fakeav | e9e2ce30f0d8aa76324e75af05d24b4c0baa3cfb1926edd488f0d9d7692cb38d

General

Target

06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe
Size

2.8MB
MD5

06a96e00dea216ae3017215a97eed0e7
SHA1

e7c3fc4c295ef82dc4a375ba09e0692f1ae1c60c
SHA256

e9e2ce30f0d8aa76324e75af05d24b4c0baa3cfb1926edd488f0d9d7692cb38d
SHA512

b2e509b78ce6efe95c989e76782540752028295e41ca3a82c71756be9b5a15dfa53cbf1d8e17cbd6854a2cb510fe6b052b4b4497d39b568650352a5a0f932eb8
SSDEEP

49152:67N1ahCf0V7N1ahCH0V7N1ahC40V7N1ahCI0:67i7K7F7

Score

10^/10

fakeav fakeav persistence spyware

Malware Config

Signatures

FakeAV, RogueAntivirus
FakeAV or Rogue AntiVirus is a class of malware that displays false alert messages.
fakeav spyware fakeav

FakeAV payload 3 IoCs

fakeav spyware

Processes:

resource	yara_rule
C:\Windows\SysWOW64\lssmon.exe	fakeav
behavioral2/memory/4344-23-0x0000000000400000-0x00000000004C1000-memory.dmp	fakeav
behavioral2/memory/2972-525-0x0000000000400000-0x00000000004C1000-memory.dmp	fakeav

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	srtsrv32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe"	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe	LSASSMGR.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe	LSASSMGR.EXE

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

LSASSMGR.EXElssmon.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exesrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	lssmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	srtsrv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	srtsrv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	srtsrv32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	LSASSMGR.EXE

Executes dropped EXE 64 IoCs

Processes:

srtsrv32.exelssmon.exeLSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXEsrtsrv32.exesrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

pid	process
588	srtsrv32.exe
2972	lssmon.exe
4624	LSASSMGR.EXE
1648	srtsrv32.exe
464	LSASSMGR.EXE
1128	srtsrv32.exe
1484	srtsrv32.exe
4280	LSASSMGR.EXE
100	LSASSMGR.EXE
1612	LSASSMGR.EXE
968	LSASSMGR.EXE
2716	LSASSMGR.EXE
4032	LSASSMGR.EXE
2908	LSASSMGR.EXE
3468	LSASSMGR.EXE
3460	LSASSMGR.EXE
3544	LSASSMGR.EXE
3280	LSASSMGR.EXE
4332	LSASSMGR.EXE
2744	LSASSMGR.EXE
3992	LSASSMGR.EXE
1780	LSASSMGR.EXE
3096	LSASSMGR.EXE
2564	LSASSMGR.EXE
4056	LSASSMGR.EXE
2140	LSASSMGR.EXE
2992	LSASSMGR.EXE
1012	LSASSMGR.EXE
1708	LSASSMGR.EXE
3216	LSASSMGR.EXE
2656	LSASSMGR.EXE
996	LSASSMGR.EXE
3964	LSASSMGR.EXE
4884	LSASSMGR.EXE
1772	LSASSMGR.EXE
2952	LSASSMGR.EXE
884	LSASSMGR.EXE
4760	LSASSMGR.EXE
3516	LSASSMGR.EXE
100	LSASSMGR.EXE
2028	LSASSMGR.EXE
3536	LSASSMGR.EXE
1740	LSASSMGR.EXE
904	LSASSMGR.EXE
4964	LSASSMGR.EXE
3496	LSASSMGR.EXE
4320	LSASSMGR.EXE
2764	LSASSMGR.EXE
1680	LSASSMGR.EXE
5064	LSASSMGR.EXE
1576	LSASSMGR.EXE
4476	LSASSMGR.EXE
3392	LSASSMGR.EXE
4304	LSASSMGR.EXE
1988	LSASSMGR.EXE
880	LSASSMGR.EXE
1568	LSASSMGR.EXE
3620	LSASSMGR.EXE
5060	LSASSMGR.EXE
656	LSASSMGR.EXE
1884	LSASSMGR.EXE
4976	LSASSMGR.EXE
4324	LSASSMGR.EXE
4828	LSASSMGR.EXE

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

LSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXElssmon.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\lssmon.exe"	06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\lssmon.exe"	lssmon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	srtsrv32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE"	LSASSMGR.EXE

Drops file in System32 directory 64 IoCs

Processes:

LSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\spool.exe	srtsrv32.exe
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	srtsrv32.exe
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File opened for modification	C:\Windows\SysWOW64\spool.exe	LSASSMGR.EXE
File created	C:\Windows\SysWOW64\LSASSMGR.EXE	LSASSMGR.EXE

Drops file in Program Files directory 64 IoCs

Processes:

LSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXEsrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

description	ioc	process
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	srtsrv32.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	srtsrv32.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	srtsrv32.exe
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File created	C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplor.exe	LSASSMGR.EXE

Drops file in Windows directory 1 IoCs

Processes:

