fakeav | d75af48ba4af3e4cbe442dd0eecb670e91fd33d1d63889c6d0b1b0254d1a4268

General

Target

d2f88bebf8a507dd920c0db21e01220c.exe
Size

2.8MB
MD5

d2f88bebf8a507dd920c0db21e01220c
SHA1

8bdf7fbeb6dbc58cdbf3334385a36970b0875217
SHA256

d75af48ba4af3e4cbe442dd0eecb670e91fd33d1d63889c6d0b1b0254d1a4268
SHA512

5d3dba13f719630cc3347b41f7653b89fc7b074cae2a541c8c87add6efd6c7f83757cd69d5e7534ece166b476b85505b04bf95eaaeb508f2d7d7f89b15e79e93
SSDEEP

49152:67N1ahCb0V7N1ahCN0V7N1ahCY0V7N1ahCH0:67O7A7l7

Score

10^/10

fakeav fakeav persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav

FakeAV payload 3 IoCs

fakeav spyware

Processes:

resource	yara_rule
\Windows\SysWOW64\lssmon.exe	fakeav
behavioral1/memory/3032-21-0x0000000000400000-0x00000000004C1000-memory.dmp	fakeav
behavioral1/memory/2804-27-0x0000000000400000-0x00000000004C1000-memory.dmp	fakeav

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE

Executes dropped EXE 64 IoCs

Processes:

srtsrv32.exelssmon.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

pid	process
2496	srtsrv32.exe
2804	lssmon.exe
2408	LSASSMGR.EXE
2568	LSASSMGR.EXE
2416	LSASSMGR.EXE
2860	LSASSMGR.EXE
2384	LSASSMGR.EXE
2044	LSASSMGR.EXE
904	LSASSMGR.EXE
2720	LSASSMGR.EXE
2736	LSASSMGR.EXE
2440	LSASSMGR.EXE
2016	LSASSMGR.EXE
1392	LSASSMGR.EXE
1916	LSASSMGR.EXE
2236	LSASSMGR.EXE
760	LSASSMGR.EXE
540	LSASSMGR.EXE
2208	LSASSMGR.EXE
2212	LSASSMGR.EXE
1584	LSASSMGR.EXE
1272	LSASSMGR.EXE
2296	LSASSMGR.EXE
2960	LSASSMGR.EXE
2988	LSASSMGR.EXE
1872	LSASSMGR.EXE
2052	LSASSMGR.EXE
1172	LSASSMGR.EXE
2184	LSASSMGR.EXE
3060	LSASSMGR.EXE
1152	LSASSMGR.EXE
1920	LSASSMGR.EXE
1896	LSASSMGR.EXE
1328	LSASSMGR.EXE
948	LSASSMGR.EXE
1728	LSASSMGR.EXE
1904	LSASSMGR.EXE
2948	LSASSMGR.EXE
564	LSASSMGR.EXE
1724	LSASSMGR.EXE
2832	LSASSMGR.EXE
2972	LSASSMGR.EXE
2660	LSASSMGR.EXE
2084	LSASSMGR.EXE
892	LSASSMGR.EXE
3036	LSASSMGR.EXE
1704	LSASSMGR.EXE
2616	LSASSMGR.EXE
2608	LSASSMGR.EXE
2944	LSASSMGR.EXE
2536	LSASSMGR.EXE
2776	LSASSMGR.EXE
2792	LSASSMGR.EXE
2668	LSASSMGR.EXE
2688	LSASSMGR.EXE
2540	LSASSMGR.EXE
2516	LSASSMGR.EXE
2568	LSASSMGR.EXE
2476	LSASSMGR.EXE
2460	LSASSMGR.EXE
2868	LSASSMGR.EXE
2860	LSASSMGR.EXE
884	LSASSMGR.EXE
808	LSASSMGR.EXE

Loads dropped DLL 64 IoCs

Processes:

d2f88bebf8a507dd920c0db21e01220c.exesrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

pid	process
3032	d2f88bebf8a507dd920c0db21e01220c.exe
3032	d2f88bebf8a507dd920c0db21e01220c.exe
3032	d2f88bebf8a507dd920c0db21e01220c.exe
2496	srtsrv32.exe
2496	srtsrv32.exe
2408	LSASSMGR.EXE
2408	LSASSMGR.EXE
2568	LSASSMGR.EXE
2568	LSASSMGR.EXE
2416	LSASSMGR.EXE
2416	LSASSMGR.EXE
2860	LSASSMGR.EXE
2860	LSASSMGR.EXE
2384	LSASSMGR.EXE
2384	LSASSMGR.EXE
2044	LSASSMGR.EXE
2044	LSASSMGR.EXE
904	LSASSMGR.EXE
904	LSASSMGR.EXE
2720	LSASSMGR.EXE
2720	LSASSMGR.EXE
2736	LSASSMGR.EXE
2736	LSASSMGR.EXE
2440	LSASSMGR.EXE
2440	LSASSMGR.EXE
2016	LSASSMGR.EXE
2016	LSASSMGR.EXE
1392	LSASSMGR.EXE
1392	LSASSMGR.EXE
1916	LSASSMGR.EXE
1916	LSASSMGR.EXE
2236	LSASSMGR.EXE
2236	LSASSMGR.EXE
760	LSASSMGR.EXE
760	LSASSMGR.EXE
540	LSASSMGR.EXE
540	LSASSMGR.EXE
2208	LSASSMGR.EXE
2208	LSASSMGR.EXE
2212	LSASSMGR.EXE
2212	LSASSMGR.EXE
1584	LSASSMGR.EXE
1584	LSASSMGR.EXE
1272	LSASSMGR.EXE
1272	LSASSMGR.EXE
2296	LSASSMGR.EXE
2296	LSASSMGR.EXE
2960	LSASSMGR.EXE
2960	LSASSMGR.EXE
2988	LSASSMGR.EXE
2988	LSASSMGR.EXE
1872	LSASSMGR.EXE
1872	LSASSMGR.EXE
2052	LSASSMGR.EXE
2052	LSASSMGR.EXE
1172	LSASSMGR.EXE
1172	LSASSMGR.EXE
2184	LSASSMGR.EXE
2184	LSASSMGR.EXE
3060	LSASSMGR.EXE
3060	LSASSMGR.EXE
1152	LSASSMGR.EXE
1152	LSASSMGR.EXE
1920	LSASSMGR.EXE

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE

Drops file in System32 directory 64 IoCs

Processes:

LSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

description	ioc	process
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE

Drops file in Program Files directory 64 IoCs

Processes:

LSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE

Drops file in Windows directory 1 IoCs

Processes:

d2f88bebf8a507dd920c0db21e01220c.exe

description ioc process

File created C:\Windows\divx32.dll d2f88bebf8a507dd920c0db21e01220c.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\divx32.dll	d2f88bebf8a507dd920c0db21e01220c.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

d2f88bebf8a507dd920c0db21e01220c.exesrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

description	pid	process	target process
PID 3032 wrote to memory of 2496	3032	d2f88bebf8a507dd920c0db21e01220c.exe	srtsrv32.exe
PID 3032 wrote to memory of 2496	3032	d2f88bebf8a507dd920c0db21e01220c.exe	srtsrv32.exe
PID 3032 wrote to memory of 2496	3032	d2f88bebf8a507dd920c0db21e01220c.exe	srtsrv32.exe
PID 3032 wrote to memory of 2496	3032	d2f88bebf8a507dd920c0db21e01220c.exe	srtsrv32.exe
PID 3032 wrote to memory of 2804	3032	d2f88bebf8a507dd920c0db21e01220c.exe	lssmon.exe
PID 3032 wrote to memory of 2804	3032	d2f88bebf8a507dd920c0db21e01220c.exe	lssmon.exe
PID 3032 wrote to memory of 2804	3032	d2f88bebf8a507dd920c0db21e01220c.exe	lssmon.exe
PID 3032 wrote to memory of 2804	3032	d2f88bebf8a507dd920c0db21e01220c.exe	lssmon.exe
PID 2496 wrote to memory of 2408	2496	srtsrv32.exe	LSASSMGR.EXE
PID 2496 wrote to memory of 2408	2496	srtsrv32.exe	LSASSMGR.EXE
PID 2496 wrote to memory of 2408	2496	srtsrv32.exe	LSASSMGR.EXE
PID 2496 wrote to memory of 2408	2496	srtsrv32.exe	LSASSMGR.EXE
PID 2408 wrote to memory of 2568	2408	LSASSMGR.EXE	LSASSMGR.EXE
PID 2408 wrote to memory of 2568	2408	LSASSMGR.EXE	LSASSMGR.EXE
PID 2408 wrote to memory of 2568	2408	LSASSMGR.EXE	LSASSMGR.EXE
PID 2408 wrote to memory of 2568	2408	LSASSMGR.EXE	LSASSMGR.EXE
PID 2568 wrote to memory of 2416	2568	LSASSMGR.EXE	LSASSMGR.EXE
PID 2568 wrote to memory of 2416	2568	LSASSMGR.EXE	LSASSMGR.EXE
PID 2568 wrote to memory of 2416	2568	LSASSMGR.EXE	LSASSMGR.EXE
PID 2568 wrote to memory of 2416	2568	LSASSMGR.EXE	LSASSMGR.EXE
PID 2416 wrote to memory of 2860	2416	LSASSMGR.EXE	LSASSMGR.EXE
PID 2416 wrote to memory of 2860	2416	LSASSMGR.EXE	LSASSMGR.EXE
PID 2416 wrote to memory of 2860	2416	LSASSMGR.EXE	LSASSMGR.EXE
PID 2416 wrote to memory of 2860	2416	LSASSMGR.EXE	LSASSMGR.EXE
PID 2860 wrote to memory of 2384	2860	LSASSMGR.EXE	LSASSMGR.EXE
PID 2860 wrote to memory of 2384	2860	LSASSMGR.EXE	LSASSMGR.EXE
PID 2860 wrote to memory of 2384	2860	LSASSMGR.EXE	LSASSMGR.EXE
PID 2860 wrote to memory of 2384	2860	LSASSMGR.EXE	LSASSMGR.EXE
PID 2384 wrote to memory of 2044	2384	LSASSMGR.EXE	LSASSMGR.EXE
PID 2384 wrote to memory of 2044	2384	LSASSMGR.EXE	LSASSMGR.EXE
PID 2384 wrote to memory of 2044	2384	LSASSMGR.EXE	LSASSMGR.EXE
PID 2384 wrote to memory of 2044	2384	LSASSMGR.EXE	LSASSMGR.EXE
PID 2044 wrote to memory of 904	2044	LSASSMGR.EXE	LSASSMGR.EXE
PID 2044 wrote to memory of 904	2044	LSASSMGR.EXE	LSASSMGR.EXE
PID 2044 wrote to memory of 904	2044	LSASSMGR.EXE	LSASSMGR.EXE
PID 2044 wrote to memory of 904	2044	LSASSMGR.EXE	LSASSMGR.EXE
PID 904 wrote to memory of 2720	904	LSASSMGR.EXE	LSASSMGR.EXE
PID 904 wrote to memory of 2720	904	LSASSMGR.EXE	LSASSMGR.EXE
PID 904 wrote to memory of 2720	904	LSASSMGR.EXE	LSASSMGR.EXE
PID 904 wrote to memory of 2720	904	LSASSMGR.EXE	LSASSMGR.EXE
PID 2720 wrote to memory of 2736	2720	LSASSMGR.EXE	LSASSMGR.EXE
PID 2720 wrote to memory of 2736	2720	LSASSMGR.EXE	LSASSMGR.EXE
PID 2720 wrote to memory of 2736	2720	LSASSMGR.EXE	LSASSMGR.EXE
PID 2720 wrote to memory of 2736	2720	LSASSMGR.EXE	LSASSMGR.EXE
PID 2736 wrote to memory of 2440	2736	LSASSMGR.EXE	LSASSMGR.EXE
PID 2736 wrote to memory of 2440	2736	LSASSMGR.EXE	LSASSMGR.EXE
PID 2736 wrote to memory of 2440	2736	LSASSMGR.EXE	LSASSMGR.EXE
PID 2736 wrote to memory of 2440	2736	LSASSMGR.EXE	LSASSMGR.EXE
PID 2440 wrote to memory of 2016	2440	LSASSMGR.EXE	LSASSMGR.EXE
PID 2440 wrote to memory of 2016	2440	LSASSMGR.EXE	LSASSMGR.EXE
PID 2440 wrote to memory of 2016	2440	LSASSMGR.EXE	LSASSMGR.EXE
PID 2440 wrote to memory of 2016	2440	LSASSMGR.EXE	LSASSMGR.EXE
PID 2016 wrote to memory of 1392	2016	LSASSMGR.EXE	LSASSMGR.EXE
PID 2016 wrote to memory of 1392	2016	LSASSMGR.EXE	LSASSMGR.EXE
PID 2016 wrote to memory of 1392	2016	LSASSMGR.EXE	LSASSMGR.EXE
PID 2016 wrote to memory of 1392	2016	LSASSMGR.EXE	LSASSMGR.EXE
PID 1392 wrote to memory of 1916	1392	LSASSMGR.EXE	LSASSMGR.EXE
PID 1392 wrote to memory of 1916	1392	LSASSMGR.EXE	LSASSMGR.EXE
PID 1392 wrote to memory of 1916	1392	LSASSMGR.EXE	LSASSMGR.EXE
PID 1392 wrote to memory of 1916	1392	LSASSMGR.EXE	LSASSMGR.EXE
PID 1916 wrote to memory of 2236	1916	LSASSMGR.EXE	LSASSMGR.EXE
PID 1916 wrote to memory of 2236	1916	LSASSMGR.EXE	LSASSMGR.EXE
PID 1916 wrote to memory of 2236	1916	LSASSMGR.EXE	LSASSMGR.EXE
PID 1916 wrote to memory of 2236	1916	LSASSMGR.EXE	LSASSMGR.EXE

C:\Users\Admin\AppData\Local\Temp\d2f88bebf8a507dd920c0db21e01220c.exe
"C:\Users\Admin\AppData\Local\Temp\d2f88bebf8a507dd920c0db21e01220c.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\SysWOW64\srtsrv32.exe
"C:\Windows\system32\srtsrv32.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
4⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2236

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
18⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:540

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
19⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:2208

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3060

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
33⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1896

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
34⤵
- Executes dropped EXE
PID:1328

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
35⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
36⤵
- Executes dropped EXE
PID:1728

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
37⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
38⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
39⤵
- Executes dropped EXE
PID:564

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
40⤵
- Executes dropped EXE
PID:1724

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
41⤵
- Executes dropped EXE
PID:2832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
42⤵
- Executes dropped EXE
PID:2972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
43⤵
- Executes dropped EXE
PID:2660

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
44⤵
- Executes dropped EXE
PID:2084

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
45⤵
- Executes dropped EXE
PID:892

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
46⤵
- Executes dropped EXE
PID:3036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
47⤵
- Sets file execution options in registry
- Executes dropped EXE
PID:1704

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
48⤵
- Executes dropped EXE
PID:2616

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
49⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:2608

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
50⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2944

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
51⤵
- Executes dropped EXE
PID:2536

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
52⤵
- Executes dropped EXE
PID:2776

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
54⤵
- Sets file execution options in registry
- Executes dropped EXE
PID:2668

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
55⤵
- Executes dropped EXE
PID:2688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
56⤵
- Executes dropped EXE
PID:2540

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
58⤵
- Executes dropped EXE
PID:2568

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
59⤵
- Executes dropped EXE
PID:2476

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
60⤵
- Sets file execution options in registry
- Executes dropped EXE
PID:2460

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
61⤵
- Executes dropped EXE
PID:2868

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
62⤵
- Executes dropped EXE
PID:2860

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
63⤵
- Executes dropped EXE
PID:884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
64⤵
- Executes dropped EXE
PID:808

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
65⤵
- Drops file in System32 directory
PID:576

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
66⤵
- Drops file in Program Files directory
PID:1500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
67⤵
- Adds Run key to start application
PID:2716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
68⤵
PID:2712

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
69⤵
- Drops file in Program Files directory
PID:2732

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
70⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
71⤵
PID:2024

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
72⤵
PID:1952

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
73⤵
PID:2312

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
74⤵
- Sets file execution options in registry
PID:2228

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
75⤵
- Drops file in Program Files directory
PID:2020

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
76⤵
- Sets file execution options in registry
- Drops file in System32 directory
PID:2236

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
77⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:756

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
78⤵
PID:2220

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
79⤵
PID:1680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
80⤵
PID:364

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
81⤵
PID:2292

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
82⤵
- Sets file execution options in registry
- Drops file in Program Files directory
PID:2304

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
83⤵
PID:1012

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
84⤵
- Sets file execution options in registry
PID:1824

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
85⤵
PID:3064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
86⤵
- Sets file execution options in registry
PID:1384

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
87⤵
- Drops file in Program Files directory
PID:1716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
88⤵
PID:1944

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
89⤵
- Drops file in Program Files directory
PID:1744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
90⤵
PID:2068

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
91⤵
- Adds Run key to start application
PID:2796

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
92⤵
PID:1820

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
93⤵
PID:1416

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
94⤵
- Adds Run key to start application
PID:1324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
95⤵
- Drops file in System32 directory
PID:1372

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
96⤵
- Drops file in System32 directory
PID:1828

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
97⤵
PID:3024

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
98⤵
PID:2116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
99⤵
PID:1460

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
100⤵
PID:2060

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
101⤵
PID:2164

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
102⤵
- Drops file in System32 directory
PID:1312

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
103⤵
- Drops file in System32 directory
PID:3008

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
104⤵
PID:3004

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
105⤵
- Adds Run key to start application
PID:896

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
106⤵
PID:2108

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
107⤵
- Adds Run key to start application
PID:1600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
108⤵
PID:2968

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
109⤵
PID:1704

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
110⤵
- Sets file execution options in registry
PID:2628

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
111⤵
PID:2604

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
112⤵
PID:2512

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
113⤵
PID:2556

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
114⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
115⤵
- Sets file execution options in registry
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3032

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
116⤵
PID:2564

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
117⤵
- Sets file execution options in registry
PID:2344

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
118⤵
PID:2404

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
119⤵
- Sets file execution options in registry
PID:2444

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
120⤵
PID:2480

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
121⤵
- Adds Run key to start application
PID:3056

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
122⤵
PID:2872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
123⤵
PID:324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
124⤵
PID:268

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
125⤵
- Sets file execution options in registry
PID:1104

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
126⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1124

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
127⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
128⤵
PID:2708

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
129⤵
- Drops file in Program Files directory
PID:2680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
130⤵
- Drops file in System32 directory
PID:2756

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
131⤵
PID:2040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
132⤵
PID:1788

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
133⤵
PID:1656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
134⤵
- Sets file execution options in registry
PID:1464

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
135⤵
- Adds Run key to start application
PID:2216

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
136⤵
PID:1392

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
137⤵
PID:1528

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
138⤵
PID:1752

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
139⤵
- Adds Run key to start application
PID:760

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
140⤵
- Adds Run key to start application
PID:1700

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
141⤵
- Drops file in Program Files directory
PID:2016

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
142⤵
PID:1584

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
143⤵
PID:2304

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
144⤵
PID:624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
145⤵
- Drops file in System32 directory
PID:2820

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
146⤵
- Drops file in System32 directory
PID:2996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
147⤵
PID:1932

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
148⤵
PID:2052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
149⤵
PID:1172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
150⤵
- Sets file execution options in registry
PID:1744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
151⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2180

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
152⤵
PID:3060

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
153⤵
PID:1820

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
154⤵
PID:1416

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
155⤵
- Drops file in Program Files directory
PID:1324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
156⤵
PID:1588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
157⤵
- Sets file execution options in registry
PID:1996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
158⤵
- Drops file in System32 directory
PID:1968

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
159⤵
PID:2116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
160⤵
PID:1460

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
161⤵
PID:2060

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
162⤵
PID:2164

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
163⤵
PID:1312

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
164⤵
- Adds Run key to start application
PID:816

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
165⤵
PID:3004

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
166⤵
- Sets file execution options in registry
PID:1960

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
167⤵
PID:1604

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
168⤵
PID:2272

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
169⤵
PID:2620

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
170⤵
- Sets file execution options in registry
PID:2592

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
171⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2944

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
172⤵
- Drops file in System32 directory
PID:2640

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
173⤵
PID:2136

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
174⤵
PID:2976

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
175⤵
PID:2668

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
176⤵
PID:2520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
177⤵
- Sets file execution options in registry
- Drops file in System32 directory
PID:2636

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
178⤵
- Drops file in System32 directory
PID:2340

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
179⤵
PID:2516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
180⤵
PID:2508

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
181⤵
PID:2420

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
182⤵
- Adds Run key to start application
PID:2004

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
183⤵
PID:1660

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
184⤵
PID:440

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
185⤵
PID:884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
186⤵
- Adds Run key to start application
PID:604

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
187⤵
- Drops file in Program Files directory
PID:2492

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
188⤵
PID:904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
189⤵
- Adds Run key to start application
PID:2748

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
190⤵
- Drops file in Program Files directory
PID:2240

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
191⤵
- Sets file execution options in registry
PID:2772

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
192⤵
PID:2744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
193⤵
PID:2024

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
194⤵
- Adds Run key to start application
PID:2580

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
195⤵
PID:2232

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
196⤵
PID:804

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
197⤵
PID:744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
198⤵
PID:1912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
199⤵
PID:992

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
200⤵
PID:2208

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
201⤵
PID:2080

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
202⤵
PID:1584

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
203⤵
PID:1824

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
204⤵
- Drops file in Program Files directory
PID:1260

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
205⤵
PID:3000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
206⤵
PID:2000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
207⤵
- Sets file execution options in registry
PID:280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
208⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
209⤵
PID:1744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
210⤵
PID:2932

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
211⤵
PID:3060

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
212⤵
PID:1920

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
213⤵
PID:1416

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
214⤵
- Drops file in System32 directory
PID:1324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
215⤵
- Sets file execution options in registry
PID:2464

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
216⤵
PID:1728

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
217⤵
- Adds Run key to start application
PID:1968

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
218⤵
- Drops file in Program Files directory
PID:2116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
219⤵
- Drops file in System32 directory
PID:1460

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
220⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:2060

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
221⤵
PID:2972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
222⤵
PID:792

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
223⤵
PID:1936

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
224⤵
PID:3004

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
225⤵
PID:1960

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
226⤵
PID:2940

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
227⤵
PID:1352

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
228⤵
PID:2648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
229⤵
PID:2084

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
230⤵
- Adds Run key to start application
PID:2512

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
231⤵
PID:2912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
232⤵
PID:2428

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
233⤵
PID:2104

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
234⤵
PID:2668

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
235⤵
PID:2344

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
236⤵
PID:2404

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
237⤵
PID:2444

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
238⤵
PID:2524

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
239⤵
- Adds Run key to start application
PID:2476

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
240⤵
- Drops file in Program Files directory
PID:2420

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
241⤵
PID:2380

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
242⤵
PID:1000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
243⤵
PID:440

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
244⤵
PID:808

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
245⤵
PID:1500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
246⤵
- Drops file in Program Files directory
PID:2716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
247⤵
PID:2504

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
248⤵
PID:2768

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
249⤵
- Drops file in System32 directory
PID:1632

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
250⤵
- Sets file execution options in registry
PID:2772

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
251⤵
PID:1952

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
252⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
253⤵
PID:2160

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
254⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1640

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
255⤵
- Drops file in System32 directory
PID:1916

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
256⤵
- Sets file execution options in registry
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1216

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
257⤵
PID:2440

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
258⤵
- Drops file in Program Files directory
PID:2280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
259⤵
PID:2016

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
260⤵
- Drops file in Program Files directory
PID:2080

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
261⤵
PID:2584

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
262⤵
- Adds Run key to start application
PID:1824

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
263⤵
PID:2284

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
264⤵
PID:1816

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
265⤵
PID:3016

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
266⤵
- Sets file execution options in registry
- Drops file in System32 directory
PID:436

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
267⤵
PID:3012

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
268⤵
PID:1256

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
269⤵
PID:1972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
270⤵
PID:1628

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
271⤵
- Adds Run key to start application
PID:1064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
272⤵
PID:1892

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
273⤵
- Drops file in Program Files directory
PID:1548

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
274⤵
PID:3024

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
275⤵
PID:1996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
276⤵
PID:2128

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
277⤵
PID:2176

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
278⤵
- Drops file in Program Files directory
PID:2120

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
279⤵
PID:2164

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
280⤵
- Adds Run key to start application
PID:1756

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
281⤵
- Drops file in System32 directory
PID:2852

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
282⤵
PID:896

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
283⤵
- Sets file execution options in registry
PID:3004

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
284⤵
- Drops file in System32 directory
PID:1608

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
285⤵
- Adds Run key to start application
PID:2532

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
286⤵
- Sets file execution options in registry
PID:2612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
287⤵
PID:876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
288⤵
- Adds Run key to start application
PID:2608

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
289⤵
- Drops file in Program Files directory
PID:2676

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
290⤵
PID:2804

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
291⤵
PID:2656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
292⤵
- Drops file in Program Files directory
PID:2408

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
293⤵
- Sets file execution options in registry
PID:2564

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
294⤵
PID:2400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
295⤵
PID:2396

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
296⤵
- Sets file execution options in registry
PID:2468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
297⤵
- Sets file execution options in registry
PID:2892

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
298⤵
- Drops file in System32 directory
PID:2348

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
299⤵
PID:532

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
300⤵
- Drops file in Program Files directory
PID:2420

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
301⤵
PID:1660

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
302⤵
PID:1508

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
303⤵
PID:440

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
304⤵
PID:808

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
305⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:1500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
306⤵
- Sets file execution options in registry
PID:2716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
307⤵
PID:2504

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
308⤵
PID:2768

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
309⤵
PID:2168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
310⤵
- Drops file in System32 directory
PID:1656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
311⤵
PID:1464

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
312⤵
- Adds Run key to start application
PID:1988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
313⤵
PID:1244

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
314⤵
PID:2172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
315⤵
- Sets file execution options in registry
PID:2500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
316⤵
PID:760

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
317⤵
PID:996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
318⤵
PID:1700

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
319⤵
PID:2072

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
320⤵
- Drops file in System32 directory
PID:1584

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
321⤵
PID:2584

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
322⤵
PID:1872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
323⤵
PID:2808

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
324⤵
PID:1932

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
325⤵
PID:2000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
326⤵
PID:400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
327⤵
PID:1652

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
328⤵
- Drops file in Program Files directory
PID:836

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
329⤵
PID:1972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
330⤵
PID:2056

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
331⤵
PID:1064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
332⤵
- Drops file in Program Files directory
PID:1892

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
333⤵
PID:1548

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
334⤵
- Sets file execution options in registry
- Drops file in System32 directory
PID:3024

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
335⤵
PID:2948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
336⤵
- Sets file execution options in registry
PID:1092

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
337⤵
PID:2984

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
338⤵
PID:2120

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
339⤵
- Sets file execution options in registry
PID:1764

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
340⤵
PID:1736

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
341⤵
PID:892

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
342⤵
- Sets file execution options in registry
PID:2956

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
343⤵
PID:1708

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
344⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2272

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
345⤵
PID:2200

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
346⤵
PID:1352

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
347⤵
PID:2084

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
348⤵
- Sets file execution options in registry
PID:1740

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
349⤵
PID:2640

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
350⤵
PID:2136

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
351⤵
PID:2976

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
352⤵
PID:2704

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
353⤵
PID:2204

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
354⤵
PID:2340

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
355⤵
PID:2516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
356⤵
- Sets file execution options in registry
PID:2620

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
357⤵
PID:2892

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
358⤵
- Drops file in System32 directory
PID:2452

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
359⤵
- Sets file execution options in registry
PID:1648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
360⤵
PID:268

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
361⤵
- Drops file in System32 directory
PID:1660

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
362⤵
PID:1508

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
363⤵
PID:2708

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
364⤵
- Drops file in System32 directory
PID:2416

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
365⤵
PID:1500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
366⤵
PID:2716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
367⤵
- Sets file execution options in registry
PID:2240

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
368⤵
- Adds Run key to start application
PID:2744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
369⤵
- Drops file in Program Files directory
PID:2024

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
370⤵
PID:2580

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
371⤵
- Drops file in Program Files directory
PID:2216

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
372⤵
PID:2020

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
373⤵
PID:1528

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
374⤵
PID:1216

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
375⤵
PID:2076

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
376⤵
- Drops file in System32 directory
PID:540

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
377⤵
- Drops file in Program Files directory
PID:1272

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
378⤵
PID:2256

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
379⤵
PID:364

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
380⤵
PID:2220

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
381⤵
PID:2816

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
382⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
383⤵
PID:1808

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
384⤵
PID:280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
385⤵
PID:1100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
386⤵
PID:400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
387⤵
- Drops file in Program Files directory
PID:2028

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
388⤵
PID:3012

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
389⤵
PID:836

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
390⤵
PID:1016

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
391⤵
PID:948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
392⤵
PID:240

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
393⤵
- Drops file in Program Files directory
PID:2464

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
394⤵
- Adds Run key to start application
PID:1548

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
395⤵
PID:1408

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
396⤵
PID:2948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
397⤵
- Adds Run key to start application
PID:2824

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
398⤵
PID:2308

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
399⤵
- Sets file execution options in registry
- Drops file in Program Files directory
PID:2252

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
400⤵
PID:1312

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
401⤵
- Sets file execution options in registry
- Adds Run key to start application
- Drops file in System32 directory
PID:1736

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
402⤵
PID:1712

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
403⤵
PID:2956

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
404⤵
- Drops file in System32 directory
PID:1960

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
405⤵
PID:1604

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
406⤵
PID:2612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
407⤵
PID:2140

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
408⤵
PID:2084

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
409⤵
PID:2912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
410⤵
- Drops file in Program Files directory
PID:2428

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
411⤵
- Drops file in Program Files directory
PID:2572

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
412⤵
PID:2668

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
413⤵
- Sets file execution options in registry
PID:864

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
414⤵
PID:2204

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
415⤵
PID:2340

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
416⤵
PID:2516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
417⤵
PID:2620

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
418⤵
PID:2892

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
419⤵
- Adds Run key to start application
PID:1044

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
420⤵
PID:1164

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
421⤵
- Adds Run key to start application
PID:2472

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
422⤵
PID:1660

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
423⤵
PID:2764

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
424⤵
- Sets file execution options in registry
- Drops file in Program Files directory
PID:2720

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
425⤵
PID:2752

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
426⤵
- Adds Run key to start application
PID:2504

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
427⤵
PID:1788

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
428⤵
PID:604

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
429⤵
- Sets file execution options in registry
PID:2168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
430⤵
- Drops file in Program Files directory
PID:1656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
431⤵
- Adds Run key to start application
PID:1988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
432⤵
- Sets file execution options in registry
- Drops file in Program Files directory
PID:1392

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
433⤵
PID:2172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
434⤵
- Drops file in Program Files directory
PID:1912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
435⤵
PID:760

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
436⤵
- Sets file execution options in registry
PID:1624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
437⤵
- Drops file in System32 directory
PID:2296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
438⤵
- Drops file in System32 directory
PID:2208

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
439⤵
PID:3064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
440⤵
- Sets file execution options in registry
PID:2080

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
441⤵
- Sets file execution options in registry
PID:1824

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
442⤵
PID:2584

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
443⤵
PID:1872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
444⤵
- Drops file in Program Files directory
PID:1808

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
445⤵
- Drops file in Program Files directory
PID:2184

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
446⤵
PID:872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
447⤵
- Drops file in System32 directory
PID:2148

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
448⤵
- Drops file in Program Files directory
PID:1256

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
449⤵
- Sets file execution options in registry
- Drops file in System32 directory
PID:2180

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
450⤵
PID:1972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
451⤵
PID:2924

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
452⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
453⤵
- Adds Run key to start application
PID:1372

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
454⤵
PID:1884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
455⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1004

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
456⤵
- Adds Run key to start application
PID:908

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
457⤵
- Sets file execution options in registry
PID:2128

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
458⤵
PID:2948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
459⤵
PID:2368

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
460⤵
PID:2308

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
461⤵
- Adds Run key to start application
PID:3008

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
462⤵
PID:1664

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
463⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2852

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
464⤵
PID:892

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
465⤵
PID:1708

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
466⤵
PID:2552

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
467⤵
PID:2592

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
468⤵
- Adds Run key to start application
PID:1604

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
469⤵
PID:2776

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
470⤵
PID:2536

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
471⤵
PID:2804

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
472⤵
- Drops file in Program Files directory
PID:2448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
473⤵
PID:2656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
474⤵
PID:2540

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
475⤵
PID:2400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
476⤵
PID:2404

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
477⤵
- Drops file in Program Files directory
PID:2864

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
478⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
479⤵
PID:2004

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
480⤵
- Drops file in Program Files directory
PID:2868

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
481⤵
- Adds Run key to start application
PID:1044

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
482⤵
- Sets file execution options in registry
PID:1164

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
483⤵
PID:2472

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
484⤵
- Drops file in System32 directory
PID:2724

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
485⤵
- Adds Run key to start application
PID:2492

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
486⤵
PID:2416

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
487⤵
- Sets file execution options in registry
PID:2748

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
488⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:2716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
489⤵
PID:2768

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
490⤵
PID:2744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
491⤵
PID:2312

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
492⤵
PID:804

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
493⤵
PID:1988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
494⤵
PID:1392

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
495⤵
- Drops file in Program Files directory
PID:2172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
496⤵
PID:1912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
497⤵
PID:2280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
498⤵
- Adds Run key to start application
PID:624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
499⤵
- Drops file in System32 directory
PID:2300

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
500⤵
PID:1876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
501⤵
PID:364

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
502⤵
PID:304

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
503⤵
PID:1944

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
504⤵
- Adds Run key to start application
PID:1716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
505⤵
PID:1156

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
506⤵
PID:280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
507⤵
- Sets file execution options in registry
PID:2124

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
508⤵
PID:2988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
509⤵
PID:1256

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
510⤵
PID:1620

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
511⤵
- Adds Run key to start application
PID:1920

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
512⤵
PID:1672

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
513⤵
PID:1888

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
514⤵
PID:240

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
515⤵
PID:632

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
516⤵
- Sets file execution options in registry
PID:1004

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
517⤵
PID:1776

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
518⤵
PID:2128

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
519⤵
- Drops file in Program Files directory
PID:936

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
520⤵
PID:2164

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
521⤵
PID:2972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
522⤵
PID:2188

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
523⤵
PID:2032

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
524⤵
- Sets file execution options in registry
PID:816

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
525⤵
PID:1608

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
526⤵
PID:2600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
527⤵
PID:2200

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
528⤵
- Drops file in System32 directory
PID:2512

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
529⤵
PID:2528

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
530⤵
PID:2496

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
531⤵
- Adds Run key to start application
PID:2912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
532⤵
PID:2952

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
533⤵
PID:2572

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
534⤵
PID:2456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
535⤵
PID:3032

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
536⤵
PID:2444

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
537⤵
- Adds Run key to start application
PID:2976

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
538⤵
- Adds Run key to start application
PID:2908

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
539⤵
PID:2864

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
540⤵
- Drops file in System32 directory
PID:324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
541⤵
PID:2860

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
542⤵
- Drops file in Program Files directory
PID:268

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
543⤵
PID:2692

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
544⤵
- Adds Run key to start application
PID:1508

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
545⤵
- Drops file in System32 directory
PID:2388

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
546⤵
PID:2712

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
547⤵
PID:2664

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
548⤵
PID:2848

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
549⤵
- Drops file in Program Files directory
PID:1940

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
550⤵
PID:2736

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
551⤵
PID:1788

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
552⤵
PID:2336

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
553⤵
- Sets file execution options in registry
PID:2036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
554⤵
PID:1632

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
555⤵
PID:744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
556⤵
- Sets file execution options in registry
PID:756

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
557⤵
PID:2680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
558⤵
PID:1752

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
559⤵
PID:2296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
560⤵
PID:1700

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
561⤵
PID:3068

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
562⤵
PID:2288

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
563⤵
PID:2080

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
564⤵
PID:2220

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
565⤵
PID:2808

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
566⤵
PID:2052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
567⤵
PID:2068

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
568⤵
PID:1100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
569⤵
PID:280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
570⤵
PID:2992

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
571⤵
PID:2988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
572⤵
PID:1256

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
573⤵
PID:1620

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
574⤵
PID:1972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
575⤵
PID:1900

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
576⤵
PID:1904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
577⤵
PID:960

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
578⤵
PID:2116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
579⤵
PID:564

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
580⤵
PID:2784

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
581⤵
PID:2948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
582⤵
PID:2176

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
583⤵
PID:2308

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
584⤵
PID:792

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
585⤵
PID:2844

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
586⤵
PID:1600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
587⤵
PID:2032

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
588⤵
PID:816

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
589⤵
PID:1608

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
590⤵
PID:2600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
591⤵
PID:1604

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
592⤵
PID:2140

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
593⤵
PID:2536

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
594⤵
PID:2968

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
595⤵
PID:2912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
596⤵
PID:2564

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
597⤵
PID:2540

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
598⤵
PID:2412

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
599⤵
PID:2404

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
600⤵
PID:932

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
601⤵
PID:528

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
602⤵
PID:2348

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
603⤵
PID:2864

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
604⤵
PID:1648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
605⤵
PID:1124

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
606⤵
PID:884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
607⤵
PID:2420

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
608⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
609⤵
PID:1500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
610⤵
PID:2708

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
611⤵
PID:3040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
612⤵
PID:2040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
613⤵
PID:2716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
614⤵
PID:1036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
615⤵
PID:1212

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
616⤵
PID:2312

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
617⤵
PID:804

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
618⤵
PID:1472

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
619⤵
PID:1528

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
620⤵
PID:2172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
621⤵
PID:1676

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
622⤵
PID:2280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
623⤵
PID:624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
624⤵
PID:1624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
625⤵
PID:1876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
626⤵
PID:364

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
627⤵
PID:2816

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
628⤵
PID:2812

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
629⤵
PID:1716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
630⤵
PID:872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
631⤵
PID:1152

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
632⤵
PID:2996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
633⤵
PID:2148

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
634⤵
PID:2964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
635⤵
PID:2372

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
636⤵
PID:1064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
637⤵
PID:1972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
638⤵
PID:1588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
639⤵
PID:2464

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
640⤵
PID:1484

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
641⤵
PID:1996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
642⤵
PID:2116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
643⤵
PID:564

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
644⤵
PID:2784

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
645⤵
PID:2948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
646⤵
PID:2176

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
647⤵
PID:2308

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
648⤵
PID:792

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
649⤵
PID:2844

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
650⤵
PID:1600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
651⤵
PID:2032

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
652⤵
PID:2164

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
653⤵
PID:2548

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
654⤵
PID:876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
655⤵
PID:2556

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
656⤵
PID:2788

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
657⤵
PID:2536

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
658⤵
PID:2596

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
659⤵
PID:2636

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
660⤵
PID:2688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
661⤵
PID:2456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
662⤵
PID:2436

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
663⤵
PID:944

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
664⤵
PID:932

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
665⤵
PID:528

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
666⤵
PID:2348

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
667⤵
PID:2864

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
668⤵
PID:1648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
669⤵
PID:1124

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
670⤵
PID:884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
671⤵
PID:1508

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
672⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
673⤵
PID:2712

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
674⤵
PID:1000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
675⤵
PID:2848

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
676⤵
PID:2040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
677⤵
PID:1984

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
678⤵
PID:1036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
679⤵
PID:2336

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
680⤵
PID:2312

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
681⤵
PID:804

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
682⤵
PID:744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
683⤵
PID:1908

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
684⤵
PID:760

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
685⤵
PID:2088

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
686⤵
PID:2800

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
687⤵
PID:2152

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
688⤵
PID:3064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
689⤵
PID:1584

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
690⤵
PID:1520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
691⤵
PID:1172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
692⤵
PID:436

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
693⤵
PID:3016

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
694⤵
PID:2000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
695⤵
PID:1152

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
696⤵
PID:2996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
697⤵
PID:2148

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
698⤵
PID:2964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
699⤵
PID:2372

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
700⤵
PID:1064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
701⤵
PID:1328

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
702⤵
PID:2212

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
703⤵
PID:888

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
704⤵
PID:948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
705⤵
PID:1996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
706⤵
PID:1004

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
707⤵
PID:1776

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
708⤵
PID:2696

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
709⤵
PID:2948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
710⤵
PID:2176

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
711⤵
PID:2972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
712⤵
PID:1056

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
713⤵
PID:2844

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
714⤵
PID:2616

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
715⤵
PID:1352

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
716⤵
PID:2608

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
717⤵
PID:2944

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
718⤵
PID:2776

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
719⤵
PID:2624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
720⤵
PID:2792

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
721⤵
PID:2408

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
722⤵
PID:2332

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
723⤵
PID:2564

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
724⤵
PID:2540

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
725⤵
PID:2460

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
726⤵
PID:2444

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
727⤵
PID:2516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
728⤵
PID:2452

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
729⤵
PID:324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
730⤵
PID:1880

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
731⤵
PID:268

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
732⤵
PID:2880

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
733⤵
PID:2472

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
734⤵
PID:1660

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
735⤵
PID:2732

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
736⤵
PID:2416

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
737⤵
PID:2504

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
738⤵
PID:3040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
739⤵
PID:2848

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
740⤵
PID:2040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
741⤵
PID:2376

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
742⤵
PID:1656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
743⤵
PID:2012

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
744⤵
PID:1916

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
745⤵
PID:2580

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
746⤵
PID:1392

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
747⤵
PID:1908

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
748⤵
PID:760

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
749⤵
PID:2088

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
750⤵
PID:3068

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
751⤵
PID:1988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
752⤵
PID:1876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
753⤵
PID:1384

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
754⤵
PID:2808

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
755⤵
PID:1872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
756⤵
PID:400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
757⤵
PID:1048

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
758⤵
PID:2840

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
759⤵
PID:2260

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
760⤵
PID:332

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
761⤵
PID:2936

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
762⤵
PID:2816

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
763⤵
PID:764

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
764⤵
PID:2196

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
765⤵
PID:1228

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
766⤵
PID:1680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
767⤵
PID:632

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
768⤵
PID:1820

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
769⤵
PID:1504

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
770⤵
PID:1324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
771⤵
PID:2120

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
772⤵
PID:1888

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
773⤵
PID:680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
774⤵
PID:1312

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
775⤵
PID:2308

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
776⤵
PID:1720

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
777⤵
PID:1600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
778⤵
PID:2032

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
779⤵
PID:2560

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
780⤵
PID:2548

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
781⤵
PID:876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
782⤵
PID:2496

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
783⤵
PID:2968

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
784⤵
PID:2792

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
785⤵
PID:2408

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
786⤵
PID:2332

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
787⤵
PID:2340

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
788⤵
PID:2428

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
789⤵
PID:944

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
790⤵
PID:2872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
791⤵
PID:588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
792⤵
PID:2868

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
793⤵
PID:2864

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
794⤵
PID:1648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
795⤵
PID:2692

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
796⤵
PID:2880

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
797⤵
PID:2388

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
798⤵
PID:668

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
799⤵
PID:2884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
800⤵
PID:2752

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
801⤵
PID:2928

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
802⤵
PID:2768

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
803⤵
PID:1788

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
804⤵
PID:2008

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
805⤵
PID:2036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
806⤵
PID:2096

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
807⤵
PID:2500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
808⤵
PID:1612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
809⤵
PID:996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
810⤵
PID:2748

C:\Windows\SysWOW64\lssmon.exe
"C:\Windows\system32\lssmon.exe"
2⤵
- Executes dropped EXE
PID:2804

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\lssmon.exe
Filesize
2.8MB

MD5
7e200076f3efd38f404bdcc83c800103

SHA1
01d2e5750c4095b4ec43bb6185053ea3981bd30f

SHA256
0b8de9d2ad9c308d07cab272c875b48dc94922ca6d8d636d8eb2cf3ea40ab79b

SHA512
4186b3642a1cdd2f722b8c8af90298057d5068bf68409128ccf5f6c1c447be29c65bc98e81207946a864538db8a822bbf2570e68b6f67c4ae43160a08f50458f

Download Submit
\Windows\SysWOW64\srtsrv32.exe
Filesize
17KB

MD5
9db3a8af96f82eddb98e6f55bb04a7c8

SHA1
514733e575be31fe4b259e7e829bd919ddf12727

SHA256
5c5a15f3f8581eb497ab168aa08d1b3558aad1e5d9af24ff47c9ec8cbfba5093

SHA512
9da9ed7ce9a9c6cb41c93d0ed575b241ff682a531a4f9f60e4d9884d0707d61a7f7d77519ff89b75c92bad8bdb3bba065feecfe09c60b334bd0820555e4c1626

Download Submit
memory/2804-24-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2804-27-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3032-0-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/3032-21-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads