d4752ab6192adfaa398fc71e75bafbd4f478619c432593e6804a2f126392f89a

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
Size

19KB
MD5

8cb821933c226d587e5c2bde41fe79f7
SHA1

bf152a58902d7dbd908c49a3954c7f9412b3db71
SHA256

d4752ab6192adfaa398fc71e75bafbd4f478619c432593e6804a2f126392f89a
SHA512

f9d90a8c5117e8fac1ed7a3ef728c0f6cd60243e069133a432892526735f0d55509c360991add6493c4d4fd18ee2721c1f6c335814b0b9dabe818cb0e16e549f
SSDEEP

384:48cOMxhYHDloKmKEYFNBOW3PNsP3JO7vLbUtg2doCwwYxQWfjfA9O:zcOKarTZrVsPZCPUJoDwYxjfj

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
1320	lsass.exe
2932	lsass.exe
2980	lsass.exe
2220	lsass.exe
3052	lsass.exe
1212	lsass.exe
3032	lsass.exe
788	lsass.exe
3064	lsass.exe
2740	lsass.exe
2796	lsass.exe
2696	lsass.exe
2880	lsass.exe
2164	lsass.exe
2772	lsass.exe
2852	lsass.exe
2708	lsass.exe
2036	lsass.exe
2544	lsass.exe
2608	lsass.exe
2952	lsass.exe
676	lsass.exe
1468	lsass.exe
2832	lsass.exe
856	lsass.exe
2864	lsass.exe
2224	lsass.exe
2392	lsass.exe
3048	lsass.exe
2140	lsass.exe
1480	lsass.exe
1532	lsass.exe
1092	lsass.exe
2380	lsass.exe
636	lsass.exe
1288	lsass.exe
372	lsass.exe
1540	lsass.exe
2412	lsass.exe
2396	lsass.exe
1720	lsass.exe
968	lsass.exe
1648	lsass.exe
2248	lsass.exe
1536	lsass.exe
1340	lsass.exe
2876	lsass.exe
656	lsass.exe
888	lsass.exe
2844	lsass.exe
896	lsass.exe
2092	lsass.exe
3004	lsass.exe
2308	lsass.exe
1668	lsass.exe
2060	lsass.exe
2948	lsass.exe
2328	lsass.exe
3024	lsass.exe
3056	lsass.exe
2012	lsass.exe
2016	lsass.exe
3032	lsass.exe
484	lsass.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1320-9-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x000a00000001202c-8.dat	upx
behavioral1/memory/1320-11-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2980-16-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2932-15-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2980-18-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2220-21-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3052-22-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3052-25-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1212-26-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1212-29-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3032-30-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3032-32-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/788-36-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3064-38-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2372-37-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3064-40-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2740-46-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2796-47-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2796-50-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2696-53-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2880-54-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2880-57-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2164-60-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2772-61-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2772-64-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2852-67-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2708-70-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2036-73-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2544-74-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2544-76-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2608-78-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2608-80-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2952-81-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2952-83-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/676-85-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/676-87-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1468-91-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2832-92-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2832-95-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/856-98-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2864-100-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2224-102-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2224-105-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2392-107-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3048-109-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/3048-112-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2140-114-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1480-117-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2372-118-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1532-120-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1092-122-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1092-125-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2380-126-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2380-128-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/636-131-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1288-134-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1540-138-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/372-137-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1540-141-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2412-144-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2396-146-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1720-150-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\32103 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\27258 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\22146 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\21840 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\24923 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\14047 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\10523 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\24618 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\25232 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5590 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\21711 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\29372 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9725 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\17835 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\24307 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8183 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\13694 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\11792 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\20428 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5851 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\24789 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\23162 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\16067 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5014 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\25581 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\10391 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\22765 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\21579 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\12018 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\15630 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\28007 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\18581 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\30908 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\31484 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\18405 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\27429 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\31833 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\16381 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5898 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\6779 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\23247 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7082 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\23250 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\17524 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\11352 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9334 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\17438 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\30113 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\522 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\22407 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\31349 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5061 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\31530 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\21879 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\15233 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\211 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1758 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\9813 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\26245 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\16505 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\4224 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\3475 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\14041 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7440 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\DNS	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\DHCP = "1883876"	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1320	2372	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe	30
PID 2372 wrote to memory of 1320	2372	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe	30
PID 2372 wrote to memory of 1320	2372	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe	30
PID 2372 wrote to memory of 1320	2372	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe	30
PID 1320 wrote to memory of 2932	1320	lsass.exe	31
PID 1320 wrote to memory of 2932	1320	lsass.exe	31
PID 1320 wrote to memory of 2932	1320	lsass.exe	31
PID 1320 wrote to memory of 2932	1320	lsass.exe	31
PID 2932 wrote to memory of 2980	2932	lsass.exe	32
PID 2932 wrote to memory of 2980	2932	lsass.exe	32
PID 2932 wrote to memory of 2980	2932	lsass.exe	32
PID 2932 wrote to memory of 2980	2932	lsass.exe	32
PID 2980 wrote to memory of 2220	2980	lsass.exe	33
PID 2980 wrote to memory of 2220	2980	lsass.exe	33
PID 2980 wrote to memory of 2220	2980	lsass.exe	33
PID 2980 wrote to memory of 2220	2980	lsass.exe	33
PID 2220 wrote to memory of 3052	2220	lsass.exe	34
PID 2220 wrote to memory of 3052	2220	lsass.exe	34
PID 2220 wrote to memory of 3052	2220	lsass.exe	34
PID 2220 wrote to memory of 3052	2220	lsass.exe	34
PID 3052 wrote to memory of 1212	3052	lsass.exe	35
PID 3052 wrote to memory of 1212	3052	lsass.exe	35
PID 3052 wrote to memory of 1212	3052	lsass.exe	35
PID 3052 wrote to memory of 1212	3052	lsass.exe	35
PID 1212 wrote to memory of 3032	1212	lsass.exe	36
PID 1212 wrote to memory of 3032	1212	lsass.exe	36
PID 1212 wrote to memory of 3032	1212	lsass.exe	36
PID 1212 wrote to memory of 3032	1212	lsass.exe	36
PID 3032 wrote to memory of 788	3032	lsass.exe	37
PID 3032 wrote to memory of 788	3032	lsass.exe	37
PID 3032 wrote to memory of 788	3032	lsass.exe	37
PID 3032 wrote to memory of 788	3032	lsass.exe	37
PID 788 wrote to memory of 3064	788	lsass.exe	38
PID 788 wrote to memory of 3064	788	lsass.exe	38
PID 788 wrote to memory of 3064	788	lsass.exe	38
PID 788 wrote to memory of 3064	788	lsass.exe	38
PID 3064 wrote to memory of 2740	3064	lsass.exe	39
PID 3064 wrote to memory of 2740	3064	lsass.exe	39
PID 3064 wrote to memory of 2740	3064	lsass.exe	39
PID 3064 wrote to memory of 2740	3064	lsass.exe	39
PID 2740 wrote to memory of 2796	2740	lsass.exe	40
PID 2740 wrote to memory of 2796	2740	lsass.exe	40
PID 2740 wrote to memory of 2796	2740	lsass.exe	40
PID 2740 wrote to memory of 2796	2740	lsass.exe	40
PID 2796 wrote to memory of 2696	2796	lsass.exe	41
PID 2796 wrote to memory of 2696	2796	lsass.exe	41
PID 2796 wrote to memory of 2696	2796	lsass.exe	41
PID 2796 wrote to memory of 2696	2796	lsass.exe	41
PID 2696 wrote to memory of 2880	2696	lsass.exe	42
PID 2696 wrote to memory of 2880	2696	lsass.exe	42
PID 2696 wrote to memory of 2880	2696	lsass.exe	42
PID 2696 wrote to memory of 2880	2696	lsass.exe	42
PID 2880 wrote to memory of 2164	2880	lsass.exe	43
PID 2880 wrote to memory of 2164	2880	lsass.exe	43
PID 2880 wrote to memory of 2164	2880	lsass.exe	43
PID 2880 wrote to memory of 2164	2880	lsass.exe	43
PID 2164 wrote to memory of 2772	2164	lsass.exe	44
PID 2164 wrote to memory of 2772	2164	lsass.exe	44
PID 2164 wrote to memory of 2772	2164	lsass.exe	44
PID 2164 wrote to memory of 2772	2164	lsass.exe	44
PID 2772 wrote to memory of 2852	2772	lsass.exe	45
PID 2772 wrote to memory of 2852	2772	lsass.exe	45
PID 2772 wrote to memory of 2852	2772	lsass.exe	45
PID 2772 wrote to memory of 2852	2772	lsass.exe	45

C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2372
- \??\c:\lsass.exe
  c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1320
- - \??\c:\lsass.exe
    c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - \??\c:\lsass.exe
      c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2980
    - - \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        17⤵
        Executes dropped EXE
        
        PID:2852
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        18⤵
        Executes dropped EXE
        
        PID:2708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        20⤵
        Executes dropped EXE
        
        PID:2544
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:676
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        24⤵
        Executes dropped EXE
        
        PID:1468
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        25⤵
        Executes dropped EXE
        
        PID:2832
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        26⤵
        Executes dropped EXE
        
        PID:856
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        27⤵
        Executes dropped EXE
        
        PID:2864
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        28⤵
        Executes dropped EXE
        
        PID:2224
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        29⤵
        Executes dropped EXE
        
        PID:2392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        31⤵
        Executes dropped EXE
        
        PID:2140
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        32⤵
        Executes dropped EXE
        
        PID:1480
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        33⤵
        Executes dropped EXE
        
        PID:1532
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        34⤵
        Executes dropped EXE
        
        PID:1092
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        35⤵
        Executes dropped EXE
        
        PID:2380
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        36⤵
        Executes dropped EXE
        
        PID:636
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        37⤵
        Executes dropped EXE
        
        PID:1288
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        38⤵
        Executes dropped EXE
        
        PID:372
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        39⤵
        Executes dropped EXE
        
        PID:1540
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        40⤵
        Executes dropped EXE
        
        PID:2412
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        41⤵
        Executes dropped EXE
        
        PID:2396
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        42⤵
        Executes dropped EXE
        
        PID:1720
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        43⤵
        Executes dropped EXE
        
        PID:968
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1648
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        45⤵
        Executes dropped EXE
        
        PID:2248
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        46⤵
        Executes dropped EXE
        
        PID:1536
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        47⤵
        Executes dropped EXE
        
        PID:1340
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        48⤵
        Executes dropped EXE
        
        PID:2876
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        49⤵
        Executes dropped EXE
        
        PID:656
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        50⤵
        Executes dropped EXE
        
        PID:888
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        51⤵
        Executes dropped EXE
        
        PID:2844
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        52⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:896
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        53⤵
        Executes dropped EXE
        
        PID:2092
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        54⤵
        Executes dropped EXE
        
        PID:3004
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        55⤵
        Executes dropped EXE
        
        PID:2308
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        56⤵
        Executes dropped EXE
        
        PID:1668
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        57⤵
        Executes dropped EXE
        
        PID:2060
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        58⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2948
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        60⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3024
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        61⤵
        Executes dropped EXE
        
        PID:3056
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        62⤵
        Executes dropped EXE
        
        PID:2012
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        63⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2016
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        64⤵
        Executes dropped EXE
        
        PID:3032
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        65⤵
        Executes dropped EXE
        
        PID:484
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        66⤵
        
        PID:3064
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        67⤵
        
        PID:2776
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        68⤵
        
        PID:2744
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        69⤵
        Adds Run key to start application
        
        PID:2548
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        70⤵
        Adds Run key to start application
        
        PID:2704
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        71⤵
        
        PID:2880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        72⤵
        
        PID:2164
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        73⤵
        
        PID:2732
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        74⤵
        
        PID:2680
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        75⤵
        
        PID:2588
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        76⤵
        
        PID:2540
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        77⤵
        
        PID:2552
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        78⤵
        
        PID:2620
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        79⤵
        
        PID:2608
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        80⤵
        
        PID:2952
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        81⤵
        
        PID:1400
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        82⤵
        
        PID:2848
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        83⤵
        
        PID:2612
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        84⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        85⤵
        
        PID:1800
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        86⤵
        
        PID:2864
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        87⤵
        
        PID:2400
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        88⤵
        
        PID:2232
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        89⤵
        
        PID:2320
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        91⤵
        
        PID:2140
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        92⤵
        
        PID:1480
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        93⤵
        
        PID:772
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        94⤵
        
        PID:1152
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        95⤵
        
        PID:2428
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        96⤵
        
        PID:616
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        97⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        98⤵
        
        PID:1880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        99⤵
        
        PID:2452
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        100⤵
        
        PID:2436
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        101⤵
        
        PID:2412
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        102⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        103⤵
        
        PID:1716
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        105⤵
        
        PID:2024
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        106⤵
        
        PID:328
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        108⤵
        
        PID:2916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        109⤵
        
        PID:2856
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        110⤵
        Adds Run key to start application
        
        PID:2420
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        111⤵
        
        PID:2244
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        112⤵
        Adds Run key to start application
        
        PID:320
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        113⤵
        Adds Run key to start application
        
        PID:888
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        114⤵
        
        PID:2100
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        115⤵
        
        PID:896
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        117⤵
        
        PID:1580
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        118⤵
        Adds Run key to start application
        
        PID:1308
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        119⤵
        
        PID:1668
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        120⤵
        Adds Run key to start application
        
        PID:1100
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        121⤵
        
        PID:2324
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        122⤵
        Adds Run key to start application
        
        PID:2980
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        123⤵
        
        PID:2068
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        124⤵
        
        PID:1552
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        126⤵
        
        PID:2264
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        127⤵
        
        PID:2268
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        128⤵
        
        PID:3020
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        129⤵
        
        PID:2700
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        130⤵
        Adds Run key to start application
        
        PID:2760
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        131⤵
        Adds Run key to start application
        
        PID:2740
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        132⤵
        
        PID:2776
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        133⤵
        
        PID:2696
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        134⤵
        
        PID:2548
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        135⤵
        Adds Run key to start application
        
        PID:2576
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        136⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        137⤵
        
        PID:2332
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        138⤵
        
        PID:2852
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        139⤵
        
        PID:2708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        140⤵
        
        PID:2588
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        141⤵
        
        PID:2536
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        142⤵
        
        PID:2552
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        143⤵
        
        PID:2600
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        144⤵
        
        PID:2592
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        145⤵
        
        PID:676
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        146⤵
        
        PID:2820
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        147⤵
        
        PID:1892
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        148⤵
        
        PID:2644
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        149⤵
        
        PID:864
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        150⤵
        Adds Run key to start application
        
        PID:2128
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        151⤵
        
        PID:2192
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        153⤵
        
        PID:2184
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        155⤵
        
        PID:2104
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        156⤵
        
        PID:3048
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        157⤵
        
        PID:2196
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        158⤵
        
        PID:2556
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        159⤵
        
        PID:1532
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        160⤵
        Adds Run key to start application
        
        PID:2380
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        161⤵
        
        PID:2428
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        162⤵
        System Location Discovery: System Language Discovery
        
        PID:616
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        163⤵
        Adds Run key to start application
        
        PID:1328
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:1324
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        165⤵
        
        PID:2452
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        166⤵
        
        PID:2436
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        167⤵
        
        PID:1704
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        168⤵
        
        PID:1872
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        169⤵
        
        PID:1716
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        170⤵
        
        PID:1520
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        171⤵
        
        PID:1040
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:328
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        173⤵
        Adds Run key to start application
        
        PID:1860
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        174⤵
        
        PID:1856
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        175⤵
        System Location Discovery: System Language Discovery
        
        PID:852
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        176⤵
        Adds Run key to start application
        
        PID:2420
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        177⤵
        
        PID:2244
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:320
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        179⤵
        
        PID:712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        180⤵
        
        PID:2472
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        181⤵
        
        PID:896
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        182⤵
        
        PID:1496
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        184⤵
        
        PID:2492
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        185⤵
        
        PID:2208
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        186⤵
        
        PID:1100
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        188⤵
        
        PID:2988
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        189⤵
        
        PID:2328
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        190⤵
        Adds Run key to start application
        
        PID:2992
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        191⤵
        
        PID:2004
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        192⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        193⤵
        Adds Run key to start application
        
        PID:2260
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        194⤵
        
        PID:2652
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        195⤵
        
        PID:2648
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        196⤵
        
        PID:2760
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        197⤵
        
        PID:2692
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        198⤵
        
        PID:2796
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        199⤵
        
        PID:2672
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        200⤵
        
        PID:2548
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        201⤵
        
        PID:2176
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        202⤵
        Adds Run key to start application
        
        PID:2568
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        203⤵
        
        PID:2564
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        205⤵
        
        PID:2804
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        206⤵
        
        PID:2540
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        207⤵
        
        PID:2572
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        209⤵
        
        PID:2608
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        210⤵
        
        PID:1560
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        212⤵
        
        PID:2728
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        213⤵
        
        PID:2604
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        214⤵
        
        PID:2444
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        215⤵
        
        PID:2408
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        216⤵
        
        PID:388
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        217⤵
        
        PID:2240
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        218⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        219⤵
        
        PID:1884
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        220⤵
        Adds Run key to start application
        
        PID:2188
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        221⤵
        
        PID:1488
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        222⤵
        
        PID:3048
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        223⤵
        
        PID:2336
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        224⤵
        
        PID:2376
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        225⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        226⤵
        
        PID:964
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        227⤵
        
        PID:680
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        228⤵
        
        PID:1804
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        229⤵
        
        PID:1916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        230⤵
        
        PID:1724
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        231⤵
        
        PID:1880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        232⤵
        
        PID:1020
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        233⤵
        Adds Run key to start application
        
        PID:1404
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        234⤵
        
        PID:1648
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        235⤵
        
        PID:1520
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        236⤵
        
        PID:1040
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        237⤵
        
        PID:328
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        238⤵
        Adds Run key to start application
        
        PID:2344
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        239⤵
        
        PID:1856
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        240⤵
        
        PID:1340
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:572
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        242⤵
        
        PID:2244
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:320
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        244⤵
        
        PID:712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        245⤵
        
        PID:2152
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        246⤵
        
        PID:2308
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        247⤵
        
        PID:1596
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        248⤵
        
        PID:3004
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        249⤵
        
        PID:2936
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        250⤵
        
        PID:1308
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        251⤵
        
        PID:2476
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        252⤵
        
        PID:3012
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        253⤵
        
        PID:1072
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        254⤵
        
        PID:2980
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        255⤵
        
        PID:3008
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        256⤵
        
        PID:788
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        257⤵
        
        PID:2284
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        259⤵
        
        PID:3064
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        260⤵
        
        PID:2780
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        261⤵
        
        PID:2740
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        262⤵
        
        PID:2692
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        263⤵
        
        PID:2796
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        264⤵
        
        PID:2672
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        265⤵
        
        PID:2548
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        267⤵
        
        PID:2568
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        268⤵
        
        PID:2596
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        269⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        270⤵
        
        PID:2588
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        271⤵
        
        PID:2536
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        272⤵
        
        PID:2964
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        273⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        274⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        275⤵
        
        PID:2592
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        276⤵
        
        PID:2468
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        277⤵
        
        PID:676
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        278⤵
        
        PID:2820
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        279⤵
        
        PID:2728
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        280⤵
        
        PID:2604
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        281⤵
        
        PID:1484
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        282⤵
        
        PID:2204
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        283⤵
        
        PID:592
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        284⤵
        
        PID:2192
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        285⤵
        
        PID:2580
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        286⤵
        
        PID:1808
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        287⤵
        
        PID:2440
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        288⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        289⤵
        
        PID:2104
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        290⤵
        Adds Run key to start application
        
        PID:3048
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        291⤵
        Adds Run key to start application
        
        PID:2336
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        292⤵
        
        PID:1532
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        293⤵
        System Location Discovery: System Language Discovery
        
        PID:1092
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        294⤵
        
        PID:796
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        295⤵
        Adds Run key to start application
        
        PID:1288
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        296⤵
        Adds Run key to start application
        
        PID:2428
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        297⤵
        Adds Run key to start application
        
        PID:1592
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        298⤵
        
        PID:1620
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        299⤵
        Adds Run key to start application
        
        PID:2404
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        300⤵
        
        PID:344
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        301⤵
        
        PID:1720
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        302⤵
        
        PID:1432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        303⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        304⤵
        
        PID:1708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        305⤵
        
        PID:2516
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        306⤵
        
        PID:2236
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        307⤵
        
        PID:2788
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        308⤵
        
        PID:2916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        309⤵
        
        PID:1904
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        310⤵
        
        PID:1860
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        311⤵
        
        PID:2108
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        312⤵
        
        PID:708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        313⤵
        
        PID:892
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        314⤵
        
        PID:1564
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        315⤵
        
        PID:2092
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        316⤵
        
        PID:1584
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        317⤵
        
        PID:1556
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        318⤵
        
        PID:2060
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        319⤵
        
        PID:2208
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        320⤵
        
        PID:2948
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        321⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        322⤵
        
        PID:3040
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        323⤵
        
        PID:2068
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        324⤵
        
        PID:2992
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        325⤵
        
        PID:2004
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        326⤵
        
        PID:2264
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        327⤵
        
        PID:2112
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        328⤵
        
        PID:3020
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        329⤵
        
        PID:2752
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        330⤵
        
        PID:2748
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        331⤵
        
        PID:2740
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        332⤵
        Adds Run key to start application
        
        PID:2668
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        333⤵
        
        PID:2880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        334⤵
        
        PID:2836
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        335⤵
        
        PID:2548
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        336⤵
        
        PID:2332
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        337⤵
        
        PID:2568
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        338⤵
        
        PID:2772
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        339⤵
        Adds Run key to start application
        
        PID:2708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        340⤵
        
        PID:2544
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        341⤵
        
        PID:2712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        342⤵
        Adds Run key to start application
        
        PID:564
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        343⤵
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        344⤵
        
        PID:2340
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        345⤵
        
        PID:2592
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        346⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        347⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        348⤵
        
        PID:2848
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        349⤵
        
        PID:2644
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        350⤵
        
        PID:2860
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        351⤵
        
        PID:2224
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        352⤵
        
        PID:2128
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        353⤵
        
        PID:2400
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        354⤵
        
        PID:2192
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        355⤵
        
        PID:2580
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        356⤵
        
        PID:2140
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        357⤵
        
        PID:2440
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        358⤵
        
        PID:2972
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        359⤵
        
        PID:944
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        360⤵
        Adds Run key to start application
        
        PID:1012
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        361⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        362⤵
        
        PID:2300
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        363⤵
        System Location Discovery: System Language Discovery
        
        PID:616
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        364⤵
        
        PID:936
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        365⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        366⤵
        
        PID:2008
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        367⤵
        
        PID:1916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        368⤵
        
        PID:916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        369⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        370⤵
        
        PID:2252
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        371⤵
        
        PID:556
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        372⤵
        
        PID:1872
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        373⤵
        
        PID:1940
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        374⤵
        
        PID:2248
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        375⤵
        
        PID:1536
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        376⤵
        Adds Run key to start application
        
        PID:1404
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        377⤵
        
        PID:328
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        378⤵
        
        PID:2416
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        379⤵
        
        PID:1004
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        380⤵
        
        PID:816
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        381⤵
        
        PID:572
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        382⤵
        
        PID:2628
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        383⤵
        
        PID:2124
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        384⤵
        
        PID:712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        385⤵
        
        PID:1564
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        386⤵
        
        PID:2308
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        387⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        388⤵
        
        PID:3004
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        389⤵
        
        PID:1576
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        390⤵
        
        PID:2208
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        391⤵
        
        PID:2948
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        392⤵
        
        PID:2932
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        393⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        394⤵
        
        PID:2068
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        395⤵
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        396⤵
        
        PID:1284
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        397⤵
        
        PID:3052
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        398⤵
        
        PID:2260
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        399⤵
        
        PID:2636
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        400⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        401⤵
        
        PID:2544
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        402⤵
        
        PID:2712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        403⤵
        
        PID:564
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        404⤵
        
        PID:2608
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        405⤵
        Adds Run key to start application
        
        PID:2340
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        406⤵
        
        PID:2952
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        407⤵
        
        PID:2940
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        408⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        409⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        410⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        411⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        412⤵
        
        PID:2160
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        413⤵
        
        PID:2392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        414⤵
        
        PID:2232
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        415⤵
        
        PID:1948
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        416⤵
        
        PID:2240
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        417⤵
        
        PID:1712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        418⤵
        
        PID:1608
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        419⤵
        
        PID:2276
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        420⤵
        
        PID:2816
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        421⤵
        
        PID:1680
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        422⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        423⤵
        
        PID:2300
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        424⤵
        
        PID:940
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        425⤵
        
        PID:680
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        426⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        427⤵
        
        PID:2008
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        428⤵
        
        PID:1916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        429⤵
        
        PID:1508
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        430⤵
        Adds Run key to start application
        
        PID:1880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        431⤵
        
        PID:1432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        432⤵
        
        PID:1796
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        433⤵
        
        PID:1920
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        434⤵
        
        PID:1708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        435⤵
        
        PID:2120
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        436⤵
        
        PID:1776
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        437⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        438⤵
        
        PID:2916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        439⤵
        
        PID:1904
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        440⤵
        
        PID:568
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        441⤵
        Adds Run key to start application
        
        PID:2108
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        442⤵
        
        PID:708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        443⤵
        
        PID:1144
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        444⤵
        Adds Run key to start application
        
        PID:1732
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        445⤵
        Adds Run key to start application
        
        PID:896
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        446⤵
        Adds Run key to start application
        
        PID:1580
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        447⤵
        
        PID:1556
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        448⤵
        
        PID:2088
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        449⤵
        
        PID:2060
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        450⤵
        
        PID:2208
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        451⤵
        
        PID:2872
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        452⤵
        
        PID:2988
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        453⤵
        
        PID:2148
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        454⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        455⤵
        Adds Run key to start application
        
        PID:2992
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        456⤵
        
        PID:1284
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        457⤵
        Adds Run key to start application
        
        PID:3060
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        458⤵
        
        PID:2260
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        459⤵
        
        PID:3020
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        460⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        461⤵
        
        PID:2352
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        462⤵
        Adds Run key to start application
        
        PID:2712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        463⤵
        
        PID:1368
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        464⤵
        
        PID:2608
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        465⤵
        
        PID:1560
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        466⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        467⤵
        
        PID:2820
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        468⤵
        
        PID:2600
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        469⤵
        
        PID:2528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\lsass.exe

Filesize
19KB

MD5
8cb821933c226d587e5c2bde41fe79f7

SHA1
bf152a58902d7dbd908c49a3954c7f9412b3db71

SHA256
d4752ab6192adfaa398fc71e75bafbd4f478619c432593e6804a2f126392f89a

SHA512
f9d90a8c5117e8fac1ed7a3ef728c0f6cd60243e069133a432892526735f0d55509c360991add6493c4d4fd18ee2721c1f6c335814b0b9dabe818cb0e16e549f

Download Submit
memory/372-137-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/484-224-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/484-226-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/636-131-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/656-172-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/656-175-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/676-85-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/676-87-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/788-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/856-98-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/888-177-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/896-184-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/968-151-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/968-153-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1092-125-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1092-122-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1212-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1212-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1288-134-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1320-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1320-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1340-167-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1340-164-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1468-91-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1480-117-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1532-120-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1536-163-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1540-141-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1540-138-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1648-156-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1668-197-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1720-150-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2012-217-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2016-219-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2036-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2060-198-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2060-200-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2092-187-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2092-185-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2140-114-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2164-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2220-21-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2224-102-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2224-105-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2248-157-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2248-159-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2308-194-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2308-191-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2328-207-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2328-205-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2372-118-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2372-43-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2372-6-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2372-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2372-42-0x0000000000020000-0x0000000000030000-memory.dmp

Filesize
64KB

Download
memory/2372-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2380-126-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2380-128-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2392-107-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2396-146-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2412-144-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2544-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2544-76-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2608-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2608-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2696-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2708-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2740-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-233-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2772-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2772-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2776-229-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2776-231-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2796-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2796-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2832-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2832-92-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2844-178-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2844-180-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2852-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2864-100-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2876-168-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2876-171-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2880-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2880-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2932-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2948-204-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2952-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2952-83-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2980-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3004-190-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3024-211-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-32-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-223-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3048-109-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3048-112-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3052-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3052-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3056-215-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3056-212-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3064-228-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3064-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3064-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads