fakeav | b0131586915d3fcdc871af8ae4cda2bf474a247f6d89582abe3dfc9237b1cba4

Analysis

max time kernel
150s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2024 07:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69cc52208b7ee6dd79cd0d9bf380c8a7.exe
Size

2.8MB
MD5

69cc52208b7ee6dd79cd0d9bf380c8a7
SHA1

4bc340f26b7fc829489bea3b10959bf590b3677d
SHA256

b0131586915d3fcdc871af8ae4cda2bf474a247f6d89582abe3dfc9237b1cba4
SHA512

e1c96ed559bc63e6a2746f2f93c23e8d1f41159c71ccc09cc520ebcc7ded5dc73ec11bd5cd8316d3d695fa5d81332cd3fb56fae6b818faa2d5173b5b44196247
SSDEEP

49152:67N1ahCh0V7N1ahCi0V7N1ahCL0V7N1ahChs:67U7P7+7S

Score

10^/10

fakeav fakeav persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav

FakeAV payload 3 IoCs

fakeav spyware

resource	yara_rule
behavioral2/memory/2556-491-0x0000000000400000-0x00000000004C1000-memory.dmp	fakeav
behavioral2/memory/2412-27-0x0000000000400000-0x00000000004C1000-memory.dmp	fakeav
behavioral2/files/0x0006000000023215-25.dat	fakeav

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	srtsrv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	srtsrv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	srtsrv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	srtsrv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	srtsrv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	Process not Found

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	srtsrv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	srtsrv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	srtsrv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	srtsrv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
3284	srtsrv32.exe
2556	LSASSMGR.EXE
2512	LSASSMGR.EXE
3676	LSASSMGR.EXE
4172	Process not Found
4700	srtsrv32.exe
1592	LSASSMGR.EXE
1584	srtsrv32.exe
1348	srtsrv32.exe
4792	Process not Found
2276	Process not Found
2880	Process not Found
3628	LSASSMGR.EXE
2076	LSASSMGR.EXE
1388	Process not Found
4848	Process not Found
3416	Process not Found
4948	LSASSMGR.EXE
1272	Process not Found
3272	Process not Found
1180	Process not Found
1500	Process not Found
1020	Process not Found
3676	Process not Found
1904	Process not Found
2320	Process not Found
3608	LSASSMGR.EXE
4680	Process not Found
2488	LSASSMGR.EXE
408	Process not Found
3684	Process not Found
2852	Process not Found
2624	Process not Found
1932	Process not Found
4536	LSASSMGR.EXE
5100	Process not Found
736	Process not Found
3964	LSASSMGR.EXE
4712	Process not Found
1388	Process not Found
3708	LSASSMGR.EXE
5060	Process not Found
3432	Process not Found
4832	Process not Found
3896	Process not Found
1576	Process not Found
2992	Process not Found
4144	Process not Found
3868	Process not Found
4788	Process not Found
4716	Process not Found
3532	Process not Found
1592	Process not Found
4164	Process not Found
4392	Process not Found
1132	Process not Found
1644	Process not Found
1280	Process not Found
836	Process not Found
4804	Process not Found
4304	Process not Found
2532	Process not Found
2232	Process not Found
4712	Process not Found

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\lssmon.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	srtsrv32.exe
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	srtsrv32.exe
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\srtsrv32.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	srtsrv32.exe
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	srtsrv32.exe
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\lssmon.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	srtsrv32.exe
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found
File created	C:\Windows\SysWOW64\lssmon.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	Process not Found
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	Process not Found

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Internet Explorer\iexplor.exe	srtsrv32.exe
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	srtsrv32.exe
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	srtsrv32.exe
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	Process not Found
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	Process not Found
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\divx32.dll	LSASSMGR.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2280	2556	WerFault.exe	198

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3284	2412	LSASSMGR.EXE	914
PID 2412 wrote to memory of 3284	2412	LSASSMGR.EXE	914
PID 2412 wrote to memory of 3284	2412	LSASSMGR.EXE	914
PID 2412 wrote to memory of 2556	2412	LSASSMGR.EXE	198
PID 2412 wrote to memory of 2556	2412	LSASSMGR.EXE	198
PID 2412 wrote to memory of 2556	2412	LSASSMGR.EXE	198
PID 3284 wrote to memory of 2512	3284	srtsrv32.exe	1024
PID 3284 wrote to memory of 2512	3284	srtsrv32.exe	1024
PID 3284 wrote to memory of 2512	3284	srtsrv32.exe	1024
PID 2512 wrote to memory of 3676	2512	Process not Found	1111
PID 2512 wrote to memory of 3676	2512	Process not Found	1111
PID 2512 wrote to memory of 3676	2512	Process not Found	1111
PID 3676 wrote to memory of 4172	3676	LSASSMGR.EXE	1234
PID 3676 wrote to memory of 4172	3676	LSASSMGR.EXE	1234
PID 3676 wrote to memory of 4172	3676	LSASSMGR.EXE	1234
PID 2556 wrote to memory of 4700	2556	Process not Found	910
PID 2556 wrote to memory of 4700	2556	Process not Found	910
PID 2556 wrote to memory of 4700	2556	Process not Found	910
PID 4172 wrote to memory of 1592	4172	Process not Found	909
PID 4172 wrote to memory of 1592	4172	Process not Found	909
PID 4172 wrote to memory of 1592	4172	Process not Found	909
PID 2556 wrote to memory of 1584	2556	Process not Found	908
PID 2556 wrote to memory of 1584	2556	Process not Found	908
PID 2556 wrote to memory of 1584	2556	Process not Found	908
PID 2556 wrote to memory of 1348	2556	Process not Found	907
PID 2556 wrote to memory of 1348	2556	Process not Found	907
PID 2556 wrote to memory of 1348	2556	Process not Found	907
PID 4700 wrote to memory of 4792	4700	srtsrv32.exe	1449
PID 4700 wrote to memory of 4792	4700	srtsrv32.exe	1449
PID 4700 wrote to memory of 4792	4700	srtsrv32.exe	1449
PID 1592 wrote to memory of 2276	1592	Process not Found	1260
PID 1592 wrote to memory of 2276	1592	Process not Found	1260
PID 1592 wrote to memory of 2276	1592	Process not Found	1260
PID 1584 wrote to memory of 2880	1584	srtsrv32.exe	1358
PID 1584 wrote to memory of 2880	1584	srtsrv32.exe	1358
PID 1584 wrote to memory of 2880	1584	srtsrv32.exe	1358
PID 1348 wrote to memory of 3628	1348	srtsrv32.exe	900
PID 1348 wrote to memory of 3628	1348	srtsrv32.exe	900
PID 1348 wrote to memory of 3628	1348	srtsrv32.exe	900
PID 4792 wrote to memory of 2076	4792	Process not Found	899
PID 4792 wrote to memory of 2076	4792	Process not Found	899
PID 4792 wrote to memory of 2076	4792	Process not Found	899
PID 2880 wrote to memory of 1388	2880	Process not Found	1739
PID 2880 wrote to memory of 1388	2880	Process not Found	1739
PID 2880 wrote to memory of 1388	2880	Process not Found	1739
PID 2276 wrote to memory of 4848	2276	Process not Found	1711
PID 2276 wrote to memory of 4848	2276	Process not Found	1711
PID 2276 wrote to memory of 4848	2276	Process not Found	1711
PID 2076 wrote to memory of 3416	2076	LSASSMGR.EXE	1558
PID 2076 wrote to memory of 3416	2076	LSASSMGR.EXE	1558
PID 2076 wrote to memory of 3416	2076	LSASSMGR.EXE	1558
PID 3628 wrote to memory of 4948	3628	LSASSMGR.EXE	895
PID 3628 wrote to memory of 4948	3628	LSASSMGR.EXE	895
PID 3628 wrote to memory of 4948	3628	LSASSMGR.EXE	895
PID 1388 wrote to memory of 1272	1388	Process not Found	1265
PID 1388 wrote to memory of 1272	1388	Process not Found	1265
PID 1388 wrote to memory of 1272	1388	Process not Found	1265
PID 4848 wrote to memory of 3272	4848	Process not Found	1563
PID 4848 wrote to memory of 3272	4848	Process not Found	1563
PID 4848 wrote to memory of 3272	4848	Process not Found	1563
PID 3416 wrote to memory of 1180	3416	Process not Found	1642
PID 3416 wrote to memory of 1180	3416	Process not Found	1642
PID 3416 wrote to memory of 1180	3416	Process not Found	1642
PID 4948 wrote to memory of 1500	4948	Process not Found	2045

C:\Users\Admin\AppData\Local\Temp\69cc52208b7ee6dd79cd0d9bf380c8a7.exe
"C:\Users\Admin\AppData\Local\Temp\69cc52208b7ee6dd79cd0d9bf380c8a7.exe"
1⤵
PID:2412
- C:\Windows\SysWOW64\lssmon.exe
  "C:\Windows\system32\lssmon.exe"
  2⤵
  PID:2556

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4848
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3272

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3608
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3684
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4312
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3924

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2488
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1932
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1580
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:5072
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2512
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:868

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:736

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4832
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3532
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3708
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:5104
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:5016
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:904
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:1656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3896
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3868

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2992
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4788
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1576
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4164

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3432

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:5060
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:5104
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:928
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2140
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4148
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1300
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:380
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4188
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:3324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:836
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2232
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4364
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:232
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4164
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:1584
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:436
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2880

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4804
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4712

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2532
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4928
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4780
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2800
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2540
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:876
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        Sets file execution options in registry
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4948
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:452
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:640
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:624
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:436
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:736
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        
        PID:952
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        
        PID:376
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        45⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        46⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        47⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        48⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        49⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        50⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        51⤵
        
        PID:8
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        52⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        53⤵
        
        PID:432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        54⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        55⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        56⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        57⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        58⤵
        
        PID:452
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        59⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        60⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        61⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        62⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        63⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        64⤵
        
        PID:692
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        65⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        66⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:3932
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:3708
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:2564

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4304
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1520
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4296
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3504
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3360
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3892
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4288
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4648
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2852
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:2304
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1132

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1424
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3592
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2980
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:1624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2976
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:440

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:5072
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:468
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:5048
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:376

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1280
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3100
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:972
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3896
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4692
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:2344

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1644

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:904
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3416
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2256
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:3928
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:952
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:380
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:624
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:4740
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:1180

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:404
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4176
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4704
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:768
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:692
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:860
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:1980

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3256
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3240
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2240
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1436
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4324
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:3396
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:1012
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2396

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3396
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3536

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3260
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2800

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3040
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4704
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1524

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:220

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1632

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1500
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4536
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:5004
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2028
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:1260
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2548
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4712
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1288
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:836
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:860
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1892

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2488

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1584
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1280
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4748
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2960

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:8

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2548

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1396
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2472
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4864
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4152
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:452
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1960

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4200
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:5000
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2980
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3508
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:5060
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4200

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1036
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2532

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3016

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4804
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3324
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1920
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3192
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2532
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:952
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:956
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:4376
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1140

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4704
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4148

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4940
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3432
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2852
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1108
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4692
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4172
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:3964
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:448
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:232
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        Sets file execution options in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:2488
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        
        PID:468
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        
        PID:436
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        
        PID:4268
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:1592

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3408
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:860
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3460
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:440
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4804
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2344
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:3768

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1260
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4200
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4764
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4460
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4152
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:1280
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3532
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4376
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:5048
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:640
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2196

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4432
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3640
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1892

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:728

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:972
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4648
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:116
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4536
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2848
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4780
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:768

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1688
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1912
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4748
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2604
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3504
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2232
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:2028
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1436

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4380
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:220
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4736
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4792
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        Sets file execution options in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:2076
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3640

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3684

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2980
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:372
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3412
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4884
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:3576
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3404
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        Checks computer location settings
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\SysWOW64\srtsrv32.exe
        
        "C:\Windows\system32\srtsrv32.exe"
        6⤵
        Sets file execution options in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:3284
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1020

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3596

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4392
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4172
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1184
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3676
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:1592
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:5000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3992
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4232

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:5004

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1388
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2960
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:1756

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1632

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1964
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4948
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1424
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3244
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2624
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4536
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1500
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4992

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2196
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3836
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4176

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3596
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3256
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2204
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1096

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1060
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3244
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4288
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2980
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:5016
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4372

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2088
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4928
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4792
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:1932

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1248
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:920

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4960
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1468
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2512
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3272
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3676
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3940
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:936
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3240
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2624
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:740
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:4152
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:5100
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1424
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4296
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2636
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4780
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4884
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3708

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:5072
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  - Executes dropped EXE
  PID:2556
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:736
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2412
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:3620
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:380
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4380
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1756
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1144
    3⤵
    - Program crash
    PID:2280
- - C:\Windows\SysWOW64\srtsrv32.exe
    "C:\Windows\system32\srtsrv32.exe"
    3⤵
    - Sets file execution options in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:1348
- - C:\Windows\SysWOW64\srtsrv32.exe
    "C:\Windows\system32\srtsrv32.exe"
    3⤵
    - Sets file execution options in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1584
- - C:\Windows\SysWOW64\srtsrv32.exe
    "C:\Windows\system32\srtsrv32.exe"
    3⤵
    - Sets file execution options in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4700

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:5060

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3708

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4516
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4148

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3608

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1728

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4788
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4968
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2124
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:1440
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:3648
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3360
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:376
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4792
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4856
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:3348
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:1020
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4324
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:3060
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2808

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4000
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:456
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4804
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:1404
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:452
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:4164
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:1396
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:2768
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2988
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:1776
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:868
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:5048

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4728
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:624
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3416
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4992
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:972
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:380
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        Sets file execution options in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3964
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2428
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2272
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:8
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:952
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:876
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:4876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1272
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2548
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:868
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3488
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:876
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:860
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:4968
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:1248
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2320
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4300
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:5092
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4364
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2736
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1500
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2672
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4404
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4940
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:404
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:468
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:5092
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1076

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1468
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2720

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4232
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4780

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4668

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:540
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3348
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1304

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2832
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:864
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4144
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:640
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2140
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2936
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2680
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:5004

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1924
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4932
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4648
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2056
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:1068

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1516
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1184

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3272
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:768

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:380
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:836
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4404

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4568
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:456
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2276
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3192
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:1576
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:740
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:4968

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:372

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1448
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3256
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1300
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4780
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:5016
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:936
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:404
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:2280
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:1592
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:3628
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:3932
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:3676
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:440
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4704

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:868
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:544
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2784
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2608
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:3396
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3964
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:548
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:4932

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:692
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:972
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:2564
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:1644
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2320
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:436
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:432
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:936
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:728
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:768
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:448
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        
        PID:3644
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:408
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:1032
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:928

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:2344
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1260
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4364
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4576
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4288
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:448
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:728
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:4392
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:2512
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:968
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        22⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        23⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        24⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        25⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        26⤵
        Sets file execution options in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Program Files directory
        
        PID:3708
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        27⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        28⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        29⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        30⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        31⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        32⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        33⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        34⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        35⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        36⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        37⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        38⤵
        Sets file execution options in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        39⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        40⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        41⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        42⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        43⤵
        
        PID:2880

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:5060
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:396
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4060
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:4568
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:1520
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:2720

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1128
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4304

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4460
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2412
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1212
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2304
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4868
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1904
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2016

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4920
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:1012
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4212
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:1688
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:2076
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:1500
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:3416

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4748

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:952

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1688
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2196
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:1500
  - - C:\Windows\SysWOW64\LSASSMGR.EXE
      "C:\Windows\system32\LSASSMGR.EXE"
      4⤵
      PID:2232
    - - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        5⤵
        
        PID:4076
      - C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        6⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        7⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        8⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        10⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        12⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        13⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        14⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        15⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        16⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        18⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        19⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        21⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        20⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        17⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\LSASSMGR.EXE
        
        "C:\Windows\system32\LSASSMGR.EXE"
        9⤵
        
        PID:768
- - C:\Windows\SysWOW64\LSASSMGR.EXE
    "C:\Windows\system32\LSASSMGR.EXE"
    3⤵
    PID:4836

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4920

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1592
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:4076

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:3016
- C:\Windows\SysWOW64\LSASSMGR.EXE
  "C:\Windows\system32\LSASSMGR.EXE"
  2⤵
  PID:2960

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:1436

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4868

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:3608

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2556 -ip 2556
1⤵
PID:1260

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\lssmon.exe

Filesize
2.8MB

MD5
28b5f09b53fe8c533f54e54a711a043e

SHA1
2fd49dffa0f306b69c9700ca3eb361e7f11e378e

SHA256
21e1ee6073e05b45ff97f139f34f5940f19c1dfb4f337bf22fa7ebc3b88a044c

SHA512
dfd4dffac5574c82a91b194e18fec7af168c3a9208dbcb1a24a4dcc00b515d079faf01542f4dcb3fc08823acc681196e050b9235d9092a2ab133a1b8cfc84bc3

Download Submit
C:\Windows\SysWOW64\srtsrv32.exe

Filesize
17KB

MD5
63d1a3e723cd29ca2fd1295b02ce6a52

SHA1
1229b1f58d34c4d2b99e53496cde36a7075077e1

SHA256
ca92cbaca2f5d0d0405bc39b429ac57cc70237f515ab3da7920b2ef8e7ffef3c

SHA512
40257ac0b1af6a0c3caa46cca55a278cdb1d62f5c7c7aecd26f7fc9e22b01401dfa5126c6eaef4cfed55647a77b16bc9a5b2765ad6f791a13a5e938089bb96b7

Download Submit
memory/2412-0-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2412-27-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/2556-34-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2556-491-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads