24a8ae0afc0fa09fd732d6ad5e8b8f16ebb631655ef150a6b69678d7cd2d302e

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d83ee4bb3af4c3064ea44ba7d36c054.exe
Size

4KB
MD5

1d83ee4bb3af4c3064ea44ba7d36c054
SHA1

07c40f4cae242cf1acafd28b2a4694b618832966
SHA256

24a8ae0afc0fa09fd732d6ad5e8b8f16ebb631655ef150a6b69678d7cd2d302e
SHA512

149a37a932d42d0a5db8a3fae0222d205efa54d619254f3377ea8961cce0e079dcc76ddb451699435715885fcfd480c94d8d1f452dfef7f6e08fa8077dc05a1b
SSDEEP

96:cbXhyzUyAmhgm9HtTb5EjSq9UeBPuXpPAN0Z4g45PylFo:cbXhG/A7mHfOPOOm5xwUFo

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2044	lsass.exe
2836	lsass.exe
2692	lsass.exe
2820	lsass.exe
2724	lsass.exe
2596	lsass.exe
3016	lsass.exe
1052	lsass.exe
1692	lsass.exe
2688	lsass.exe
1836	lsass.exe
2200	lsass.exe
2216	lsass.exe
1960	lsass.exe
1216	lsass.exe
2376	lsass.exe
604	lsass.exe
1508	lsass.exe
848	lsass.exe
408	lsass.exe
2412	lsass.exe
2520	lsass.exe
2464	lsass.exe
920	lsass.exe
1076	lsass.exe
2084	lsass.exe
572	lsass.exe
1812	lsass.exe
3012	lsass.exe
2136	lsass.exe
1624	lsass.exe
808	lsass.exe
2696	lsass.exe
2952	lsass.exe
2592	lsass.exe
2948	lsass.exe
2612	lsass.exe
2628	lsass.exe
2708	lsass.exe
2660	lsass.exe
3032	lsass.exe
880	lsass.exe
768	lsass.exe
2792	lsass.exe
1988	lsass.exe
1944	lsass.exe
1976	lsass.exe
2208	lsass.exe
2024	lsass.exe
2504	lsass.exe
3004	lsass.exe
2308	lsass.exe
2388	lsass.exe
3036	lsass.exe
544	lsass.exe
712	lsass.exe
596	lsass.exe
2164	lsass.exe
2508	lsass.exe
444	lsass.exe
844	lsass.exe
2020	lsass.exe
1868	lsass.exe
1028	lsass.exe

Loads dropped DLL 64 IoCs

pid	Process
2252	1d83ee4bb3af4c3064ea44ba7d36c054.exe
2252	1d83ee4bb3af4c3064ea44ba7d36c054.exe
2044	lsass.exe
2044	lsass.exe
2836	lsass.exe
2836	lsass.exe
2692	lsass.exe
2692	lsass.exe
2820	lsass.exe
2820	lsass.exe
2724	lsass.exe
2724	lsass.exe
2596	lsass.exe
2596	lsass.exe
3016	lsass.exe
3016	lsass.exe
1052	lsass.exe
1052	lsass.exe
1692	lsass.exe
1692	lsass.exe
2688	lsass.exe
2688	lsass.exe
1836	lsass.exe
1836	lsass.exe
2200	lsass.exe
2200	lsass.exe
2216	lsass.exe
2216	lsass.exe
1960	lsass.exe
1960	lsass.exe
1216	lsass.exe
1216	lsass.exe
2376	lsass.exe
2376	lsass.exe
604	lsass.exe
604	lsass.exe
604	lsass.exe
1508	lsass.exe
1508	lsass.exe
848	lsass.exe
848	lsass.exe
408	lsass.exe
408	lsass.exe
408	lsass.exe
2412	lsass.exe
2412	lsass.exe
2520	lsass.exe
2520	lsass.exe
2464	lsass.exe
2464	lsass.exe
920	lsass.exe
920	lsass.exe
1076	lsass.exe
1076	lsass.exe
2084	lsass.exe
2084	lsass.exe
572	lsass.exe
572	lsass.exe
1812	lsass.exe
1812	lsass.exe
3012	lsass.exe
3012	lsass.exe
2136	lsass.exe
2136	lsass.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	1d83ee4bb3af4c3064ea44ba7d36c054.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	conhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS-Outlook = "\"C:\\Windows\\system32\\dll\\lsass.exe\""	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	conhost.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\dll	Process not Found
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	Process not Found
File created	C:\Windows\SysWOW64\dll\lsass.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	conhost.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	conhost.exe
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\dll	Process not Found
File created	C:\Windows\SysWOW64\dll\lsass.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2044	2252	1d83ee4bb3af4c3064ea44ba7d36c054.exe	29
PID 2252 wrote to memory of 2044	2252	1d83ee4bb3af4c3064ea44ba7d36c054.exe	29
PID 2252 wrote to memory of 2044	2252	1d83ee4bb3af4c3064ea44ba7d36c054.exe	29
PID 2252 wrote to memory of 2044	2252	1d83ee4bb3af4c3064ea44ba7d36c054.exe	29
PID 2044 wrote to memory of 2836	2044	lsass.exe	31
PID 2044 wrote to memory of 2836	2044	lsass.exe	31
PID 2044 wrote to memory of 2836	2044	lsass.exe	31
PID 2044 wrote to memory of 2836	2044	lsass.exe	31
PID 2836 wrote to memory of 2692	2836	lsass.exe	33
PID 2836 wrote to memory of 2692	2836	lsass.exe	33
PID 2836 wrote to memory of 2692	2836	lsass.exe	33
PID 2836 wrote to memory of 2692	2836	lsass.exe	33
PID 2692 wrote to memory of 2820	2692	lsass.exe	35
PID 2692 wrote to memory of 2820	2692	lsass.exe	35
PID 2692 wrote to memory of 2820	2692	lsass.exe	35
PID 2692 wrote to memory of 2820	2692	lsass.exe	35
PID 2820 wrote to memory of 2724	2820	lsass.exe	37
PID 2820 wrote to memory of 2724	2820	lsass.exe	37
PID 2820 wrote to memory of 2724	2820	lsass.exe	37
PID 2820 wrote to memory of 2724	2820	lsass.exe	37
PID 2724 wrote to memory of 2596	2724	lsass.exe	39
PID 2724 wrote to memory of 2596	2724	lsass.exe	39
PID 2724 wrote to memory of 2596	2724	lsass.exe	39
PID 2724 wrote to memory of 2596	2724	lsass.exe	39
PID 2596 wrote to memory of 3016	2596	lsass.exe	41
PID 2596 wrote to memory of 3016	2596	lsass.exe	41
PID 2596 wrote to memory of 3016	2596	lsass.exe	41
PID 2596 wrote to memory of 3016	2596	lsass.exe	41
PID 3016 wrote to memory of 1052	3016	lsass.exe	43
PID 3016 wrote to memory of 1052	3016	lsass.exe	43
PID 3016 wrote to memory of 1052	3016	lsass.exe	43
PID 3016 wrote to memory of 1052	3016	lsass.exe	43
PID 1052 wrote to memory of 1692	1052	lsass.exe	45
PID 1052 wrote to memory of 1692	1052	lsass.exe	45
PID 1052 wrote to memory of 1692	1052	lsass.exe	45
PID 1052 wrote to memory of 1692	1052	lsass.exe	45
PID 1692 wrote to memory of 2688	1692	lsass.exe	47
PID 1692 wrote to memory of 2688	1692	lsass.exe	47
PID 1692 wrote to memory of 2688	1692	lsass.exe	47
PID 1692 wrote to memory of 2688	1692	lsass.exe	47
PID 2688 wrote to memory of 1836	2688	lsass.exe	49
PID 2688 wrote to memory of 1836	2688	lsass.exe	49
PID 2688 wrote to memory of 1836	2688	lsass.exe	49
PID 2688 wrote to memory of 1836	2688	lsass.exe	49
PID 1836 wrote to memory of 2200	1836	lsass.exe	51
PID 1836 wrote to memory of 2200	1836	lsass.exe	51
PID 1836 wrote to memory of 2200	1836	lsass.exe	51
PID 1836 wrote to memory of 2200	1836	lsass.exe	51
PID 2200 wrote to memory of 2216	2200	lsass.exe	53
PID 2200 wrote to memory of 2216	2200	lsass.exe	53
PID 2200 wrote to memory of 2216	2200	lsass.exe	53
PID 2200 wrote to memory of 2216	2200	lsass.exe	53
PID 2216 wrote to memory of 1960	2216	lsass.exe	55
PID 2216 wrote to memory of 1960	2216	lsass.exe	55
PID 2216 wrote to memory of 1960	2216	lsass.exe	55
PID 2216 wrote to memory of 1960	2216	lsass.exe	55
PID 1960 wrote to memory of 1216	1960	lsass.exe	57
PID 1960 wrote to memory of 1216	1960	lsass.exe	57
PID 1960 wrote to memory of 1216	1960	lsass.exe	57
PID 1960 wrote to memory of 1216	1960	lsass.exe	57
PID 1216 wrote to memory of 2376	1216	lsass.exe	59
PID 1216 wrote to memory of 2376	1216	lsass.exe	59
PID 1216 wrote to memory of 2376	1216	lsass.exe	59
PID 1216 wrote to memory of 2376	1216	lsass.exe	59

C:\Users\Admin\AppData\Local\Temp\1d83ee4bb3af4c3064ea44ba7d36c054.exe
"C:\Users\Admin\AppData\Local\Temp\1d83ee4bb3af4c3064ea44ba7d36c054.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\SysWOW64\dll\lsass.exe
  "C:\Windows\system32\dll\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\dll\lsass.exe
    "C:\Windows\system32\dll\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\dll\lsass.exe
      "C:\Windows\system32\dll\lsass.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2820
      - C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2376
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:604
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:848
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:408
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2412
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2520
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2464
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:920
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1076
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2084
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:572
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1812
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3012
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2136
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        32⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        33⤵
        Executes dropped EXE
        
        PID:808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        34⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        35⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        36⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        37⤵
        Executes dropped EXE
        
        PID:2948
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        38⤵
        Executes dropped EXE
        
        PID:2612
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        39⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        40⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        41⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        42⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        43⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        44⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        45⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        46⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        47⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1944
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        48⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        50⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2024
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        52⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        53⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        54⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        55⤵
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        56⤵
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        57⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        58⤵
        Executes dropped EXE
        
        PID:596
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        59⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        60⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        61⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        62⤵
        Executes dropped EXE
        
        PID:844
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        63⤵
        Executes dropped EXE
        
        PID:2020
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        64⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        65⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        66⤵
        
        PID:588
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        67⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        68⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        69⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        70⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        71⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        72⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        73⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        74⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        75⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        76⤵
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        77⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        78⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        79⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        80⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        81⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        82⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        83⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        43⤵
        Drops file in System32 directory
        
        PID:1764
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        44⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        21⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        22⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        23⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        24⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        25⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        26⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        27⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        28⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        29⤵
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        30⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        31⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        32⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        33⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        34⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        35⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        36⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        37⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        38⤵
        Adds Run key to start application
        
        PID:2820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        39⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        40⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        41⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        42⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        43⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        44⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        45⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        46⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        47⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        48⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        49⤵
        Adds Run key to start application
        
        PID:2488
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        50⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        51⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        52⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        53⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        54⤵
        
        PID:928
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        55⤵
        
        PID:608
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        56⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        57⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        58⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        59⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        60⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        61⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        62⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        63⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        64⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        65⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        66⤵
        
        PID:972
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        67⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        68⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        69⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        70⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        71⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        72⤵
        
        PID:896
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        73⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        74⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        75⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        76⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        77⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        78⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        79⤵
        Adds Run key to start application
        
        PID:2744
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        80⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        81⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        82⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        83⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        84⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        85⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        86⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        87⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        88⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        89⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        90⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        91⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        92⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        93⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        94⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        95⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        96⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        97⤵
        Adds Run key to start application
        
        PID:268
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        98⤵
        Drops file in System32 directory
        
        PID:788
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        99⤵
        
        PID:916
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        100⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        101⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        102⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        103⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        104⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        105⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        106⤵
        Adds Run key to start application
        
        PID:1512
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        107⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        108⤵
        
        PID:588
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        109⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        110⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        111⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        112⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        113⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        114⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        115⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        116⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        117⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        118⤵
        Adds Run key to start application
        
        PID:808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        119⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        120⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        121⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        122⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        123⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        124⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        125⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        126⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        127⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        128⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        129⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        130⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        131⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        132⤵
        
        PID:328
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        133⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        134⤵
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        135⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        136⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        137⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        138⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        139⤵
        
        PID:560
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        140⤵
        
        PID:400
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        141⤵
        
        PID:788
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        142⤵
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        143⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        144⤵
        
        PID:604
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        145⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        146⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        147⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        148⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        149⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        150⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        151⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        152⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        153⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        154⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        155⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        156⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        157⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        158⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        159⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        160⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        161⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        162⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        163⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2704
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        164⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        165⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        166⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        167⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        168⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        169⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        170⤵
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        171⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        172⤵
        Adds Run key to start application
        
        PID:2104
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        173⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        174⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        175⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        176⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        177⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        178⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        179⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        180⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        181⤵
        
        PID:608
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        182⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        183⤵
        
        PID:400
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        184⤵
        
        PID:788
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        185⤵
        
        PID:916
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        186⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        187⤵
        Drops file in System32 directory
        
        PID:604
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        188⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        189⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        190⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        191⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        192⤵
        
        PID:920
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        193⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        194⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        195⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        196⤵
        
        PID:856
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        197⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        198⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        199⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        200⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        201⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        202⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        203⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        204⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        205⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        206⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        207⤵
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        208⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        209⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        210⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        211⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        212⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        213⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        214⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        215⤵
        Adds Run key to start application
        
        PID:2912
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        216⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        217⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        218⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        219⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        220⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        221⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        222⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        223⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        224⤵
        
        PID:652
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        225⤵
        
        PID:580
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        226⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        227⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        228⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        229⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        230⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        231⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        232⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        233⤵
        Adds Run key to start application
        
        PID:1852
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        234⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        235⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        236⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        237⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        238⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        239⤵
        
        PID:896
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        240⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        241⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        242⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        243⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        244⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        245⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        246⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        247⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        248⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        249⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        250⤵
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        251⤵
        
        PID:496
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        252⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        253⤵
        
        PID:556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        254⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        255⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        256⤵
        Adds Run key to start application
        
        PID:2104
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        257⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        258⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        259⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        260⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        261⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        262⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        263⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        264⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        265⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        266⤵
        Adds Run key to start application
        
        PID:652
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        267⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        268⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        269⤵
        
        PID:916
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        270⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        271⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        272⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        273⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        274⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        275⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        276⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        277⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        278⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        279⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        280⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        281⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        282⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        283⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        284⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        285⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        286⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        287⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        288⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        289⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        290⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        291⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        292⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        293⤵
        Adds Run key to start application
        
        PID:1988
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        294⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        295⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        296⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        297⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        298⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        299⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        300⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        301⤵
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        302⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        303⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        304⤵
        
        PID:596
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        305⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        306⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        307⤵
        Adds Run key to start application
        
        PID:444
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        308⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        309⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        310⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        311⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        312⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        313⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        314⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        315⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        316⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        317⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        318⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        319⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        320⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        321⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        322⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        323⤵
        Adds Run key to start application
        
        PID:2720
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        324⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        325⤵
        Adds Run key to start application
        
        PID:1328
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        326⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        327⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        328⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        329⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        330⤵
        
        PID:864
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        331⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        332⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        333⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        334⤵
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        335⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        336⤵
        Adds Run key to start application
        
        PID:3020
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        337⤵
        
        PID:688
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        338⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        339⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        340⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        341⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        342⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        343⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        344⤵
        
        PID:964
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        345⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        346⤵
        
        PID:844
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        347⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        348⤵
        
        PID:852
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        349⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        350⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        351⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        352⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        353⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        354⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        355⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        356⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        357⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        358⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        359⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        360⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        361⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        362⤵
        
        PID:320
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        363⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        364⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        365⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        366⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        367⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        368⤵
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        369⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        370⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        371⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        372⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        373⤵
        
        PID:544
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        374⤵
        
        PID:820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        375⤵
        
        PID:580
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        376⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        377⤵
        Adds Run key to start application
        
        PID:408
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        378⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        379⤵
        Drops file in System32 directory
        
        PID:1828
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        380⤵
        Drops file in System32 directory
        
        PID:1556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        381⤵
        
        PID:964
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        382⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        383⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        384⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        385⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        386⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        387⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        388⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        389⤵
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        390⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        391⤵
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        392⤵
        
        PID:808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        393⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        394⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        395⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        396⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        397⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        398⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        399⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        400⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        401⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        402⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        403⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        404⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        405⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        406⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        407⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        408⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        409⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        410⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        411⤵
        
        PID:600
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        412⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        413⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        414⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        415⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        416⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        417⤵
        
        PID:628
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        418⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        419⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        420⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        421⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        422⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        423⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        424⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        425⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        426⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        427⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        428⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        429⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        430⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        431⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        432⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        433⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        434⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        435⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        436⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        437⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        438⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        439⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        440⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        441⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        442⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        443⤵
        
        PID:820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        444⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        445⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        446⤵
        Adds Run key to start application
        
        PID:1508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        447⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        448⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        449⤵
        Adds Run key to start application
        
        PID:1040
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        450⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        451⤵
        
        PID:920
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        452⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        453⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        454⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        455⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        456⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        457⤵
        Adds Run key to start application
        
        PID:1056
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        458⤵
        Adds Run key to start application
        
        PID:1736
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        459⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        460⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        461⤵
        
        PID:856
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        462⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        463⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        464⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        465⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        466⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        467⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        468⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        469⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        470⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        471⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        472⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        473⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        474⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        475⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        476⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        477⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        478⤵
        
        PID:580
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        479⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        480⤵
        
        PID:604
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        481⤵
        Drops file in System32 directory
        
        PID:2112
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        482⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        483⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        484⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        485⤵
        
        PID:772
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        486⤵
        
        PID:628
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        487⤵
        
        PID:948
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        488⤵
        Adds Run key to start application
        
        PID:1628
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        489⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        490⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        491⤵
        Drops file in System32 directory
        
        PID:2840
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        492⤵
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        493⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        494⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        495⤵
        
        PID:900
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        496⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        497⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        498⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        499⤵
        
        PID:676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        500⤵
        
        PID:556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        501⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        502⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        503⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        504⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        505⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        506⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        507⤵
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        508⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        509⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        510⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        511⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        512⤵
        
        PID:652
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        513⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        514⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        515⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        516⤵
        
        PID:600
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        517⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        518⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        519⤵
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        520⤵
        Drops file in System32 directory
        
        PID:108
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        521⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        522⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        523⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        524⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        525⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        526⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        527⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        528⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        529⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        530⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        531⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        532⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        533⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        534⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        535⤵
        
        PID:676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        536⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        537⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        538⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        539⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        540⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        541⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        542⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        543⤵
        
        PID:544
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        544⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        545⤵
        
        PID:400
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        546⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        547⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        548⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        549⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        550⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        551⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        552⤵
        Drops file in System32 directory
        
        PID:780
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        553⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        554⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        555⤵
        
        PID:572
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        556⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        557⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        558⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        559⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        560⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        561⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        562⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        563⤵
        
        PID:808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        564⤵
        
        PID:972
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        565⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        566⤵
        
        PID:356
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        567⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        568⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        569⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        570⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        571⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        572⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        573⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        574⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        575⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        576⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        577⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        578⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        579⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        580⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        581⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        582⤵
        
        PID:408
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        583⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        584⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        585⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        586⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        587⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        588⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        589⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        590⤵
        
        PID:572
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        591⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        592⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        593⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        594⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        595⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        596⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        597⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        598⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        599⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        600⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        601⤵
        Adds Run key to start application
        
        PID:2720
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        602⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        603⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        604⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        605⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        606⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        607⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        608⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        609⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        610⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        611⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        612⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        613⤵
        
        PID:560
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        614⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        615⤵
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        616⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        617⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        618⤵
        
        PID:600
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        619⤵
        
        PID:588
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        620⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        621⤵
        
        PID:108
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        622⤵
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        623⤵
        
        PID:960
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        624⤵
        
        PID:712
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        625⤵
        
        PID:572
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        626⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        627⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        628⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        629⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        630⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        631⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        632⤵
        
        PID:972
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        633⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        634⤵
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        635⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        636⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        637⤵
        
        PID:320
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        638⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        639⤵
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        640⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        641⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        642⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        643⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        644⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        645⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        646⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        647⤵
        
        PID:820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        648⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        649⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        650⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        651⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        652⤵
        Drops file in System32 directory
        
        PID:1444
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        653⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        654⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        655⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        656⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        657⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        658⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        659⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        660⤵
        Adds Run key to start application
        
        PID:1812
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        661⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        662⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        663⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        664⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        665⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        666⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        667⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        668⤵
        
        PID:772
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        669⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        670⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        671⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        672⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        673⤵
        
        PID:676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        674⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        675⤵
        Adds Run key to start application
        
        PID:2808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        676⤵
        
        PID:864
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        677⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        678⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        679⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        680⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        681⤵
        
        PID:688
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        682⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        683⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        684⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        685⤵
        Adds Run key to start application
        
        PID:1100
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        686⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        687⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        688⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        689⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        690⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        691⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        692⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        693⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        694⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        695⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        696⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        697⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        698⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        699⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        700⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        701⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        702⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        703⤵
        
        PID:808
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        704⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        705⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        706⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        707⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        708⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        709⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        710⤵
        
        PID:676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        711⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        712⤵
        
        PID:328
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        713⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        714⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        715⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        716⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        717⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        718⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        719⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        720⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        721⤵
        
        PID:916
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        722⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        723⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        724⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        725⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        726⤵
        
        PID:588
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        727⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        728⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        729⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        730⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        731⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        732⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        733⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        734⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        735⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        736⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        737⤵
        Adds Run key to start application
        
        PID:1564
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        738⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        739⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        740⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        741⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        742⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        743⤵
        
        PID:496
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        744⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        745⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        746⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        747⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        748⤵
        
        PID:768
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        749⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        750⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        751⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        752⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        753⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        754⤵
        
        PID:688
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        755⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        756⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        757⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        758⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        759⤵
        
        PID:916
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        760⤵
        
        PID:788
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        761⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        762⤵
        
        PID:844
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        763⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        764⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        765⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        766⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        767⤵
        Drops file in System32 directory
        
        PID:1124
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        768⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        769⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        770⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        771⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        772⤵
        
        PID:780
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        773⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        774⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        775⤵
        
        PID:856
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        776⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        777⤵
        
        PID:972
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        778⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        779⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        780⤵
        
        PID:880
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        781⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        782⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        783⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        784⤵
        
        PID:676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        785⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        786⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        787⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        788⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        789⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        790⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        791⤵
        
        PID:484
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        792⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        793⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        794⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        795⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        796⤵
        
        PID:916
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        797⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        798⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        799⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        800⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        801⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        802⤵
        
        PID:628
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        803⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        804⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        805⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        806⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        807⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        808⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        809⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        810⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        811⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        812⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        813⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        814⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        815⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        816⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        817⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        818⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        819⤵
        Drops file in System32 directory
        
        PID:1272
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        820⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        821⤵
        Adds Run key to start application
        
        PID:2004
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        822⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        823⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        824⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        825⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        826⤵
        Adds Run key to start application
        
        PID:2296
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        827⤵
        
        PID:652
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        828⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        829⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        830⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        831⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        832⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        833⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        834⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        835⤵
        
        PID:588
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        836⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        837⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        838⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        839⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        840⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        841⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        842⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        843⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        844⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        845⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        846⤵
        Adds Run key to start application
        
        PID:1728
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        847⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        848⤵
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        849⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        850⤵
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        851⤵
        Adds Run key to start application
        
        PID:1032
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        852⤵
        
        PID:556
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        853⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        854⤵
        Adds Run key to start application
        
        PID:2608
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        855⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        856⤵
        
        PID:864
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        857⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        858⤵
        
        PID:768
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        859⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        860⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        861⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        862⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        863⤵
        
        PID:820
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        864⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        865⤵
        
        PID:652
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        866⤵
        Drops file in System32 directory
        
        PID:484
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        867⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        868⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        869⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        870⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        871⤵
        
        PID:844
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        872⤵
        
        PID:600
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        873⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        874⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        875⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        876⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\dll\lsass.exe
        
        "C:\Windows\system32\dll\lsass.exe"
        877⤵
        
        PID:1672

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:1768
- C:\Windows\SysWOW64\dll\lsass.exe
  "C:\Windows\system32\dll\lsass.exe"
  2⤵
  - Drops file in System32 directory
  PID:2312

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:2504
- C:\Windows\SysWOW64\dll\lsass.exe
  "C:\Windows\system32\dll\lsass.exe"
  2⤵
  PID:2268

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:848

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:2896

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:2512

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:1400

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:484

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:1312

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:2144

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:2224

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:1992

C:\Windows\SysWOW64\dll\lsass.exe
"C:\Windows\system32\dll\lsass.exe"
1⤵
PID:1800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1607456505-1567900341-1567921168-94679192221013569511091880905-1182088433117377312"
1⤵
- Adds Run key to start application
PID:2672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-426950752-238003074-2052140212-118855087112271945511026605671679055635433207738"
1⤵
PID:2224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "905408316538231332-1561823912-169091124632482335712353460331685244387-2066949796"
1⤵
PID:2868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4227510296743643411794286526-966429406-2837533111865903457-966627657-1005571129"
1⤵
PID:2864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-31707622121207856541367311-4479242521590111005-19793840691725766181-972728673"
1⤵
PID:2844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-807414305-1103152581183005256334003409014071254581123661769-1728597005856830976"
1⤵
PID:2200

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "194392049920686139131299327560-1373178665-1476863390-324115269275086907-470011091"
1⤵
- Drops file in System32 directory
PID:1960

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1335350512-20202773420707698981506459781-1620362321616548663-2140062071-702917245"
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "250678922-1051305857-14106449481720811490-1083214412-1779663687-1126600026-1729018405"
1⤵
PID:1064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1221076011608703596-644336909-543891491-34263743-2136351371-850500268670841287"
1⤵
PID:2828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1335369918-931402667-1934485119-1370071617-13868564214468881110448887641103741525"
1⤵
- Adds Run key to start application
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "90568221-519809587-34591483618253989021670649276-1948986954-15481826311504741191"
1⤵
PID:2684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-56526130018604433697253038720612050362126697849-1881169189653178962903683670"
1⤵
- Drops file in System32 directory
PID:1940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-155440790911682370521376786464-396377742223214081216383585-227312805558251825"
1⤵
PID:2056

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "497937081543939036-934671412-153867115888702752-692544963-12498456641235111539"
1⤵
PID:1968

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14053072209673988222011470033-103399452827692241458748363-902816735130624589"
1⤵
PID:808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1296367086120389503-656862744-809283194935135714-625722797-282331176-975676032"
1⤵
PID:1972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-726956714-14590058362031711343-116308774-1634380183-877725423344125033-129976710"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19414070145919100162007154694-2009889224-144481454620961159831851415410-1708103953"
1⤵
PID:1984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1409120074116838180517677153172536708481392537473-1960492808-1950015942674553015"
1⤵
PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1651485050-580707565-1485786188-9120784741226482003-1387289770-3822092231615397761"
1⤵
PID:1036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1351932695163625340671568410-1626754206-1925037226-644732217801572556-205967088"
1⤵
PID:1648

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-109657988-11118938692010451978992351280-1962170739-1760180169482014692115930201"
1⤵
PID:1336

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1928878422168349434111041586061696633217376555060-290414974-1325994310-1460324099"
1⤵
PID:1344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16941100-190333392389851818-430251158-880915083-1328540363-2057031058-2005113662"
1⤵
PID:1988

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "579118226-89400226747301791218630443-649456436996022586-2433052631510405956"
1⤵
- Adds Run key to start application
PID:2236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "218639897-1348649226-20518237644416901752130645364-1944651756661716232-217703298"
1⤵
PID:820

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1505525408-100467636811781339661262384383502374287-1081162672-1317898799-1084669872"
1⤵
PID:604

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-112579459167359920713655019-1891449181070035547-5291844732119839880225350961"
1⤵
PID:1548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1113593590-1356002614-1040035363342851543918677591816638370-744061579-1602056541"
1⤵
PID:2216

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1247104266170980106914172572941317252002-1547515084-1664340047-137434898-288617824"
1⤵
- Drops file in System32 directory
PID:2860

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1643568217-20626549582063342721-88691156204882716611085929941963438259-966931560"
1⤵
PID:556

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-124791998511982075858671197721474770189176551689510216257731834417539-309385433"
1⤵
PID:2284

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20467094061822459345-1874767921780426593806649142-558875768235993631406003220"
1⤵
PID:808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8135733882038856002-19051604331192582130139711195824687409-1156987286608558287"
1⤵
PID:2444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11913806351825212453-1091070061-665985835180367193-1760132121-332417676403197092"
1⤵
- Adds Run key to start application
PID:400

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1441016916-648877910609427858497215449-1555004665-784868747525027341-347750913"
1⤵
PID:2204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1327045856286208057-1934184062-8811976401854603604-7796068021437750495-1261309365"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1336668983-1779582984-75183069514139245396753672642028621582725943-2055612029"
1⤵
PID:408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-826309576302786794-86734781711460938728208836838635653742502190821369986762"
1⤵
PID:1612

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "254461833-1376041262622070776-890324201-1492201814-891680470-1868374560-1594226243"
1⤵
PID:2704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19988027081401583776660464580-1095723419-4519998201801076646211517107-645397394"
1⤵
- Adds Run key to start application
PID:2632

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-346517529397799978685005984-785908920845745022071875426-1640547399-1603739009"
1⤵
PID:2796

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1833857122-260227608-1900651812-360264039-12914151411918637482-1987503456271094039"
1⤵
PID:2580

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17196612091676417198-1685264947-753896518-20426177672026146337-1949336652-782885066"
1⤵
PID:320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2033310621-318892250101251211620965976491829486701-1690760829-1858892374-1431505227"
1⤵
PID:2688

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1673786402442643605-2745693501407765119-1235661840-931079086-382105681955016506"
1⤵
PID:2540

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-944052916-429522544147617952090902157-20238671901112057027-1533136962-1167488686"
1⤵
PID:1524

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12966927132013522925-427059373875375558410362296-858078094-5528968341554022056"
1⤵
PID:2160

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-676501410176943019486014755214972094241318497122111230799-350725413-2087658174"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-605838193142222901517796466-12076420802382540921304821022-1964774293-65760226"
1⤵
PID:1836

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14107023602010042599-18351238134278306631618769292-668958759-8437556282142656230"
1⤵
PID:1148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13625580821225240690-22706159216607406111515696603173905005111049797131679346598"
1⤵
PID:1940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1816389718-9112680591355305830-141185833214587773259630577375090991812096975360"
1⤵
PID:1528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1071225651942270513-1415576010-391670928294124851333600974-3370795491973424324"
1⤵
PID:2752

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2147329763-398485941-368407408-6221929271817709301170708675-12671231-1773860193"
1⤵
PID:2544

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14378837141471988519151081263-1848436943-1150978380-11914947701120491967674396123"
1⤵
PID:1492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "474445036-1186207332-7132029741036682411397823064-182135149515126362441359311516"
1⤵
PID:2168

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-405813896380575523-1471968893-1544690038-988340647-19771966661907939051-1530980167"
1⤵
PID:3064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2023599798-2118141663-1444305674754857711736121804-20745593551055799616-372277144"
1⤵
PID:2868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-861526053-982011700-408302180-877770297-831886601-1113353838-14150094161807674735"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "841326442736802159961361002-2028858265-3882331-808728089-2288535231218761417"
1⤵
PID:972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13581887831872331216108408998617188306412024593486-591972233-20971342711468151646"
1⤵
PID:1824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "129069918-13430203441110104972-7312306582961194031211453166707277431-1295476268"
1⤵
PID:1596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5197622751669932505466415110-57858418916298550011072868432-505048146-1366655495"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "20751064158515409231025998733-2005093226-15090209971521186848427255069-978482645"
1⤵
- Adds Run key to start application
PID:2268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "659954322-1890753373138846982721003765211886777784803556324-1524853696-1062948159"
1⤵
PID:1748

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-154666234-3648389212088115690561915890-15778840202027102053-640634400-181866925"
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dll\lsass.exe

Filesize
4KB

MD5
1d83ee4bb3af4c3064ea44ba7d36c054

SHA1
07c40f4cae242cf1acafd28b2a4694b618832966

SHA256
24a8ae0afc0fa09fd732d6ad5e8b8f16ebb631655ef150a6b69678d7cd2d302e

SHA512
149a37a932d42d0a5db8a3fae0222d205efa54d619254f3377ea8961cce0e079dcc76ddb451699435715885fcfd480c94d8d1f452dfef7f6e08fa8077dc05a1b

Download Submit
memory/408-114-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/408-111-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/408-115-0x0000000000450000-0x0000000000452000-memory.dmp

Filesize
8KB

Download
memory/408-126-0x0000000000450000-0x0000000000457000-memory.dmp

Filesize
28KB

Download
memory/408-116-0x0000000000450000-0x0000000000457000-memory.dmp

Filesize
28KB

Download
memory/444-183-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/444-174-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/444-175-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/544-166-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/572-128-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/604-100-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/712-177-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/712-168-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/768-153-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/848-109-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/848-232-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/920-122-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1028-181-0x00000000004A0000-0x00000000004A7000-memory.dmp

Filesize
28KB

Download
memory/1076-124-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1216-90-0x00000000026E0000-0x00000000026E7000-memory.dmp

Filesize
28KB

Download
memory/1216-89-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1272-193-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1400-226-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1508-123-0x0000000000490000-0x0000000000497000-memory.dmp

Filesize
28KB

Download
memory/1508-106-0x0000000000490000-0x0000000000497000-memory.dmp

Filesize
28KB

Download
memory/1508-104-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1624-138-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1676-240-0x00000000004A0000-0x00000000004A7000-memory.dmp

Filesize
28KB

Download
memory/1692-82-0x0000000001D80000-0x0000000001D87000-memory.dmp

Filesize
28KB

Download
memory/1692-57-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1692-59-0x0000000001D80000-0x0000000001D87000-memory.dmp

Filesize
28KB

Download
memory/1740-244-0x00000000026E0000-0x00000000026E7000-memory.dmp

Filesize
28KB

Download
memory/1764-207-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1836-68-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1852-238-0x0000000000310000-0x0000000000317000-memory.dmp

Filesize
28KB

Download
memory/1868-179-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1944-156-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1944-157-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/1992-212-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1992-214-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2044-18-0x00000000004A0000-0x00000000004A7000-memory.dmp

Filesize
28KB

Download
memory/2044-12-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2044-17-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2044-55-0x00000000004A0000-0x00000000004A7000-memory.dmp

Filesize
28KB

Download
memory/2100-185-0x0000000000390000-0x0000000000397000-memory.dmp

Filesize
28KB

Download
memory/2136-132-0x00000000004A0000-0x00000000004A7000-memory.dmp

Filesize
28KB

Download
memory/2136-131-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2144-221-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2164-172-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/2164-170-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/2164-171-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2216-81-0x00000000005B0000-0x00000000005B7000-memory.dmp

Filesize
28KB

Download
memory/2216-79-0x00000000005B0000-0x00000000005B7000-memory.dmp

Filesize
28KB

Download
memory/2252-11-0x0000000000830000-0x0000000000837000-memory.dmp

Filesize
28KB

Download
memory/2252-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2252-9-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2376-94-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2376-96-0x0000000001C80000-0x0000000001C87000-memory.dmp

Filesize
28KB

Download
memory/2404-235-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2404-233-0x00000000004A0000-0x00000000004A2000-memory.dmp

Filesize
8KB

Download
memory/2412-118-0x0000000000360000-0x0000000000367000-memory.dmp

Filesize
28KB

Download
memory/2412-117-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2464-121-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/2464-120-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2504-219-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2512-228-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2520-119-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2596-41-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2596-42-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/2596-44-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/2612-146-0x00000000004A0000-0x00000000004A7000-memory.dmp

Filesize
28KB

Download
memory/2672-200-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/2688-64-0x0000000001CC0000-0x0000000001CC7000-memory.dmp

Filesize
28KB

Download
memory/2688-63-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2692-28-0x00000000004A0000-0x00000000004A7000-memory.dmp

Filesize
28KB

Download
memory/2692-27-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2704-195-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2704-197-0x0000000000840000-0x0000000000847000-memory.dmp

Filesize
28KB

Download
memory/2708-148-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2708-149-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/2724-38-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/2724-69-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/2724-37-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2724-203-0x0000000000840000-0x0000000000847000-memory.dmp

Filesize
28KB

Download
memory/2788-209-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2820-31-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2820-33-0x0000000000490000-0x0000000000497000-memory.dmp

Filesize
28KB

Download
memory/2836-22-0x00000000026E0000-0x00000000026E7000-memory.dmp

Filesize
28KB

Download
memory/2836-60-0x00000000026E0000-0x00000000026E7000-memory.dmp

Filesize
28KB

Download
memory/2836-21-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2896-229-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2952-142-0x00000000003D0000-0x00000000003D7000-memory.dmp

Filesize
28KB

Download
memory/2952-141-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3012-130-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3016-49-0x0000000001C80000-0x0000000001C87000-memory.dmp

Filesize
28KB

Download
memory/3016-75-0x0000000001C80000-0x0000000001C87000-memory.dmp

Filesize
28KB

Download
memory/3032-151-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads