Thanks for the link, and yes, I know that lsass.exe was exploited, but I was surprised that it needed rundll32.exe to execute the DoublePulsar payload. But perhaps that's not relevant, because I suppose any child process that is spawned via lsass.exe would have been blocked by an anti-executable like VS and ERP, so this was a nice demonstration of the effectiveness of these kinds of tools. Doesn't AG block child processes spawned by system processes like lsass.exe from running? Thanks for the info. To clarify, I didn't doubt it, I was just trying to figure things out, so I'm not one of those whining kids.