Analysis
-
max time kernel
12s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
14-12-2024 09:12
Behavioral task
behavioral1
Sample
ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe
Resource
win7-20240729-en
windows7-x64
14 signatures
150 seconds
Behavioral task
behavioral2
Sample
ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe
-
Size
2.8MB
-
MD5
ee0c9bb326750db7697cd87371470a1e
-
SHA1
cb197e29bf6bb403fcf79fe7aee86eece75c5df5
-
SHA256
37d79bda0a1d71695dcd5ff94dd37427f1fef23a031f2118cdb3ec0a60d70903
-
SHA512
2b169d5d3cc8d9588162694c9b43c90c9e319fa3ad889abc190b7fa02bad475b9de841efd5c6177604082e546c87a076bd887834122276abcdc6ef4b6fe28c68
-
SSDEEP
49152:67N1ahCg0V7N1ahCL0V7N1ahC10V7N1ahCes:67t7+7o77
Score
10/10
Malware Config
Signatures
-
Fakeav family
-
resource yara_rule behavioral1/memory/2748-22-0x0000000000400000-0x00000000004C1000-memory.dmp fakeav behavioral1/files/0x0007000000016d29-21.dat fakeav behavioral1/memory/2656-1319-0x0000000000400000-0x00000000004C1000-memory.dmp fakeav behavioral1/memory/2656-1529-0x0000000000400000-0x00000000004C1000-memory.dmp fakeav -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "C:\\Program Files (x86)\\Internet Explorer\\iexplor.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "C:\\Program Files (x86)\\Mozilla Firefox\\firefoxe.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe\Debugger = "C:\\Windows\\system32\\spool.exe" LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe LSASSMGR.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe LSASSMGR.EXE -
Executes dropped EXE 64 IoCs
pid Process 2752 srtsrv32.exe 2656 lssmon.exe 2844 srtsrv32.exe 2696 LSASSMGR.EXE 2820 srtsrv32.exe 2988 srtsrv32.exe 2252 LSASSMGR.EXE 2808 LSASSMGR.EXE 2084 LSASSMGR.EXE 1928 LSASSMGR.EXE 2412 LSASSMGR.EXE 1176 LSASSMGR.EXE 2344 LSASSMGR.EXE 988 LSASSMGR.EXE 532 LSASSMGR.EXE 1980 LSASSMGR.EXE 304 LSASSMGR.EXE 1732 LSASSMGR.EXE 1504 LSASSMGR.EXE 2176 LSASSMGR.EXE 3060 LSASSMGR.EXE 2000 LSASSMGR.EXE 900 LSASSMGR.EXE 2136 LSASSMGR.EXE 2484 LSASSMGR.EXE 2120 LSASSMGR.EXE 996 LSASSMGR.EXE 560 LSASSMGR.EXE 740 LSASSMGR.EXE 1924 LSASSMGR.EXE 1676 LSASSMGR.EXE 684 LSASSMGR.EXE 588 LSASSMGR.EXE 2424 LSASSMGR.EXE 2272 LSASSMGR.EXE 2280 LSASSMGR.EXE 2100 LSASSMGR.EXE 1784 LSASSMGR.EXE 872 LSASSMGR.EXE 1840 LSASSMGR.EXE 336 LSASSMGR.EXE 2776 LSASSMGR.EXE 2680 LSASSMGR.EXE 2632 LSASSMGR.EXE 2748 LSASSMGR.EXE 2900 LSASSMGR.EXE 2832 LSASSMGR.EXE 2720 LSASSMGR.EXE 2660 LSASSMGR.EXE 2232 LSASSMGR.EXE 2544 LSASSMGR.EXE 2548 LSASSMGR.EXE 576 LSASSMGR.EXE 2980 LSASSMGR.EXE 1432 LSASSMGR.EXE 3056 LSASSMGR.EXE 1920 LSASSMGR.EXE 2868 LSASSMGR.EXE 2220 LSASSMGR.EXE 1636 LSASSMGR.EXE 1984 LSASSMGR.EXE 768 LSASSMGR.EXE 584 LSASSMGR.EXE 1856 LSASSMGR.EXE -
Loads dropped DLL 64 IoCs
pid Process 2748 ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe 2748 ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe 2748 ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe 2656 lssmon.exe 2656 lssmon.exe 2752 srtsrv32.exe 2752 srtsrv32.exe 2656 lssmon.exe 2656 lssmon.exe 2656 lssmon.exe 2656 lssmon.exe 2844 srtsrv32.exe 2696 LSASSMGR.EXE 2696 LSASSMGR.EXE 2844 srtsrv32.exe 2820 srtsrv32.exe 2820 srtsrv32.exe 2988 srtsrv32.exe 2988 srtsrv32.exe 2304 WerFault.exe 2304 WerFault.exe 2252 LSASSMGR.EXE 2252 LSASSMGR.EXE 2808 LSASSMGR.EXE 2808 LSASSMGR.EXE 1928 LSASSMGR.EXE 1928 LSASSMGR.EXE 2412 LSASSMGR.EXE 2412 LSASSMGR.EXE 2084 LSASSMGR.EXE 2084 LSASSMGR.EXE 2344 LSASSMGR.EXE 2344 LSASSMGR.EXE 1176 LSASSMGR.EXE 1176 LSASSMGR.EXE 988 LSASSMGR.EXE 988 LSASSMGR.EXE 532 LSASSMGR.EXE 532 LSASSMGR.EXE 2304 WerFault.exe 1980 LSASSMGR.EXE 1980 LSASSMGR.EXE 304 LSASSMGR.EXE 304 LSASSMGR.EXE 1504 LSASSMGR.EXE 1504 LSASSMGR.EXE 2176 LSASSMGR.EXE 2176 LSASSMGR.EXE 1732 LSASSMGR.EXE 1732 LSASSMGR.EXE 3060 LSASSMGR.EXE 3060 LSASSMGR.EXE 2000 LSASSMGR.EXE 2000 LSASSMGR.EXE 900 LSASSMGR.EXE 2136 LSASSMGR.EXE 900 LSASSMGR.EXE 2136 LSASSMGR.EXE 2484 LSASSMGR.EXE 2484 LSASSMGR.EXE 996 LSASSMGR.EXE 996 LSASSMGR.EXE 2120 LSASSMGR.EXE 2120 LSASSMGR.EXE -
Adds Run key to start application 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\lssmon.exe" lssmon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Layersecurity Servicemonitor = "C:\\Windows\\system32\\LSSMON.EXE" LSASSMGR.EXE -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File created C:\Windows\SysWOW64\LSASSMGR.EXE LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE File opened for modification C:\Windows\SysWOW64\spool.exe LSASSMGR.EXE -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File created C:\Program Files (x86)\Mozilla Firefox\firefoxe.exe LSASSMGR.EXE File opened for modification C:\Program Files (x86)\Internet Explorer\iexplor.exe LSASSMGR.EXE -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\divx32.dll ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2304 2656 WerFault.exe 32 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language srtsrv32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASSMGR.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2752 2748 ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe 31 PID 2748 wrote to memory of 2752 2748 ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe 31 PID 2748 wrote to memory of 2752 2748 ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe 31 PID 2748 wrote to memory of 2752 2748 ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe 31 PID 2748 wrote to memory of 2656 2748 ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe 32 PID 2748 wrote to memory of 2656 2748 ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe 32 PID 2748 wrote to memory of 2656 2748 ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe 32 PID 2748 wrote to memory of 2656 2748 ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe 32 PID 2656 wrote to memory of 2844 2656 lssmon.exe 33 PID 2656 wrote to memory of 2844 2656 lssmon.exe 33 PID 2656 wrote to memory of 2844 2656 lssmon.exe 33 PID 2656 wrote to memory of 2844 2656 lssmon.exe 33 PID 2752 wrote to memory of 2696 2752 srtsrv32.exe 34 PID 2752 wrote to memory of 2696 2752 srtsrv32.exe 34 PID 2752 wrote to memory of 2696 2752 srtsrv32.exe 34 PID 2752 wrote to memory of 2696 2752 srtsrv32.exe 34 PID 2656 wrote to memory of 2820 2656 lssmon.exe 35 PID 2656 wrote to memory of 2820 2656 lssmon.exe 35 PID 2656 wrote to memory of 2820 2656 lssmon.exe 35 PID 2656 wrote to memory of 2820 2656 lssmon.exe 35 PID 2656 wrote to memory of 2988 2656 lssmon.exe 36 PID 2656 wrote to memory of 2988 2656 lssmon.exe 36 PID 2656 wrote to memory of 2988 2656 lssmon.exe 36 PID 2656 wrote to memory of 2988 2656 lssmon.exe 36 PID 2656 wrote to memory of 2304 2656 lssmon.exe 37 PID 2656 wrote to memory of 2304 2656 lssmon.exe 37 PID 2656 wrote to memory of 2304 2656 lssmon.exe 37 PID 2656 wrote to memory of 2304 2656 lssmon.exe 37 PID 2696 wrote to memory of 2808 2696 LSASSMGR.EXE 39 PID 2696 wrote to memory of 2808 2696 LSASSMGR.EXE 39 PID 2696 wrote to memory of 2808 2696 LSASSMGR.EXE 39 PID 2696 wrote to memory of 2808 2696 LSASSMGR.EXE 39 PID 2844 wrote to memory of 2252 2844 srtsrv32.exe 38 PID 2844 wrote to memory of 2252 2844 srtsrv32.exe 38 PID 2844 wrote to memory of 2252 2844 srtsrv32.exe 38 PID 2844 wrote to memory of 2252 2844 srtsrv32.exe 38 PID 2820 wrote to memory of 2084 2820 srtsrv32.exe 40 PID 2820 wrote to memory of 2084 2820 srtsrv32.exe 40 PID 2820 wrote to memory of 2084 2820 srtsrv32.exe 40 PID 2820 wrote to memory of 2084 2820 srtsrv32.exe 40 PID 2988 wrote to memory of 2412 2988 srtsrv32.exe 41 PID 2988 wrote to memory of 2412 2988 srtsrv32.exe 41 PID 2988 wrote to memory of 2412 2988 srtsrv32.exe 41 PID 2988 wrote to memory of 2412 2988 srtsrv32.exe 41 PID 2252 wrote to memory of 1928 2252 LSASSMGR.EXE 42 PID 2252 wrote to memory of 1928 2252 LSASSMGR.EXE 42 PID 2252 wrote to memory of 1928 2252 LSASSMGR.EXE 42 PID 2252 wrote to memory of 1928 2252 LSASSMGR.EXE 42 PID 2808 wrote to memory of 2344 2808 LSASSMGR.EXE 43 PID 2808 wrote to memory of 2344 2808 LSASSMGR.EXE 43 PID 2808 wrote to memory of 2344 2808 LSASSMGR.EXE 43 PID 2808 wrote to memory of 2344 2808 LSASSMGR.EXE 43 PID 1928 wrote to memory of 1176 1928 LSASSMGR.EXE 257 PID 1928 wrote to memory of 1176 1928 LSASSMGR.EXE 257 PID 1928 wrote to memory of 1176 1928 LSASSMGR.EXE 257 PID 1928 wrote to memory of 1176 1928 LSASSMGR.EXE 257 PID 2412 wrote to memory of 532 2412 LSASSMGR.EXE 103 PID 2412 wrote to memory of 532 2412 LSASSMGR.EXE 103 PID 2412 wrote to memory of 532 2412 LSASSMGR.EXE 103 PID 2412 wrote to memory of 532 2412 LSASSMGR.EXE 103 PID 2084 wrote to memory of 988 2084 LSASSMGR.EXE 46 PID 2084 wrote to memory of 988 2084 LSASSMGR.EXE 46 PID 2084 wrote to memory of 988 2084 LSASSMGR.EXE 46 PID 2084 wrote to memory of 988 2084 LSASSMGR.EXE 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\ee0c9bb326750db7697cd87371470a1e_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\srtsrv32.exe"C:\Windows\system32\srtsrv32.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2344 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"9⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"10⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"11⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2280 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"12⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"13⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"14⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"15⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2544 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"16⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"17⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"19⤵
- Event Triggered Execution: Image File Execution Options Injection
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"20⤵
- Adds Run key to start application
PID:2928 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"21⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"22⤵PID:1780
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"23⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"24⤵
- Adds Run key to start application
PID:2432 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"25⤵PID:2108
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"26⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"27⤵PID:2752
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"28⤵PID:3020
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"29⤵PID:2972
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"30⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:2008 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"31⤵PID:2016
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"32⤵PID:2384
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"33⤵PID:2368
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"34⤵
- Adds Run key to start application
PID:3060 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"35⤵PID:1468
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"36⤵
- Drops file in Program Files directory
PID:1676 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"37⤵
- Drops file in Program Files directory
PID:2268 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"38⤵
- Drops file in Program Files directory
PID:1032 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"39⤵
- Adds Run key to start application
PID:2680 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"40⤵PID:2692
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"41⤵PID:1536
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"42⤵PID:1300
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"43⤵
- Adds Run key to start application
PID:2332 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"44⤵PID:1836
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"45⤵PID:480
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"46⤵
- Adds Run key to start application
PID:2412 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"47⤵PID:292
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"48⤵PID:3008
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"49⤵PID:1640
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"50⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"51⤵PID:2764
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"52⤵
- Event Triggered Execution: Image File Execution Options Injection
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"53⤵
- Drops file in Program Files directory
PID:2904 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"54⤵
- Event Triggered Execution: Image File Execution Options Injection
- Drops file in Program Files directory
PID:2748 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"55⤵PID:624
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"56⤵PID:1052
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"57⤵PID:1176
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"58⤵PID:2188
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"59⤵PID:2384
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"60⤵
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"61⤵PID:1264
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"62⤵PID:3008
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"63⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:1640 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"64⤵PID:1344
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"65⤵PID:1492
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"67⤵
- Drops file in Program Files directory
PID:2596 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"68⤵
- Adds Run key to start application
PID:2588 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"69⤵PID:2836
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"70⤵PID:1596
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"71⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:1836 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"72⤵
- Adds Run key to start application
- Drops file in Program Files directory
PID:1984 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"73⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"74⤵
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"75⤵PID:1656
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"76⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1872 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"77⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"78⤵PID:1524
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"79⤵
- Adds Run key to start application
PID:1048 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"80⤵PID:2548
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"81⤵PID:1920
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"82⤵PID:2584
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"83⤵PID:2592
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"84⤵PID:1976
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"85⤵PID:1548
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"86⤵PID:304
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"87⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:532 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"88⤵PID:1732
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"89⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"90⤵
- Event Triggered Execution: Image File Execution Options Injection
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"91⤵PID:1032
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"92⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"93⤵PID:2160
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"94⤵PID:2168
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"95⤵PID:3056
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"96⤵PID:1928
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"97⤵PID:2008
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"98⤵PID:1904
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"99⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:2220 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"100⤵
- Drops file in Program Files directory
PID:1696 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"101⤵PID:900
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"102⤵PID:2484
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"103⤵PID:2616
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"104⤵PID:1692
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"105⤵PID:2488
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"106⤵PID:1032
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"107⤵PID:2788
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"108⤵PID:2628
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"109⤵PID:2596
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"110⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:2880 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"111⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:1444 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"112⤵PID:1644
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"113⤵PID:2772
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"114⤵PID:2496
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"115⤵PID:1716
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"116⤵
- Event Triggered Execution: Image File Execution Options Injection
PID:1656 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"117⤵
- Adds Run key to start application
PID:684 -
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"118⤵PID:2648
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"119⤵PID:2356
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"120⤵PID:2200
-
C:\Windows\SysWOW64\LSASSMGR.EXE"C:\Windows\system32\LSASSMGR.EXE"121⤵
- Event Triggered Execution: Image File Execution Options Injection
- Drops file in System32 directory
PID:2160
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-