Analysis

Max time kernel: 153s
Max time network: 47s
Platform: windows7_x64
Resource: win7-20220812-en
Resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
Submitted: 06/11/2022, 10:45

Behavioral task: behavioral1
Sample: d3cd484173e0d36572da35c336448e315de7d4b23453c4d1e9e0dfaa213e70d1.exe
Resource: win7-20220812-en
7 signatures
150 seconds

Behavioral task: behavioral2
Sample: d3cd484173e0d36572da35c336448e315de7d4b23453c4d1e9e0dfaa213e70d1.exe
Resource: win10v2004-20220812-en
7 signatures
150 seconds
General

Target: d3cd484173e0d36572da35c336448e315de7d4b23453c4d1e9e0dfaa213e70d1.exe
Size: 254KB
MD5: 02ca579195d886766e1da94a8ea8b776
SHA1: 6b11def6329fb8f4a463082f102a550b12eb94a7
SHA256: d3cd484173e0d36572da35c336448e315de7d4b23453c4d1e9e0dfaa213e70d1
SHA512: 3fcf954cfc782a709626c98ae657a20a961c8f394e5a7d8ad779d5477f8e313e1d908a732180f7cd38d365e3dd445e75dc54932aec4816002d4c0275f01df44d
SSDEEP: 6144:XdPncWjs4SawEtjdkEwtmldEdl/ud+sYAdZNNMCZC74J:XZcKs4SegRIQTuJNNMCZC74J
Score: 8/10

Malware Config

Signatures
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Modifies registry class (64 IoCs)
Suspicious use of SetWindowsHookEx (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Each entry gives the depth in the process tree, the image path, the PID, the command line, and the signatures matched by that process.

Depth 1: C:\Users\Admin\AppData\Local\Temp\d3cd484173e0d36572da35c336448e315de7d4b23453c4d1e9e0dfaa213e70d1.exe (PID 1352)
Command line: "C:\Users\Admin\AppData\Local\Temp\d3cd484173e0d36572da35c336448e315de7d4b23453c4d1e9e0dfaa213e70d1.exe"
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 2: C:\Windows\SysWOW64\regsvr32.exe (PID 1716)
Command line: regsvr32.exe /s C:\Windows\system32\Mswinsck.ocx
- Loads dropped DLL
- Modifies registry class

Depth 2: C:\Windows\SysWOW64\regsvr32.exe (PID 1640)
Command line: regsvr32.exe /s C:\Windows\system32\Ntsvc.ocx
- Loads dropped DLL
- Modifies registry class

Depth 2: C:\Windows\SysWOW64\Lcass.exe (PID 1720)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 3: C:\Windows\SysWOW64\Lcass.exe (PID 240)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 4: C:\Windows\SysWOW64\Lcass.exe (PID 468)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 5: C:\Windows\SysWOW64\Lcass.exe (PID 1164)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 6: C:\Windows\SysWOW64\Lcass.exe (PID 868)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 7: C:\Windows\SysWOW64\Lcass.exe (PID 1048)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 8: C:\Windows\SysWOW64\Lcass.exe (PID 1868)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 9: C:\Windows\SysWOW64\Lcass.exe (PID 1952)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 10: C:\Windows\SysWOW64\Lcass.exe (PID 844)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 11: C:\Windows\SysWOW64\Lcass.exe (PID 1784)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 12: C:\Windows\SysWOW64\Lcass.exe (PID 1400)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 13: C:\Windows\SysWOW64\Lcass.exe (PID 1004)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Depth 14: C:\Windows\SysWOW64\Lcass.exe (PID 2036)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 15: C:\Windows\SysWOW64\Lcass.exe (PID 916)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 16: C:\Windows\SysWOW64\Lcass.exe (PID 964)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx

Depth 17: C:\Windows\SysWOW64\Lcass.exe (PID 1656)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 18: C:\Windows\SysWOW64\Lcass.exe (PID 1128)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 19: C:\Windows\SysWOW64\Lcass.exe (PID 268)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 20: C:\Windows\SysWOW64\Lcass.exe (PID 1620)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 21: C:\Windows\SysWOW64\Lcass.exe (PID 688)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 22: C:\Windows\SysWOW64\Lcass.exe (PID 1332)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 23: C:\Windows\SysWOW64\Lcass.exe (PID 1808)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 24: C:\Windows\SysWOW64\Lcass.exe (PID 1000)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 25: C:\Windows\SysWOW64\Lcass.exe (PID 768)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 26: C:\Windows\SysWOW64\Lcass.exe (PID 1676)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 27: C:\Windows\SysWOW64\Lcass.exe (PID 1256)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 28: C:\Windows\SysWOW64\Lcass.exe (PID 1644)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 29: C:\Windows\SysWOW64\Lcass.exe (PID 1780)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx

Depth 30: C:\Windows\SysWOW64\Lcass.exe (PID 532)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 31: C:\Windows\SysWOW64\Lcass.exe (PID 1512)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx

Depth 32: C:\Windows\SysWOW64\Lcass.exe (PID 1212)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 33: C:\Windows\SysWOW64\Lcass.exe (PID 892)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 34: C:\Windows\SysWOW64\Lcass.exe (PID 1704)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx

Depth 35: C:\Windows\SysWOW64\Lcass.exe (PID 1572)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 36: C:\Windows\SysWOW64\Lcass.exe (PID 908)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 37: C:\Windows\SysWOW64\Lcass.exe (PID 792)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 38: C:\Windows\SysWOW64\Lcass.exe (PID 1528)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 39: C:\Windows\SysWOW64\Lcass.exe (PID 1984)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx

Depth 40: C:\Windows\SysWOW64\Lcass.exe (PID 1628)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 41: C:\Windows\SysWOW64\Lcass.exe (PID 1592)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 42: C:\Windows\SysWOW64\Lcass.exe (PID 1160)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 43: C:\Windows\SysWOW64\Lcass.exe (PID 1924)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 44: C:\Windows\SysWOW64\Lcass.exe (PID 1956)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 45: C:\Windows\SysWOW64\Lcass.exe (PID 1256)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx

Depth 46: C:\Windows\SysWOW64\Lcass.exe (PID 688)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx

Depth 47: C:\Windows\SysWOW64\Lcass.exe (PID 968)
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx

Depth 48: C:\Windows\SysWOW64\Lcass.exe
Command line: C:\Windows\system32\Lcass.exe /i
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:956 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i49⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1060 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i50⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1608 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i51⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:960 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i53⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1764 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1528 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:568 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1324 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i57⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1920 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1144 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i59⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1052 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i60⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:916 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i61⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1824 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i62⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1812 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i63⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1928 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i64⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i65⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1984 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i66⤵PID:1704
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i67⤵PID:1736
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i68⤵PID:532
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i69⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i70⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i71⤵PID:844
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i72⤵PID:1296
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i73⤵PID:1612
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i74⤵PID:1940
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i75⤵PID:1784
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i76⤵PID:940
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i77⤵PID:1712
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i78⤵
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i79⤵PID:1120
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i80⤵
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i81⤵PID:1624
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i82⤵PID:912
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i83⤵PID:768
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i84⤵PID:1796
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i85⤵PID:1640
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i86⤵PID:1512
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i87⤵PID:1352
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i88⤵
- Drops file in System32 directory
PID:524 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i89⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i90⤵PID:1964
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i91⤵PID:1124
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i92⤵PID:1696
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i93⤵
- Drops file in System32 directory
PID:580 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i94⤵PID:992
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i95⤵
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i96⤵PID:1484
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i97⤵PID:636
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i98⤵PID:1056
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i99⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i100⤵PID:1952
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i101⤵PID:1572
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i102⤵PID:1720
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i103⤵PID:824
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i104⤵PID:628
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i105⤵PID:804
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i106⤵PID:240
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i107⤵PID:1780
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i108⤵PID:1000
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i109⤵
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i110⤵PID:1588
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i111⤵PID:304
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i112⤵PID:280
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i113⤵PID:1768
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i114⤵PID:468
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i115⤵PID:568
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i116⤵PID:956
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i117⤵PID:1048
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i118⤵PID:792
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i119⤵
- Drops file in System32 directory
PID:1348 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i120⤵
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i121⤵PID:1876
-
C:\Windows\SysWOW64\Lcass.exeC:\Windows\system32\Lcass.exe /i122⤵PID:1840
-