:752
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        90⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        91⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        92⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        93⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        94⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        95⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        96⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        97⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        98⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        99⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        100⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        101⤵
        
        PID:392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        102⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        103⤵
        
        PID:400
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        104⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        105⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        106⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        107⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        108⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        109⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        110⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        111⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        112⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        113⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        114⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        115⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        116⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        117⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        118⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        119⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        120⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        121⤵
        Checks computer location settings
        
        PID:4472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        122⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        123⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        124⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        125⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        126⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        127⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        128⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        129⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        130⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        131⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        132⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        133⤵
        
        PID:476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        134⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        135⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        136⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        137⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        138⤵
        
        PID:732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        139⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        140⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        141⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        142⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        143⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        144⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        145⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        146⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        147⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        148⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        149⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        150⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        151⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        152⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        153⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        154⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        155⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        156⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        157⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        158⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        159⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        160⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        161⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        162⤵
        Checks computer location settings
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:1096
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        163⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        164⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        165⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        166⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        167⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        168⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        169⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        170⤵
        
        PID:868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        171⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        172⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        173⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        174⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        175⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        176⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        177⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        178⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        179⤵
        
        PID:228
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        180⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        181⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        182⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        183⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        184⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        185⤵
        
        PID:912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        186⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        187⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        188⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        189⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        190⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        191⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        192⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        193⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        194⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        195⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        196⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        197⤵
        
        PID:940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        198⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        199⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        200⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        201⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3084
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        202⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        203⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        204⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        205⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        206⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        207⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        208⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        209⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        210⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        211⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        212⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        213⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        214⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        215⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        216⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        217⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        218⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        219⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        220⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        221⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        222⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        223⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        224⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        225⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        226⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        227⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        228⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        229⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        230⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        231⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        232⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        233⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        234⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        235⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        236⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        237⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        238⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        239⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        240⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        241⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        242⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        243⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        244⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        245⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        246⤵
        
        PID:748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        247⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        248⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        249⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        250⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        251⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        252⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        253⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        254⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        255⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        256⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        257⤵
        
        PID:432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        258⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        259⤵
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:1520
- - C:\Windows\SysWOW64\srtsrv32.exe
    "C:\Windows\system32\srtsrv32.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4740
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:752
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1708
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2332
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:664
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        Checks computer location settings
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        Adds Run key to start application
        
        PID:3544
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        
        PID:728
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2796
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        44⤵
        
        PID:116
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        45⤵
        
        PID:868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        46⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        47⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        48⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        49⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        50⤵
        
        PID:660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        51⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        52⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        53⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        54⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        55⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        56⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        57⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        58⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        59⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        60⤵
        
        PID:940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        61⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        62⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        63⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        64⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        65⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        66⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        67⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        68⤵
        
        PID:444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        69⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        70⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        71⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        72⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        73⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        74⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        75⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        76⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        77⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        78⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        79⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        80⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        81⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        82⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        83⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        84⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        85⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        86⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        87⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        88⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        89⤵
        
        PID:544
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        90⤵
        
        PID:392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        91⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        92⤵
        
        PID:376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        93⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        94⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        95⤵
        
        PID:964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        96⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        97⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        98⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        99⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        100⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        101⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        102⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        103⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        104⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        105⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        106⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        107⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        108⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        109⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        110⤵
        
        PID:632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        111⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        112⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        113⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        114⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        115⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        116⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        117⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        118⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        119⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        120⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        121⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        122⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        123⤵
        
        PID:720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        124⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        125⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        126⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        127⤵
        
        PID:824
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        128⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        129⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        130⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        131⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        132⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        133⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        134⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        135⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        136⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        137⤵
        
        PID:376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        138⤵
        
        PID:624
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        139⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        140⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4688
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        141⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2296
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        142⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        143⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        144⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        145⤵
        
        PID:828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        146⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        147⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        148⤵
        
        PID:748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        149⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        150⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        151⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        152⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        153⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        154⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        155⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        156⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        157⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        158⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        159⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        160⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        161⤵
        Drops file in Program Files directory
        
        PID:4980
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        162⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        163⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        164⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        165⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        166⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        167⤵
        
        PID:432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        168⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        169⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        170⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        171⤵
        
        PID:732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        172⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        173⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        174⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        175⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        176⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        177⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        178⤵
        
        PID:664
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        179⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        180⤵
        
        PID:392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        181⤵
        Drops file in Program Files directory
        
        PID:1072
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        182⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        183⤵
        
        PID:732
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        184⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        185⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        186⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        187⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        188⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        189⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        190⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        191⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        192⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        193⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        194⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        195⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        196⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        197⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        198⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        199⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        200⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        201⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        202⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        203⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        204⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        205⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        206⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        207⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        208⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        209⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        210⤵
        
        PID:964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        211⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        212⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        213⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        214⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        215⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        216⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        217⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        218⤵
        Adds Run key to start application
        Drops file in Program Files directory
        
        PID:4792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        219⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        220⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        221⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        222⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        223⤵
        
        PID:224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        224⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        225⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        226⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        227⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        228⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        229⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        230⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        231⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        232⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        233⤵
        Adds Run key to start application
        
        PID:1152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        234⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        235⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        236⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        237⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        238⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        239⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        240⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        241⤵
        
        PID:432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        242⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        243⤵
        
        PID:860
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        244⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        245⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        246⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        247⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        248⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        249⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        250⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        251⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        252⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        253⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        254⤵
        
        PID:984
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        255⤵
        
        PID:4848
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 1156
    3⤵
    - Program crash
    PID:4580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 392 -ip 392
1⤵
PID:4460

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-140-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/3268-130-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download