06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe

description ioc process

File created C:\Windows\divx32.dll 06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2980 2972 WerFault.exe lssmon.exe

description	ioc	process
File created	C:\Windows\divx32.dll	06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe

pid	pid_target	process	target process
2980	2972	WerFault.exe	lssmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exesrtsrv32.exelssmon.exeLSASSMGR.EXELSASSMGR.EXEsrtsrv32.exesrtsrv32.exesrtsrv32.exeLSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXELSASSMGR.EXE

description	pid	process	target process
PID 4344 wrote to memory of 588	4344	06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe	srtsrv32.exe
PID 4344 wrote to memory of 588	4344	06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe	srtsrv32.exe
PID 4344 wrote to memory of 588	4344	06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe	srtsrv32.exe
PID 4344 wrote to memory of 2972	4344	06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe	lssmon.exe
PID 4344 wrote to memory of 2972	4344	06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe	lssmon.exe
PID 4344 wrote to memory of 2972	4344	06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe	lssmon.exe
PID 588 wrote to memory of 4624	588	srtsrv32.exe	LSASSMGR.EXE
PID 588 wrote to memory of 4624	588	srtsrv32.exe	LSASSMGR.EXE
PID 588 wrote to memory of 4624	588	srtsrv32.exe	LSASSMGR.EXE
PID 2972 wrote to memory of 1648	2972	lssmon.exe	srtsrv32.exe
PID 2972 wrote to memory of 1648	2972	lssmon.exe	srtsrv32.exe
PID 2972 wrote to memory of 1648	2972	lssmon.exe	srtsrv32.exe
PID 4624 wrote to memory of 464	4624	LSASSMGR.EXE	LSASSMGR.EXE
PID 4624 wrote to memory of 464	4624	LSASSMGR.EXE	LSASSMGR.EXE
PID 4624 wrote to memory of 464	4624	LSASSMGR.EXE	LSASSMGR.EXE
PID 2972 wrote to memory of 1128	2972	lssmon.exe	LSASSMGR.EXE
PID 2972 wrote to memory of 1128	2972	lssmon.exe	LSASSMGR.EXE
PID 2972 wrote to memory of 1128	2972	lssmon.exe	LSASSMGR.EXE
PID 2972 wrote to memory of 1484	2972	lssmon.exe	srtsrv32.exe
PID 2972 wrote to memory of 1484	2972	lssmon.exe	srtsrv32.exe
PID 2972 wrote to memory of 1484	2972	lssmon.exe	srtsrv32.exe
PID 464 wrote to memory of 4280	464	LSASSMGR.EXE	LSASSMGR.EXE
PID 464 wrote to memory of 4280	464	LSASSMGR.EXE	LSASSMGR.EXE
PID 464 wrote to memory of 4280	464	LSASSMGR.EXE	LSASSMGR.EXE
PID 1648 wrote to memory of 100	1648	srtsrv32.exe	LSASSMGR.EXE
PID 1648 wrote to memory of 100	1648	srtsrv32.exe	LSASSMGR.EXE
PID 1648 wrote to memory of 100	1648	srtsrv32.exe	LSASSMGR.EXE
PID 1484 wrote to memory of 968	1484	srtsrv32.exe	LSASSMGR.EXE
PID 1484 wrote to memory of 968	1484	srtsrv32.exe	LSASSMGR.EXE
PID 1484 wrote to memory of 968	1484	srtsrv32.exe	LSASSMGR.EXE
PID 1128 wrote to memory of 1612	1128	srtsrv32.exe	LSASSMGR.EXE
PID 1128 wrote to memory of 1612	1128	srtsrv32.exe	LSASSMGR.EXE
PID 1128 wrote to memory of 1612	1128	srtsrv32.exe	LSASSMGR.EXE
PID 4280 wrote to memory of 2716	4280	LSASSMGR.EXE	LSASSMGR.EXE
PID 4280 wrote to memory of 2716	4280	LSASSMGR.EXE	LSASSMGR.EXE
PID 4280 wrote to memory of 2716	4280	LSASSMGR.EXE	LSASSMGR.EXE
PID 100 wrote to memory of 4032	100	LSASSMGR.EXE	LSASSMGR.EXE
PID 100 wrote to memory of 4032	100	LSASSMGR.EXE	LSASSMGR.EXE
PID 100 wrote to memory of 4032	100	LSASSMGR.EXE	LSASSMGR.EXE
PID 968 wrote to memory of 2908	968	LSASSMGR.EXE	LSASSMGR.EXE
PID 968 wrote to memory of 2908	968	LSASSMGR.EXE	LSASSMGR.EXE
PID 968 wrote to memory of 2908	968	LSASSMGR.EXE	LSASSMGR.EXE
PID 1612 wrote to memory of 3468	1612	LSASSMGR.EXE	LSASSMGR.EXE
PID 1612 wrote to memory of 3468	1612	LSASSMGR.EXE	LSASSMGR.EXE
PID 1612 wrote to memory of 3468	1612	LSASSMGR.EXE	LSASSMGR.EXE
PID 2716 wrote to memory of 3460	2716	LSASSMGR.EXE	LSASSMGR.EXE
PID 2716 wrote to memory of 3460	2716	LSASSMGR.EXE	LSASSMGR.EXE
PID 2716 wrote to memory of 3460	2716	LSASSMGR.EXE	LSASSMGR.EXE
PID 3468 wrote to memory of 3544	3468	LSASSMGR.EXE	LSASSMGR.EXE
PID 3468 wrote to memory of 3544	3468	LSASSMGR.EXE	LSASSMGR.EXE
PID 3468 wrote to memory of 3544	3468	LSASSMGR.EXE	LSASSMGR.EXE
PID 2908 wrote to memory of 3280	2908	LSASSMGR.EXE	LSASSMGR.EXE
PID 2908 wrote to memory of 3280	2908	LSASSMGR.EXE	LSASSMGR.EXE
PID 2908 wrote to memory of 3280	2908	LSASSMGR.EXE	LSASSMGR.EXE
PID 4032 wrote to memory of 4332	4032	LSASSMGR.EXE	LSASSMGR.EXE
PID 4032 wrote to memory of 4332	4032	LSASSMGR.EXE	LSASSMGR.EXE
PID 4032 wrote to memory of 4332	4032	LSASSMGR.EXE	LSASSMGR.EXE
PID 3460 wrote to memory of 2744	3460	LSASSMGR.EXE	LSASSMGR.EXE
PID 3460 wrote to memory of 2744	3460	LSASSMGR.EXE	LSASSMGR.EXE
PID 3460 wrote to memory of 2744	3460	LSASSMGR.EXE	LSASSMGR.EXE
PID 3280 wrote to memory of 3992	3280	LSASSMGR.EXE	LSASSMGR.EXE
PID 3280 wrote to memory of 3992	3280	LSASSMGR.EXE	LSASSMGR.EXE
PID 3280 wrote to memory of 3992	3280	LSASSMGR.EXE	LSASSMGR.EXE
PID 4332 wrote to memory of 1780	4332	LSASSMGR.EXE	LSASSMGR.EXE

C:\Users\Admin\AppData\Local\Temp\06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06a96e00dea216ae3017215a97eed0e7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4344

C:\Windows\SysWOW64\srtsrv32.exe
"C:\Windows\system32\srtsrv32.exe"
2⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
3⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
4⤵
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:464

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
6⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
7⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
8⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:4056

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
10⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:3216

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
12⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1772

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
13⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:3516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
14⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1740

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4320

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
16⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1576

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
17⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
18⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
19⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:4828

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
20⤵
- Sets file execution options in registry
- Drops file in Program Files directory
PID:1128

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
21⤵
- Sets file execution options in registry
- Checks computer location settings
- Drops file in System32 directory
PID:5016

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
22⤵
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4812

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
23⤵
- Drops file in Program Files directory
PID:2124

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
24⤵
PID:2588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
25⤵
PID:2976

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
26⤵
PID:3108

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
27⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
28⤵
PID:4336

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
29⤵
PID:3600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
30⤵
PID:3988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
31⤵
PID:2520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
32⤵
PID:2660

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
33⤵
PID:588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
34⤵
PID:3524

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
35⤵
PID:2052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
36⤵
PID:4472

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
37⤵
PID:3736

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
38⤵
PID:5088

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
39⤵
PID:3568

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
40⤵
PID:4684

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
41⤵
PID:1176

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
42⤵
PID:4976

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
43⤵
PID:3924

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
44⤵
PID:2028

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
45⤵
PID:2852

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
46⤵
PID:1712

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
47⤵
PID:4168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
48⤵
PID:4624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
49⤵
PID:2656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
50⤵
PID:2948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
51⤵
PID:4744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
52⤵
PID:1008

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
53⤵
PID:4140

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
54⤵
PID:5088

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
55⤵
PID:2764

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
56⤵
PID:1044

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
57⤵
PID:3296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
58⤵
PID:220

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
59⤵
PID:4116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
60⤵
PID:2788

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
61⤵
PID:4336

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
62⤵
PID:1472

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
63⤵
PID:1356

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
64⤵
PID:2864

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
65⤵
PID:4748

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
66⤵
PID:4452

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
67⤵
PID:1296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
68⤵
PID:2556

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
69⤵
PID:2024

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
70⤵
PID:964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
71⤵
PID:4168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
72⤵
PID:4876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
73⤵
PID:2652

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
74⤵
PID:2552

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
75⤵
PID:2120

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
76⤵
PID:4780

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
77⤵
PID:1500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
78⤵
PID:5080

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
79⤵
PID:4304

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
80⤵
PID:3356

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
81⤵
PID:2192

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
82⤵
PID:3232

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
83⤵
PID:2012

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
84⤵
PID:1240

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
85⤵
PID:2456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
86⤵
PID:3468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
87⤵
PID:4136

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
88⤵
PID:1044

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
89⤵
PID:2864

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
90⤵
PID:4748

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
91⤵
PID:2688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
92⤵
PID:4316

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
93⤵
PID:2216

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
94⤵
PID:4684

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
95⤵
PID:228

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
96⤵
PID:4612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
97⤵
PID:2948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
98⤵
PID:4100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
99⤵
PID:4688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
100⤵
PID:3160

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
101⤵
PID:4336

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
102⤵
PID:1316

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
103⤵
PID:1576

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
104⤵
PID:4612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
105⤵
PID:1368

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
106⤵
PID:2308

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
107⤵
PID:3036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
108⤵
PID:2284

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
109⤵
PID:2612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
110⤵
PID:3224

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
111⤵
PID:4428

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
112⤵
PID:3296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
113⤵
PID:4512

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
114⤵
PID:1484

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
115⤵
PID:5036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
116⤵
PID:1092

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
117⤵
PID:3696

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
118⤵
PID:2852

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
119⤵
PID:1316

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
120⤵
PID:716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
121⤵
PID:4820

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
122⤵
PID:2964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
123⤵
PID:2436

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
124⤵
PID:4412

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
125⤵
PID:4628

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
126⤵
PID:4764

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
127⤵
PID:5048

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
128⤵
PID:4284

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
129⤵
PID:3196

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
130⤵
PID:1400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
131⤵
PID:2120

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
132⤵
PID:3036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
133⤵
PID:4596

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
134⤵
PID:2456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
135⤵
PID:804

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
136⤵
PID:2244

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
137⤵
PID:3296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
138⤵
PID:2964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
139⤵
PID:3672

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
140⤵
PID:1240

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
141⤵
PID:3168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
142⤵
PID:2516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
143⤵
PID:4604

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
144⤵
PID:1576

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
145⤵
PID:3048

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
146⤵
PID:3196

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
147⤵
PID:1628

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
148⤵
PID:3044

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
149⤵
PID:2688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
150⤵
PID:4316

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
151⤵
PID:5028

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
152⤵
PID:3520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
153⤵
PID:4672

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
154⤵
PID:3676

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
155⤵
PID:4996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
156⤵
PID:4152

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
157⤵
PID:1560

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
158⤵
PID:396

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
159⤵
PID:3052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
160⤵
PID:4684

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
161⤵
PID:3596

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
162⤵
PID:452

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
163⤵
PID:2300

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
164⤵
PID:2436

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
165⤵
PID:2452

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
166⤵
PID:4412

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
167⤵
PID:2780

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
168⤵
PID:1732

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
169⤵
PID:2880

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
170⤵
PID:1308

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
171⤵
PID:3524

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
172⤵
PID:4028

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
173⤵
PID:4940

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
174⤵
PID:2612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
175⤵
PID:5080

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
176⤵
PID:3104

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
177⤵
PID:3492

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
178⤵
PID:1460

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
179⤵
PID:872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
180⤵
PID:456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
181⤵
PID:2052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
182⤵
PID:1388

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
183⤵
PID:3544

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
184⤵
PID:2172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
185⤵
PID:1576

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
186⤵
PID:3396

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
187⤵
PID:4748

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
188⤵
PID:2012

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
189⤵
PID:4028

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
190⤵
PID:1388

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
191⤵
PID:3984

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
192⤵
PID:904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
193⤵
PID:5032

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
194⤵
PID:4200

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
195⤵
PID:860

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
196⤵
PID:4456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
197⤵
PID:868

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
198⤵
PID:3956

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
199⤵
PID:4144

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
200⤵
PID:3696

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
201⤵
PID:4656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
202⤵
PID:4376

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
203⤵
PID:4280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
204⤵
PID:3500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
205⤵
PID:4944

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
206⤵
PID:3200

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
207⤵
PID:1548

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
208⤵
PID:804

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
209⤵
PID:4632

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
210⤵
PID:2516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
211⤵
PID:452

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
212⤵
PID:4512

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
213⤵
PID:3036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
214⤵
PID:4116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
215⤵
PID:2056

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
216⤵
PID:1472

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
217⤵
PID:4780

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
218⤵
PID:3804

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
219⤵
PID:3320

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
220⤵
PID:2552

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
221⤵
PID:5060

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
222⤵
PID:4420

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
223⤵
PID:1092

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
224⤵
PID:3468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
225⤵
PID:588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
226⤵
PID:4056

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
227⤵
PID:2076

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
228⤵
PID:468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
229⤵
PID:1296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
230⤵
PID:4452

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
231⤵
PID:5040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
232⤵
PID:4756

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
233⤵
PID:3620

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
234⤵
PID:4628

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
235⤵
PID:4468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
236⤵
PID:804

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
237⤵
PID:4760

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
238⤵
PID:4744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
239⤵
PID:2036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
240⤵
PID:4280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
241⤵
PID:2704

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
242⤵
PID:3228

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
243⤵
PID:1624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
244⤵
PID:4160

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
245⤵
PID:3356

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
246⤵
PID:3096

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
247⤵
PID:1296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
248⤵
PID:4452

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
249⤵
PID:2424

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
250⤵
PID:1784

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
251⤵
PID:3148

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
252⤵
PID:4684

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
253⤵
PID:2192

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
254⤵
PID:1780

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
255⤵
PID:1008

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
256⤵
PID:1664

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
257⤵
PID:3036

C:\Windows\SysWOW64\lssmon.exe
"C:\Windows\system32\lssmon.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\srtsrv32.exe
"C:\Windows\system32\srtsrv32.exe"
3⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
4⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
7⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1780

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
8⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3096

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
9⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1012

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
10⤵
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
PID:996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
11⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2952

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
12⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:2764

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
15⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:4476

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
16⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:880

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5060

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
18⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4976

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
19⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2120

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
20⤵
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:1092

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
21⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:8

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
22⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2384

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
23⤵
- Checks computer location settings
- Drops file in System32 directory
PID:828

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
24⤵
PID:3500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
25⤵
PID:2172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
26⤵
PID:4672

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
27⤵
PID:2488

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
28⤵
PID:740

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
29⤵
PID:2216

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
30⤵
PID:4692

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
31⤵
PID:216

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
32⤵
PID:3236

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
33⤵
PID:2964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
34⤵
PID:1212

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
35⤵
PID:4280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
36⤵
PID:2852

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
37⤵
PID:3200

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
38⤵
PID:3520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
39⤵
PID:2848

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
40⤵
PID:4588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
41⤵
PID:3356

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
42⤵
PID:2424

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
43⤵
PID:4280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
44⤵
PID:2556

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
45⤵
PID:904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
46⤵
PID:4572

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
47⤵
PID:2912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
48⤵
PID:3620

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
49⤵
PID:5036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
50⤵
PID:3208

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
51⤵
PID:1596

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
52⤵
PID:4316

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
53⤵
PID:4956

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
54⤵
PID:3984

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
55⤵
PID:3100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
56⤵
PID:3168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
57⤵
PID:4104

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
58⤵
PID:860

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
59⤵
PID:4152

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
60⤵
PID:1628

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
61⤵
PID:2852

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
62⤵
PID:3992

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
63⤵
PID:3688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
64⤵
PID:4536

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
65⤵
PID:3236

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
66⤵
PID:468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
67⤵
PID:2668

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
68⤵
PID:3912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
69⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
70⤵
PID:4956

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
71⤵
PID:3520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
72⤵
PID:3688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
73⤵
PID:4948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
74⤵
PID:4324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
75⤵
PID:656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
76⤵
PID:2228

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
77⤵
PID:1272

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
78⤵
PID:3468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
79⤵
PID:5088

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
80⤵
PID:3116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
81⤵
PID:1376

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
82⤵
PID:4876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
83⤵
PID:2688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
84⤵
PID:1612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
85⤵
PID:4964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
86⤵
PID:904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
87⤵
PID:4400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
88⤵
PID:2964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
89⤵
PID:3576

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
90⤵
PID:1400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
91⤵
PID:860

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
92⤵
PID:3480

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
93⤵
PID:4416

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
94⤵
PID:4372

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
95⤵
PID:880

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
96⤵
PID:3648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
97⤵
PID:3676

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
98⤵
PID:5008

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
99⤵
PID:2220

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
100⤵
PID:3840

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
101⤵
PID:3044

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
102⤵
PID:904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
103⤵
PID:1624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
104⤵
PID:4304

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
105⤵
PID:2332

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
106⤵
PID:884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
107⤵
PID:184

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
108⤵
PID:868

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
109⤵
PID:1276

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
110⤵
PID:1580

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
111⤵
PID:2024

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
112⤵
PID:3520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
113⤵
PID:3960

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
114⤵
PID:3396

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
115⤵
PID:3000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
116⤵
PID:3088

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
117⤵
PID:1388

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
118⤵
PID:4588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
119⤵
PID:4520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
120⤵
PID:3448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
121⤵
PID:624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
122⤵
PID:1400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
123⤵
PID:860

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
124⤵
PID:3568

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
125⤵
PID:3480

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
126⤵
PID:3696

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
127⤵
PID:3932

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
128⤵
PID:2796

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
129⤵
PID:1576

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
130⤵
PID:740

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
131⤵
PID:4876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
132⤵
PID:1484

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
133⤵
PID:1092

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
134⤵
PID:5108

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
135⤵
PID:3832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
136⤵
PID:2896

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
137⤵
PID:3784

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
138⤵
PID:872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
139⤵
PID:4840

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
140⤵
PID:4748

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
141⤵
PID:3964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
142⤵
PID:3744

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
143⤵
PID:4336

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
144⤵
PID:3492

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
145⤵
PID:1376

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
146⤵
PID:1664

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
147⤵
PID:2332

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
148⤵
PID:3912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
149⤵
PID:3536

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
150⤵
PID:4812

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
151⤵
PID:1472

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
152⤵
PID:4684

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
153⤵
PID:5068

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
154⤵
PID:1708

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
155⤵
PID:3296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
156⤵
PID:4616

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
157⤵
PID:2052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
158⤵
PID:184

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
159⤵
PID:4032

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
160⤵
PID:2124

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
161⤵
PID:3832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
162⤵
PID:1376

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
163⤵
PID:1796

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
164⤵
PID:5084

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
165⤵
PID:1272

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
166⤵
PID:3980

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
167⤵
PID:216

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
168⤵
PID:4956

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
169⤵
PID:3876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
170⤵
PID:3320

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
171⤵
PID:872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
172⤵
PID:1628

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
173⤵
PID:4840

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
174⤵
PID:752

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
175⤵
PID:4140

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
176⤵
PID:3984

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
177⤵
PID:3220

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
178⤵
PID:2476

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
179⤵
PID:3448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
180⤵
PID:3916

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
181⤵
PID:5040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
182⤵
PID:4688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
183⤵
PID:1772

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
184⤵
PID:4144

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
185⤵
PID:2780

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
186⤵
PID:4160

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
187⤵
PID:4604

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
188⤵
PID:4648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
189⤵
PID:4064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
190⤵
PID:4292

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
191⤵
PID:3600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
192⤵
PID:3168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
193⤵
PID:1472

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
194⤵
PID:1492

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
195⤵
PID:4520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
196⤵
PID:1680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
197⤵
PID:3576

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
198⤵
PID:1368

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
199⤵
PID:456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
200⤵
PID:2996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
201⤵
PID:1772

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
202⤵
PID:3468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
203⤵
PID:4348

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
204⤵
PID:1356

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
205⤵
PID:1600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
206⤵
PID:4552

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
207⤵
PID:1868

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
208⤵
PID:2788

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
209⤵
PID:3240

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
210⤵
PID:2660

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
211⤵
PID:4428

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
212⤵
PID:3480

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
213⤵
PID:3628

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
214⤵
PID:5036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
215⤵
PID:2436

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
216⤵
PID:4532

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
217⤵
PID:4544

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
218⤵
PID:2780

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
219⤵
PID:4884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
220⤵
PID:2192

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
221⤵
PID:1444

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
222⤵
PID:1400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
223⤵
PID:5064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
224⤵
PID:3524

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
225⤵
PID:2788

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
226⤵
PID:4544

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
227⤵
PID:1240

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
228⤵
PID:2120

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
229⤵
PID:3480

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
230⤵
PID:2980

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
231⤵
PID:3076

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
232⤵
PID:4820

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
233⤵
PID:3100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
234⤵
PID:5108

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
235⤵
PID:2172

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
236⤵
PID:448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
237⤵
PID:1176

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
238⤵
PID:4200

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
239⤵
PID:1460

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
240⤵
PID:1940

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
241⤵
PID:3988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
242⤵
PID:4664

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
243⤵
PID:2052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
244⤵
PID:2656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
245⤵
PID:4572

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
246⤵
PID:3000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
247⤵
PID:1444

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
248⤵
PID:4912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
249⤵
PID:2300

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
250⤵
PID:3508

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
251⤵
PID:1772

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
252⤵
PID:4596

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
253⤵
PID:4248

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
254⤵
PID:3520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
255⤵
PID:3000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
256⤵
PID:4964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
257⤵
PID:5048

C:\Windows\SysWOW64\srtsrv32.exe
"C:\Windows\system32\srtsrv32.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
6⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3544

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
7⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:2564

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
8⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2992

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
9⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
11⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3536

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
12⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3496

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
13⤵
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:5064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
14⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4304

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
15⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
PID:3620

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
17⤵
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
18⤵
- Sets file execution options in registry
- Adds Run key to start application
- Drops file in System32 directory
PID:968

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
19⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
PID:4692

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
20⤵
- Sets file execution options in registry
- Adds Run key to start application
- Drops file in System32 directory
PID:3224

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
21⤵
- Sets file execution options in registry
- Drops file in Program Files directory
PID:5064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
22⤵
PID:3392

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
23⤵
PID:468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
24⤵
PID:2424

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
25⤵
PID:4676

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
26⤵
PID:2852

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
27⤵
PID:5108

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
28⤵
PID:4604

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
29⤵
PID:4384

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
30⤵
PID:4520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
31⤵
PID:3960

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
32⤵
PID:4192

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
33⤵
PID:3840

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
34⤵
PID:4884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
35⤵
PID:2024

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
36⤵
PID:968

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
37⤵
PID:3496

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
38⤵
PID:3680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
39⤵
PID:4476

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
40⤵
PID:448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
41⤵
PID:220

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
42⤵
PID:4616

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
43⤵
PID:1388

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
44⤵
PID:3452

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
45⤵
PID:2796

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
46⤵
PID:4764

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
47⤵
PID:3168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
48⤵
PID:2588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
49⤵
PID:1176

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
50⤵
PID:2524

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
51⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
52⤵
PID:3980

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
53⤵
PID:1320

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
54⤵
PID:1356

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
55⤵
PID:3692

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
56⤵
PID:4796

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
57⤵
PID:3000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
58⤵
PID:1296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
59⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
60⤵
PID:4420

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
61⤵
PID:4816

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
62⤵
PID:5028

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
63⤵
PID:3500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
64⤵
PID:3144

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
65⤵
PID:1884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
66⤵
PID:3108

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
67⤵
PID:2120

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
68⤵
PID:3536

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
69⤵
PID:4420

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
70⤵
PID:3100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
71⤵
PID:1680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
72⤵
PID:4840

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
73⤵
PID:4632

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
74⤵
PID:5036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
75⤵
PID:1092

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
76⤵
PID:2028

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
77⤵
PID:3180

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
78⤵
PID:4956

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
79⤵
PID:2980

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
80⤵
PID:588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
81⤵
PID:5084

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
82⤵
PID:4552

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
83⤵
PID:1528

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
84⤵
PID:3452

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
85⤵
PID:2796

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
86⤵
PID:4884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
87⤵
PID:1576

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
88⤵
PID:4168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
89⤵
PID:4988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
90⤵
PID:4456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
91⤵
PID:1772

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
92⤵
PID:2516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
93⤵
PID:1624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
94⤵
PID:1872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
95⤵
PID:1356

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
96⤵
PID:3680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
97⤵
PID:752

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
98⤵
PID:1784

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
99⤵
PID:2904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
100⤵
PID:100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
101⤵
PID:3228

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
102⤵
PID:3456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
103⤵
PID:4684

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
104⤵
PID:3692

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
105⤵
PID:872

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
106⤵
PID:4828

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
107⤵
PID:532

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
108⤵
PID:2056

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
109⤵
PID:5040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
110⤵
PID:2796

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
111⤵
PID:2376

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
112⤵
PID:2896

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
113⤵
PID:2424

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
114⤵
PID:4456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
115⤵
PID:3332

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
116⤵
PID:4452

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
117⤵
PID:2516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
118⤵
PID:3104

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
119⤵
PID:4684

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
120⤵
PID:4632

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
121⤵
PID:1044

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
122⤵
PID:4152

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
123⤵
PID:4368

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
124⤵
PID:3088

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
125⤵
PID:1988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
126⤵
PID:2140

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
127⤵
PID:1168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
128⤵
PID:228

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
129⤵
PID:2864

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
130⤵
PID:2552

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
131⤵
PID:4756

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
132⤵
PID:3736

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
133⤵
PID:2704

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
134⤵
PID:828

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
135⤵
PID:2848

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
136⤵
PID:3448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
137⤵
PID:1012

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
138⤵
PID:4512

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
139⤵
PID:4876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
140⤵
PID:1784

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
141⤵
PID:3984

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
142⤵
PID:4780

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
143⤵
PID:2216

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
144⤵
PID:116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
145⤵
PID:4796

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
146⤵
PID:456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
147⤵
PID:1740

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
148⤵
PID:4676

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
149⤵
PID:4144

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
150⤵
PID:4400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
151⤵
PID:2376

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
152⤵
PID:4192

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
153⤵
PID:1176

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
154⤵
PID:3508

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
155⤵
PID:4688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
156⤵
PID:4332

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
157⤵
PID:2520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
158⤵
PID:4372

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
159⤵
PID:3876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
160⤵
PID:1600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
161⤵
PID:3396

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
162⤵
PID:4192

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
163⤵
PID:2424

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
164⤵
PID:3508

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
165⤵
PID:2716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
166⤵
PID:3040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
167⤵
PID:4428

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
168⤵
PID:3052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
169⤵
PID:836

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
170⤵
PID:1444

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
171⤵
PID:4848

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
172⤵
PID:4496

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
173⤵
PID:4792

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
174⤵
PID:2716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
175⤵
PID:3088

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
176⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
177⤵
PID:1732

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
178⤵
PID:4324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
179⤵
PID:4064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
180⤵
PID:1484

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
181⤵
PID:4532

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
182⤵
PID:2456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
183⤵
PID:3932

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
184⤵
PID:3280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
185⤵
PID:2516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
186⤵
PID:4976

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
187⤵
PID:4324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
188⤵
PID:3000

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
189⤵
PID:3460

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
190⤵
PID:3980

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
191⤵
PID:1964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
192⤵
PID:3992

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
193⤵
PID:2912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
194⤵
PID:468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
195⤵
PID:1012

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
196⤵
PID:4988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
197⤵
PID:4944

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
198⤵
PID:2052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
199⤵
PID:2732

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
200⤵
PID:2920

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
201⤵
PID:624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
202⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
203⤵
PID:4672

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
204⤵
PID:464

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
205⤵
PID:2036

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
206⤵
PID:3920

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
207⤵
PID:4152

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
208⤵
PID:1772

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
209⤵
PID:4372

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
210⤵
PID:2324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
211⤵
PID:1316

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
212⤵
PID:2552

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
213⤵
PID:2652

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
214⤵
PID:4988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
215⤵
PID:2764

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
216⤵
PID:3240

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
217⤵
PID:828

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
218⤵
PID:1732

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
219⤵
PID:2644

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
220⤵
PID:1308

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
221⤵
PID:3272

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
222⤵
PID:5040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
223⤵
PID:2668

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
224⤵
PID:4484

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
225⤵
PID:2460

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
226⤵
PID:2852

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
227⤵
PID:1212

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
228⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
229⤵
PID:2448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
230⤵
PID:4112

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
231⤵
PID:1368

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
232⤵
PID:4420

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
233⤵
PID:2008

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
234⤵
PID:2024

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
235⤵
PID:1492

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
236⤵
PID:2564

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
237⤵
PID:4324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
238⤵
PID:3560

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
239⤵
PID:2228

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
240⤵
PID:3952

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
241⤵
PID:4688

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
242⤵
PID:4364

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
243⤵
PID:1548

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
244⤵
PID:1780

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
245⤵
PID:4828

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
246⤵
PID:4496

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
247⤵
PID:3524

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
248⤵
PID:4280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
249⤵
PID:3224

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
250⤵
PID:4948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
251⤵
PID:2852

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
252⤵
PID:5068

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
253⤵
PID:1732

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
254⤵
PID:3196

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
255⤵
PID:3332

C:\Windows\SysWOW64\srtsrv32.exe
"C:\Windows\system32\srtsrv32.exe"
3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
6⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:3992

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
8⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2140

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
9⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1708

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
10⤵
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
PID:3964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
11⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4760

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
12⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2028

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
13⤵
- Sets file execution options in registry
- Executes dropped EXE
- Drops file in System32 directory
PID:4964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
14⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:1680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
15⤵
- Sets file execution options in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3392

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
16⤵
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1568

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
17⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
18⤵
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1308

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
19⤵
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:2324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
20⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:1528

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
21⤵
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
PID:5088

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
22⤵
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
23⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:2980

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
24⤵
PID:3692

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
25⤵
PID:1664

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
26⤵
PID:656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
27⤵
PID:3964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
28⤵
PID:3876

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
29⤵
PID:100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
30⤵
PID:4348

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
31⤵
PID:3052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
32⤵
PID:3492

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
33⤵
PID:212

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
34⤵
PID:1012

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
35⤵
PID:1772

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
36⤵
PID:3980

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
37⤵
PID:4816

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
38⤵
PID:2008

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
39⤵
PID:3052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
40⤵
PID:4344

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
41⤵
PID:5060

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
42⤵
PID:4892

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
43⤵
PID:4756

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
44⤵
PID:1740

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
45⤵
PID:1472

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
46⤵
PID:3280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
47⤵
PID:4536

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
48⤵
PID:4648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
49⤵
PID:3108

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
50⤵
PID:2904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
51⤵
PID:1964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
52⤵
PID:4416

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
53⤵
PID:3932

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
54⤵
PID:2408

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
55⤵
PID:2704

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
56⤵
PID:448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
57⤵
PID:5100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
58⤵
PID:3672

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
59⤵
PID:5040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
60⤵
PID:3080

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
61⤵
PID:904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
62⤵
PID:2980

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
63⤵
PID:3116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
64⤵
PID:2656

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
65⤵
PID:4264

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
66⤵
PID:3964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
67⤵
PID:3840

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
68⤵
PID:4884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
69⤵
PID:3200

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
70⤵
PID:3104

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
71⤵
PID:2408

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
72⤵
PID:2332

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
73⤵
PID:2448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
74⤵
PID:468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
75⤵
PID:2668

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
76⤵
PID:2952

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
77⤵
PID:2852

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
78⤵
PID:2140

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
79⤵
PID:5064

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
80⤵
PID:4988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
81⤵
PID:4832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
82⤵
PID:2052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
83⤵
PID:1092

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
84⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
85⤵
PID:5096

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
86⤵
PID:1084

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
87⤵
PID:2476

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
88⤵
PID:4248

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
89⤵
PID:4324

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
90⤵
PID:2488

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
91⤵
PID:1592

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
92⤵
PID:4028

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
93⤵
PID:5040

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
94⤵
PID:4428

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
95⤵
PID:4148

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
96⤵
PID:1460

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
97⤵
PID:1484

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
98⤵
PID:184

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
99⤵
PID:220

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
100⤵
PID:4032

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
101⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
102⤵
PID:804

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
103⤵
PID:4672

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
104⤵
PID:1212

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
105⤵
PID:4652

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
106⤵
PID:2712

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
107⤵
PID:3600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
108⤵
PID:3092

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
109⤵
PID:3704

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
110⤵
PID:832

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
111⤵
PID:4284

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
112⤵
PID:3692

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
113⤵
PID:4840

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
114⤵
PID:1444

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
115⤵
PID:4008

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
116⤵
PID:2056

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
117⤵
PID:216

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
118⤵
PID:1624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
119⤵
PID:2976

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
120⤵
PID:1680

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
121⤵
PID:1596

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
122⤵
PID:4280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
123⤵
PID:3536

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
124⤵
PID:4316

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
125⤵
PID:4500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
126⤵
PID:4572

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
127⤵
PID:996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
128⤵
PID:1012

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
129⤵
PID:4512

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
130⤵
PID:2308

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
131⤵
PID:2996

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
132⤵
PID:3088

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
133⤵
PID:1988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
134⤵
PID:964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
135⤵
PID:1700

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
136⤵
PID:3076

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
137⤵
PID:2392

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
138⤵
PID:1512

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
139⤵
PID:3756

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
140⤵
PID:4692

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
141⤵
PID:904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
142⤵
PID:4104

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
143⤵
PID:1176

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
144⤵
PID:3500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
145⤵
PID:4152

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
146⤵
PID:2712

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
147⤵
PID:1240

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
148⤵
PID:4596

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
149⤵
PID:880

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
150⤵
PID:1624

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
151⤵
PID:4284

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
152⤵
PID:3208

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
153⤵
PID:2552

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
154⤵
PID:2668

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
155⤵
PID:4116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
156⤵
PID:1900

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
157⤵
PID:5096

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
158⤵
PID:4468

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
159⤵
PID:4648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
160⤵
PID:2448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
161⤵
PID:3296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
162⤵
PID:2952

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
163⤵
PID:220

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
164⤵
PID:5088

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
165⤵
PID:540

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
166⤵
PID:5100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
167⤵
PID:880

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
168⤵
PID:1648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
169⤵
PID:3272

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
170⤵
PID:4472

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
171⤵
PID:2788

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
172⤵
PID:1784

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
173⤵
PID:2520

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
174⤵
PID:2972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
175⤵
PID:4956

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
176⤵
PID:4168

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
177⤵
PID:2880

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
178⤵
PID:1968

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
179⤵
PID:4616

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
180⤵
PID:1276

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
181⤵
PID:1092

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
182⤵
PID:3160

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
183⤵
PID:4052

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
184⤵
PID:3696

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
185⤵
PID:4104

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
186⤵
PID:2864

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
187⤵
PID:1368

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
188⤵
PID:1612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
189⤵
PID:4964

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
190⤵
PID:2904

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
191⤵
PID:1592

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
192⤵
PID:3180

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
193⤵
PID:2120

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
194⤵
PID:1212

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
195⤵
PID:3356

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
196⤵
PID:3396

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
197⤵
PID:4612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
198⤵
PID:1812

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
199⤵
PID:100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
200⤵
PID:1500

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
201⤵
PID:2212

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
202⤵
PID:4632

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
203⤵
PID:2588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
204⤵
PID:1308

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
205⤵
PID:228

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
206⤵
PID:3232

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
207⤵
PID:4456

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
208⤵
PID:3516

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
209⤵
PID:3736

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
210⤵
PID:1240

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
211⤵
PID:3676

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
212⤵
PID:4580

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
213⤵
PID:116

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
214⤵
PID:4100

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
215⤵
PID:4420

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
216⤵
PID:4792

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
217⤵
PID:4028

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
218⤵
PID:748

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
219⤵
PID:1548

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
220⤵
PID:5028

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
221⤵
PID:2376

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
222⤵
PID:3924

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
223⤵
PID:4652

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
224⤵
PID:4616

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
225⤵
PID:2556

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
226⤵
PID:4948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
227⤵
PID:3424

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
228⤵
PID:1652

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
229⤵
PID:3020

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
230⤵
PID:1444

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
231⤵
PID:1664

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
232⤵
PID:4280

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
233⤵
PID:2704

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
234⤵
PID:3956

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
235⤵
PID:4344

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
236⤵
PID:4372

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
237⤵
PID:1648

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
238⤵
PID:2948

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
239⤵
PID:1596

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
240⤵
PID:1988

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
241⤵
PID:4140

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
242⤵
PID:3044

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
243⤵
PID:2612

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
244⤵
PID:588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
245⤵
PID:884

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
246⤵
PID:2588

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
247⤵
PID:1600

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
248⤵
PID:3912

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
249⤵
PID:3716

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
250⤵
PID:4532

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
251⤵
PID:2972

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
252⤵
PID:2476

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
253⤵
PID:3236

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
254⤵
PID:4976

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
255⤵
PID:3296

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
256⤵
PID:1400

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
257⤵
PID:2448

C:\Windows\SysWOW64\LSASSMGR.EXE
"C:\Windows\system32\LSASSMGR.EXE"
258⤵
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 808
3⤵
- Program crash
PID:2980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2972 -ip 2972
1⤵
PID:4616

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

2

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\lssmon.exe
Filesize
2.8MB

MD5
73579113ecad69d2810666d6a3e93b9d

SHA1
a1b6cbb09b333429db34128add254e09a93bf899

SHA256
e174378565fb23cd3af5dc448f07f41eb842682d1c4d3298abb742f5fbb16c7b

SHA512
52e536eda1b7b54876f51245197e9f6d59f318e86ba04fef4a732f9e550163308417ee9d6258a307331764cd73fc2af139ae22e48a0829e75cc6edb5325e97db

Download Submit
C:\Windows\SysWOW64\spool.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\srtsrv32.exe
Filesize
17KB

MD5
ac64264c144db02d6131ed49c705700c

SHA1
74e860593b589e1af0c793866e244b93538ceb9d

SHA256
ff514f91673302a508a56253adde88c23496a5eb6e271d7d564f59b4e6bdd9d4

SHA512
ac9105a3c2db8c5ffb0efd059f1fa0e5f4609c69b0dedf72843aa02c69b70eaaadebc0dc19485c21da1054d8264f8c58880f809d15925739501e9586c3c15ff8

Download Submit
memory/2972-28-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2972-525-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4344-0-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4344-23-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads