» lsass.exe
Overview
Analysis
File Details
Behaviors (1)

lsass.exe

The executable lsass.exe has been detected as malware by 30 anti-virus scanners. It is set to automatically execute when any user logs into Windows (through the local user run registry setting) with the name ‘run32’.

File name:

lsass.exe

Version:

0.0.0.0

MD5:

b9c8fca7af52c857edfca0b3991dcba9

SHA-1:

5fd7203bac907f90057eb7517a645ba387fea146

Scanner detections:

30 / 68

Status:

Malware

Analysis date:

4/23/2024 11:43:03 PM UTC (a few moments ago)

Scan engine

Detection

Engine version

AhnLab V3 Security

Win-Trojan/Xema.variant

2010.12.05

Avira AntiVirus

TR/Crypt.CFI.Gen

7.10.14.189

avast!

Win32:Trojan-gen

2014.9-140829

AVG

Worm/Autoit

2015.0.3368

Bitdefender

Gen:Trojan.Heur.HmNfrD!mgqfib

1.0.20.1205

Clam AntiVirus

BC.Heuristic.Trojan.SusPacked.BF-6.A

0.98/17411

Comodo Security

Heur.Suspicious

6947

Dr.Web

Win32.HLLC.Bojan

9.0.1.0241

ESET NOD32

Win32/Autoit.GP

8.5673

Fortinet FortiGate

W32/YahLover!worm

8/29/2014

F-Prot

W32/Trojan2.MFAR

v6.4.6.2.117

F-Secure

Gen:Trojan.Heur.HmNfrD!mgqfib

11.2014-29-08_6

G Data

Gen:Trojan.Heur.HmNfrD!mgqfib

14.8.21

IKARUS anti.virus

Worm.Win32.VB.cj

t3scan.1.1.90.0

K7 AntiVirus

Trojan

13.70.3162

Kaspersky

Trojan-Downloader.Win32.Agent

14.0.0.3333

McAfee

W32/YahLover.worm.gen

5600.7024

Microsoft Security Essentials

Worm:AutoIt/Helompy.A

1.163.1557.0

Norman

W32/Suspicious_Gen2.dam

11.20140829

nProtect

Trojan/W32.AutoIt_Packed.551669

10.12.04.01

Panda Antivirus

Trj/Keylogger.GE

14.08.29.11

Prevx

High Risk Worm

3.0

Quick Heal

Trojan.Agent.ATV

8.14.11.00

Rising Antivirus

Worm.Win32.Agent.abv

23.00.65.14827

Sophos

Troj/AutoIt-JO

4.60

Trend Micro House Call

TROJ_Generic.DIT

7.2.241

Trend Micro

TROJ_Generic.DIT

10.465.29

Vba32 AntiVirus

TrojanDownloader.Agent.engo

3.12.14.2

VIPRE Antivirus

Trojan.Win32.Generic!SB.0

7508

ViRobot

Trojan.Win32.Autoit.551669

2010.12.4.4185

File size:

538.7 KB (551,669 bytes)

File type:

Executable application (Win32 EXE)

Language:

English (United Kingdom)

File PE Metadata

Compilation timestamp:

7/11/2007 10:21:32 AM

OS version:

4.0

OS bitness:

Win32

Subsystem:

Windows GUI

Linker version:

7.10

CTPH (ssdeep):

12288:2M5DSN6aAH0XNp7gGpWa7U8oico9hJMBex+gQL0X:2M5D18NpEGZNVlxnFX

Entry address:

0x9B110

Entry point:

60, BE, 00, B0, 46, 00, 8D, BE, 00, 60, F9, FF, 57, EB, 0B, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, 0B, 75, 28, 8B, 1E, 83, EE, FC, 11, DB, 72, 1F, 48, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, EB, D4, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, EB, 52, 31, C9, 83, E8, 03, 72, 11, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 75, D1, F8, 89, C5, EB, 0B, 01, DB, 75, 07, 8B... 
[+]

Packer / compiler:

UPX v0.89.6 - v1.02 / v1.05 -v1.24

Code size:

196 KB (200,704 bytes)

Startup File (All Users Run)

Registry location:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:

run32

Command:

C:\win\lsass.exe

Remove lsass.exe - Powered by Reason Core Security

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.