Analysis
-
max time kernel
101s -
max time network
113s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
17-04-2024 16:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f62ba4a31fa8919cf6113f4cd1743b99_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
f62ba4a31fa8919cf6113f4cd1743b99_JaffaCakes118.exe
Resource
win10v2004-20240412-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
f62ba4a31fa8919cf6113f4cd1743b99_JaffaCakes118.exe
-
Size
17KB
-
MD5
f62ba4a31fa8919cf6113f4cd1743b99
-
SHA1
c4f264a51314256f8e237906475a807a9f4ae51d
-
SHA256
805851ca3b2e516b6f42bb2914bb1952fc21031ed18bb98d1c9719aff64231a3
-
SHA512
78cd016bb96db62de8b860fd255d067e6c1a5713f4438308a4f1067db763dab803742938567dd14dc8cca366f1b0d734044364e10b57aee5745b84cd4a57469a
-
SSDEEP
384:xFB7ugHLcmZO2Zp+Nye8pqrmub8TyztsDN:xHrHLoKK8o8TyJc
Score
8/10
Malware Config
Signatures
-
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE Key value queried \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation LSASSMGR.EXE -
Executes dropped EXE 64 IoCs
pid Process 2644 LSASSMGR.EXE 4224 LSASSMGR.EXE 3360 LSASSMGR.EXE 5064 LSASSMGR.EXE 2192 LSASSMGR.EXE 3740 LSASSMGR.EXE 4912 LSASSMGR.EXE 3504 LSASSMGR.EXE 1324 LSASSMGR.EXE 4944 LSASSMGR.EXE 3988 LSASSMGR.EXE 4724 LSASSMGR.EXE 3672 LSASSMGR.EXE 2132 LSASSMGR.EXE 64 LSASSMGR.EXE 3532 LSASSMGR.EXE 4296 LSASSMGR.EXE 3100 LSASSMGR.EXE 896 LSASSMGR.EXE 3220 LSASSMGR.EXE 4348 LSASSMGR.EXE 1820 LSASSMGR.EXE 2360 LSASSMGR.EXE 4036 LSASSMGR.EXE 4476 LSASSMGR.EXE 5060 LSASSMGR.EXE 3936 LSASSMGR.EXE 4140 LSASSMGR.EXE 4060 LSASSMGR.EXE 3616 LSASSMGR.EXE 3052 LSASSMGR.EXE 3176 LSASSMGR.EXE 4628 LSASSMGR.EXE 624 LSASSMGR.EXE 1620 LSASSMGR.EXE 2440 LSASSMGR.EXE 3192 LSASSMGR.EXE 2060 LSASSMGR.EXE 2492 LSASSMGR.EXE 2772 LSASSMGR.EXE 4124 LSASSMGR.EXE 4280 LSASSMGR.EXE 4296 LSASSMGR.EXE 4460 LSASSMGR.EXE 3140 LSASSMGR.EXE 4352 LSASSMGR.EXE 5044 LSASSMGR.EXE 4604 LSASSMGR.EXE 3864 LSASSMGR.EXE 5068 LSASSMGR.EXE 4224 LSASSMGR.EXE 3976 LSASSMGR.EXE 2104 LSASSMGR.EXE 4052 LSASSMGR.EXE 2780 LSASSMGR.EXE 4260 LSASSMGR.EXE 2444 LSASSMGR.EXE 1604 LSASSMGR.EXE 1160 LSASSMGR.EXE 4132 LSASSMGR.EXE 2848 LSASSMGR.EXE 3980 LSASSMGR.EXE 856 LSASSMGR.EXE 4288 LSASSMGR.EXE -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 2644 1760 f62ba4a31fa8919cf6113f4cd1743b99_JaffaCakes118.exe 86 PID 1760 wrote to memory of 2644 1760 f62ba4a31fa8919cf6113f4cd1743b99_JaffaCakes118.exe 86 PID 1760 wrote to memory of 2644 1760 f62ba4a31fa8919cf6113f4cd1743b99_JaffaCakes118.exe 86 PID 2644 wrote to memory of 4224 2644 LSASSMGR.EXE 87 PID 2644 wrote to memory of 4224 2644 LSASSMGR.EXE 87 PID 2644 wrote to memory of 4224 2644 LSASSMGR.EXE 87 PID 4224 wrote to memory of 3360 4224 LSASSMGR.EXE 88 PID 4224 wrote to memory of 3360 4224 LSASSMGR.EXE 88 PID 4224 wrote to memory of 3360 4224 LSASSMGR.EXE 88 PID 3360 wrote to memory of 5064 3360 LSASSMGR.EXE 89 PID 3360 wrote to memory of 5064 3360 LSASSMGR.EXE 89 PID 3360 wrote to memory of 5064 3360 LSASSMGR.EXE 89 PID 5064 wrote to memory of 2192 5064 LSASSMGR.EXE 90 PID 5064 wrote to memory of 2192 5064 LSASSMGR.EXE 90 PID 5064 wrote to memory of 2192 5064 LSASSMGR.EXE 90 PID 2192 wrote to memory of 3740 2192 LSASSMGR.EXE 91 PID 2192 wrote to memory of 3740 2192 LSASSMGR.EXE 91 PID 2192 wrote to memory of 3740 2192 LSASSMGR.EXE 91 PID 3740 wrote to memory of 4912 3740 LSASSMGR.EXE 93 PID 3740 wrote to memory of 4912 3740 LSASSMGR.EXE 93 PID 3740 wrote to memory of 4912 3740 LSASSMGR.EXE 93 PID 4912 wrote to memory of 3504 4912 LSASSMGR.EXE 94 PID 4912 wrote to memory of 3504 4912 LSASSMGR.EXE 94 PID 4912 wrote to memory of 3504 4912 LSASSMGR.EXE 94 PID 3504 wrote to memory of 1324 3504 LSASSMGR.EXE 96 PID 3504 wrote to memory of 1324 3504 LSASSMGR.EXE 96 PID 3504 wrote to memory of 1324 3504 LSASSMGR.EXE 96 PID 1324 wrote to memory of 4944 1324 LSASSMGR.EXE 98 PID 1324 wrote to memory of 4944 1324 LSASSMGR.EXE 98 PID 1324 wrote to memory of 4944 1324 LSASSMGR.EXE 98 PID 4944 wrote to memory of 3988 4944 LSASSMGR.EXE 99 PID 4944 wrote to memory of 3988 4944 LSASSMGR.EXE 99 PID 4944 wrote to memory of 3988 4944 LSASSMGR.EXE 99 PID 3988 wrote to memory of 4724 3988 LSASSMGR.EXE 100 PID 3988 wrote to memory of 4724 3988 LSASSMGR.EXE 100 PID 3988 wrote to memory of 4724 3988 LSASSMGR.EXE 100 PID 4724 wrote to memory of 3672 4724 LSASSMGR.EXE 102 PID 4724 wrote to memory of 3672 4724 LSASSMGR.EXE 102 PID 4724 wrote to memory of 3672 4724 LSASSMGR.EXE 102 PID 3672 wrote to memory of 2132 3672 LSASSMGR.EXE 103 PID 3672 wrote to memory of 2132 3672 LSASSMGR.EXE 103 PID 3672 wrote to memory of 2132 3672 LSASSMGR.EXE 103 PID 2132 wrote to memory of 64 2132 LSASSMGR.EXE 104 PID 2132 wrote to memory of 64 2132 LSASSMGR.EXE 104 PID 2132 wrote to memory of 64 2132 LSASSMGR.EXE 104 PID 64 wrote to memory of 3532 64 LSASSMGR.EXE 105 PID 64 wrote to memory of 3532 64 LSASSMGR.EXE 105 PID 64 wrote to memory of 3532 64 LSASSMGR.EXE 105 PID 3532 wrote to memory of 4296 3532 LSASSMGR.EXE 134 PID 3532 wrote to memory of 4296 3532 LSASSMGR.EXE 134 PID 3532 wrote to memory of 4296 3532 LSASSMGR.EXE 134 PID 4296 wrote to memory of 3100 4296 LSASSMGR.EXE 107 PID 4296 wrote to memory of 3100 4296 LSASSMGR.EXE 107 PID 4296 wrote to memory of 3100 4296 LSASSMGR.EXE 107 PID 3100 wrote to memory of 896 3100 LSASSMGR.EXE 108 PID 3100 wrote to memory of 896 3100 LSASSMGR.EXE 108 PID 3100 wrote to memory of 896 3100 LSASSMGR.EXE 108 PID 896 wrote to memory of 3220 896 LSASSMGR.EXE 109 PID 896 wrote to memory of 3220 896 LSASSMGR.EXE 109 PID 896 wrote to memory of 3220 896 LSASSMGR.EXE 109 PID 3220 wrote to memory of 4348 3220 LSASSMGR.EXE 110 PID 3220 wrote to memory of 4348 3220 LSASSMGR.EXE 110 PID 3220 wrote to memory of 4348 3220 LSASSMGR.EXE 110 PID 4348 wrote to memory of 1820 4348 LSASSMGR.EXE 111
Processes
-
C:\Users\Admin\AppData\Local\Temp\f62ba4a31fa8919cf6113f4cd1743b99_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f62ba4a31fa8919cf6113f4cd1743b99_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3360 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"9⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"12⤵
- Sets file execution options in registry
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3672 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"18⤵
- Sets file execution options in registry
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"20⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"22⤵
- Sets file execution options in registry
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"23⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
PID:1820 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"24⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"25⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4036 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"26⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"27⤵
- Executes dropped EXE
PID:5060 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"28⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3936 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"29⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:4140 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"30⤵
- Executes dropped EXE
PID:4060 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"31⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3176 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"34⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4628 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"35⤵
- Checks computer location settings
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"36⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1620 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"37⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3192 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"39⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2060 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"40⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"41⤵
- Sets file execution options in registry
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"42⤵
- Checks computer location settings
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"43⤵
- Checks computer location settings
- Executes dropped EXE
PID:4280 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4296 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"45⤵
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"46⤵
- Executes dropped EXE
PID:3140 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4352 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"48⤵
- Executes dropped EXE
PID:5044 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"49⤵
- Checks computer location settings
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"50⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"51⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"52⤵
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"53⤵
- Executes dropped EXE
PID:3976 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"54⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"55⤵
- Executes dropped EXE
PID:4052 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"56⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"57⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4260 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"58⤵
- Checks computer location settings
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"59⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"60⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"61⤵
- Executes dropped EXE
PID:4132 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"62⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"63⤵
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
PID:3980 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"64⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"65⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4288 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"66⤵PID:3160
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"67⤵PID:2752
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"68⤵PID:4216
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"69⤵PID:1908
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"70⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4748 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"71⤵PID:4972
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"72⤵PID:400
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"73⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:4616 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"74⤵
- Adds Run key to start application
PID:432 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"75⤵
- Sets file execution options in registry
- Drops file in Program Files directory
PID:3792 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"76⤵PID:4528
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"77⤵PID:2356
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"78⤵PID:4368
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"79⤵
- Drops file in Program Files directory
PID:3536 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"80⤵PID:3936
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"81⤵
- Drops file in Program Files directory
PID:2192 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"82⤵PID:4148
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"83⤵
- Sets file execution options in registry
PID:5024 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"84⤵
- Adds Run key to start application
PID:4636 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"85⤵PID:4632
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"86⤵PID:4532
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"87⤵PID:4424
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"88⤵PID:3176
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"89⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"90⤵
- Drops file in System32 directory
PID:3400 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"91⤵PID:1496
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"92⤵PID:2212
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"93⤵
- Sets file execution options in registry
PID:2060 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"94⤵
- Drops file in Program Files directory
PID:3940 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"95⤵
- Sets file execution options in registry
PID:2772 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"96⤵PID:3704
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"97⤵
- Adds Run key to start application
PID:980 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"98⤵
- Drops file in Program Files directory
PID:4032 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"99⤵
- Sets file execution options in registry
- Drops file in System32 directory
PID:4176 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"100⤵PID:1332
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"101⤵PID:4980
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"102⤵
- Checks computer location settings
PID:2528 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"103⤵PID:4152
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"104⤵
- Adds Run key to start application
PID:4928 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"105⤵PID:3908
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"106⤵PID:2180
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"107⤵PID:1112
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"108⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5064 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"109⤵
- Drops file in Program Files directory
PID:1876 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"110⤵
- Drops file in Program Files directory
PID:3216 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"111⤵
- Checks computer location settings
PID:2740 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"112⤵
- Sets file execution options in registry
PID:4420 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"113⤵PID:3052
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"114⤵PID:4484
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"115⤵PID:5084
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"116⤵PID:800
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"117⤵PID:3804
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"118⤵
- Adds Run key to start application
PID:4580 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"119⤵PID:1700
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"120⤵PID:3192
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"121⤵
- Sets file execution options in registry
- Drops file in Program Files directory
PID:3672
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-