Analysis
-
max time kernel
133s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28/02/2024, 14:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac239fe392b0c8117bf8d1f52ea9afc8.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
ac239fe392b0c8117bf8d1f52ea9afc8.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
ac239fe392b0c8117bf8d1f52ea9afc8.exe
-
Size
17KB
-
MD5
ac239fe392b0c8117bf8d1f52ea9afc8
-
SHA1
fd09c04bf643a9a41866f72783cfa756601e730b
-
SHA256
272409100f02e297f540b1b92643e54dc1c6a1738ddfc971f8ac14b26a2e146d
-
SHA512
8bee79bc548f7724cc328b14b9da57a930495f24191eda5f3b1cafda3e3ade10e5bb2a5e0de7c5d38fef7a8da67a4b6539965530acddc2ddd2f3cc3832fa5eb5
-
SSDEEP
384:wFmRJ/4ccmZO2Zp+Nye8pqrmub8TyztsDN:wof4coKK8o8TyJc
Score
8/10
Malware Config
Signatures
-
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE -
Executes dropped EXE 64 IoCs
pid Process 4632 LSASSMGR.EXE 3104 LSASSMGR.EXE 2828 LSASSMGR.EXE 2332 LSASSMGR.EXE 3812 LSASSMGR.EXE 2196 LSASSMGR.EXE 4788 LSASSMGR.EXE 400 LSASSMGR.EXE 2208 LSASSMGR.EXE 2884 LSASSMGR.EXE 1208 LSASSMGR.EXE 336 LSASSMGR.EXE 2508 LSASSMGR.EXE 1004 LSASSMGR.EXE 2788 LSASSMGR.EXE 2108 LSASSMGR.EXE 2128 LSASSMGR.EXE 1152 LSASSMGR.EXE 3136 LSASSMGR.EXE 3376 LSASSMGR.EXE 1248 LSASSMGR.EXE 4576 LSASSMGR.EXE 1080 LSASSMGR.EXE 1208 LSASSMGR.EXE 2428 LSASSMGR.EXE 2740 LSASSMGR.EXE 4612 LSASSMGR.EXE 1156 LSASSMGR.EXE 2292 LSASSMGR.EXE 1292 LSASSMGR.EXE 1060 LSASSMGR.EXE 4596 LSASSMGR.EXE 116 LSASSMGR.EXE 4512 LSASSMGR.EXE 3480 LSASSMGR.EXE 4408 LSASSMGR.EXE 4444 LSASSMGR.EXE 4536 LSASSMGR.EXE 4232 LSASSMGR.EXE 1208 LSASSMGR.EXE 4048 LSASSMGR.EXE 3316 LSASSMGR.EXE 2428 LSASSMGR.EXE 3776 LSASSMGR.EXE 3132 LSASSMGR.EXE 4564 LSASSMGR.EXE 4388 LSASSMGR.EXE 5080 LSASSMGR.EXE 3300 LSASSMGR.EXE 5100 LSASSMGR.EXE 1796 LSASSMGR.EXE 2196 LSASSMGR.EXE 2652 LSASSMGR.EXE 4972 LSASSMGR.EXE 3680 LSASSMGR.EXE 4408 LSASSMGR.EXE 1744 LSASSMGR.EXE 1036 LSASSMGR.EXE 3384 LSASSMGR.EXE 4500 LSASSMGR.EXE 4912 backgroundTaskHost.exe 3424 LSASSMGR.EXE 824 LSASSMGR.EXE 2448 LSASSMGR.EXE -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" ac239fe392b0c8117bf8d1f52ea9afc8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1000 wrote to memory of 4632 1000 ac239fe392b0c8117bf8d1f52ea9afc8.exe 97 PID 1000 wrote to memory of 4632 1000 ac239fe392b0c8117bf8d1f52ea9afc8.exe 97 PID 1000 wrote to memory of 4632 1000 ac239fe392b0c8117bf8d1f52ea9afc8.exe 97 PID 4632 wrote to memory of 3104 4632 LSASSMGR.EXE 98 PID 4632 wrote to memory of 3104 4632 LSASSMGR.EXE 98 PID 4632 wrote to memory of 3104 4632 LSASSMGR.EXE 98 PID 3104 wrote to memory of 2828 3104 LSASSMGR.EXE 99 PID 3104 wrote to memory of 2828 3104 LSASSMGR.EXE 99 PID 3104 wrote to memory of 2828 3104 LSASSMGR.EXE 99 PID 2828 wrote to memory of 2332 2828 LSASSMGR.EXE 100 PID 2828 wrote to memory of 2332 2828 LSASSMGR.EXE 100 PID 2828 wrote to memory of 2332 2828 LSASSMGR.EXE 100 PID 2332 wrote to memory of 3812 2332 LSASSMGR.EXE 101 PID 2332 wrote to memory of 3812 2332 LSASSMGR.EXE 101 PID 2332 wrote to memory of 3812 2332 LSASSMGR.EXE 101 PID 3812 wrote to memory of 2196 3812 LSASSMGR.EXE 102 PID 3812 wrote to memory of 2196 3812 LSASSMGR.EXE 102 PID 3812 wrote to memory of 2196 3812 LSASSMGR.EXE 102 PID 2196 wrote to memory of 4788 2196 LSASSMGR.EXE 103 PID 2196 wrote to memory of 4788 2196 LSASSMGR.EXE 103 PID 2196 wrote to memory of 4788 2196 LSASSMGR.EXE 103 PID 4788 wrote to memory of 400 4788 LSASSMGR.EXE 104 PID 4788 wrote to memory of 400 4788 LSASSMGR.EXE 104 PID 4788 wrote to memory of 400 4788 LSASSMGR.EXE 104 PID 400 wrote to memory of 2208 400 LSASSMGR.EXE 105 PID 400 wrote to memory of 2208 400 LSASSMGR.EXE 105 PID 400 wrote to memory of 2208 400 LSASSMGR.EXE 105 PID 2208 wrote to memory of 2884 2208 LSASSMGR.EXE 106 PID 2208 wrote to memory of 2884 2208 LSASSMGR.EXE 106 PID 2208 wrote to memory of 2884 2208 LSASSMGR.EXE 106 PID 2884 wrote to memory of 1208 2884 LSASSMGR.EXE 122 PID 2884 wrote to memory of 1208 2884 LSASSMGR.EXE 122 PID 2884 wrote to memory of 1208 2884 LSASSMGR.EXE 122 PID 1208 wrote to memory of 336 1208 LSASSMGR.EXE 108 PID 1208 wrote to memory of 336 1208 LSASSMGR.EXE 108 PID 1208 wrote to memory of 336 1208 LSASSMGR.EXE 108 PID 336 wrote to memory of 2508 336 LSASSMGR.EXE 109 PID 336 wrote to memory of 2508 336 LSASSMGR.EXE 109 PID 336 wrote to memory of 2508 336 LSASSMGR.EXE 109 PID 2508 wrote to memory of 1004 2508 LSASSMGR.EXE 110 PID 2508 wrote to memory of 1004 2508 LSASSMGR.EXE 110 PID 2508 wrote to memory of 1004 2508 LSASSMGR.EXE 110 PID 1004 wrote to memory of 2788 1004 LSASSMGR.EXE 111 PID 1004 wrote to memory of 2788 1004 LSASSMGR.EXE 111 PID 1004 wrote to memory of 2788 1004 LSASSMGR.EXE 111 PID 2788 wrote to memory of 2108 2788 LSASSMGR.EXE 113 PID 2788 wrote to memory of 2108 2788 LSASSMGR.EXE 113 PID 2788 wrote to memory of 2108 2788 LSASSMGR.EXE 113 PID 2108 wrote to memory of 2128 2108 LSASSMGR.EXE 114 PID 2108 wrote to memory of 2128 2108 LSASSMGR.EXE 114 PID 2108 wrote to memory of 2128 2108 LSASSMGR.EXE 114 PID 2128 wrote to memory of 1152 2128 LSASSMGR.EXE 115 PID 2128 wrote to memory of 1152 2128 LSASSMGR.EXE 115 PID 2128 wrote to memory of 1152 2128 LSASSMGR.EXE 115 PID 1152 wrote to memory of 3136 1152 LSASSMGR.EXE 117 PID 1152 wrote to memory of 3136 1152 LSASSMGR.EXE 117 PID 1152 wrote to memory of 3136 1152 LSASSMGR.EXE 117 PID 3136 wrote to memory of 3376 3136 LSASSMGR.EXE 118 PID 3136 wrote to memory of 3376 3136 LSASSMGR.EXE 118 PID 3136 wrote to memory of 3376 3136 LSASSMGR.EXE 118 PID 3376 wrote to memory of 1248 3376 LSASSMGR.EXE 119 PID 3376 wrote to memory of 1248 3376 LSASSMGR.EXE 119 PID 3376 wrote to memory of 1248 3376 LSASSMGR.EXE 119 PID 1248 wrote to memory of 4576 1248 LSASSMGR.EXE 120
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac239fe392b0c8117bf8d1f52ea9afc8.exe"C:\Users\Admin\AppData\Local\Temp\ac239fe392b0c8117bf8d1f52ea9afc8.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3812 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"7⤵
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"8⤵
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"10⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"12⤵PID:1208
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"14⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"16⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"17⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"20⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"21⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"22⤵
- Sets file execution options in registry
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"23⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:4576 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"24⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1080 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"25⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"26⤵PID:2428
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"27⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"28⤵
- Executes dropped EXE
PID:4612 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"29⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"30⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:2292 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"31⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1292 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"32⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"33⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"34⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:116 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4512 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"36⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3480 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"37⤵PID:4408
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"38⤵
- Executes dropped EXE
PID:4444 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"39⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4536 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"40⤵
- Sets file execution options in registry
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"41⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1208 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"42⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4048 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"43⤵
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
PID:3316 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"44⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2428 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"45⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3776 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3132 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"47⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4564 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"48⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4388 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"49⤵
- Executes dropped EXE
PID:5080 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"50⤵
- Checks computer location settings
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"51⤵
- Sets file execution options in registry
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"52⤵PID:1796
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"53⤵PID:2196
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"54⤵PID:2652
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"55⤵
- Checks computer location settings
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"56⤵PID:3680
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"57⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"58⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"59⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3384 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:4500 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"62⤵PID:4912
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"63⤵
- Executes dropped EXE
PID:3424 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"64⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"66⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"67⤵
- Sets file execution options in registry
- Drops file in System32 directory
PID:3224 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"68⤵
- Sets file execution options in registry
- Adds Run key to start application
PID:2952 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"69⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4784 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"70⤵PID:4980
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"71⤵
- Sets file execution options in registry
- Drops file in System32 directory
PID:2128 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"72⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"73⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"74⤵
- Checks computer location settings
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"75⤵PID:1708
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"76⤵PID:1368
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"77⤵
- Checks computer location settings
- Adds Run key to start application
PID:3204 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"78⤵PID:3240
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"79⤵PID:2992
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"80⤵
- Drops file in Program Files directory
PID:2964 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"81⤵PID:1032
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"82⤵PID:3604
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"83⤵
- Checks computer location settings
- Drops file in Program Files directory
PID:1672 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"84⤵PID:4904
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"85⤵PID:4396
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"86⤵PID:1432
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"87⤵PID:2264
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"88⤵PID:4788
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"89⤵PID:2000
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"90⤵PID:3096
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"91⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3680 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"92⤵PID:3828
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"93⤵PID:544
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"94⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:4540 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"95⤵
- Checks computer location settings
PID:3460 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"96⤵PID:336
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"97⤵
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
PID:3080 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"98⤵
- Sets file execution options in registry
- Checks computer location settings
- Drops file in System32 directory
PID:3776 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"99⤵
- Sets file execution options in registry
PID:2028 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"100⤵PID:2296
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"101⤵
- Sets file execution options in registry
PID:4124 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"102⤵PID:1152
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"103⤵PID:4980
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"104⤵PID:116
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"105⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3480 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"106⤵
- Drops file in System32 directory
PID:816 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"107⤵PID:3096
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"108⤵
- Sets file execution options in registry
- Checks computer location settings
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"109⤵PID:4552
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"110⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"111⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:3772 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"112⤵PID:2616
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"113⤵PID:4080
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"114⤵PID:632
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"115⤵PID:4368
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"116⤵PID:4388
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"117⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"118⤵PID:4428
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"119⤵
- Drops file in System32 directory
PID:4512 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"120⤵
- Drops file in Program Files directory
PID:4980 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"121⤵
- Drops file in System32 directory
PID:116
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-