d4752ab6192adfaa398fc71e75bafbd4f478619c432593e6804a2f126392f89a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
Size

19KB
MD5

8cb821933c226d587e5c2bde41fe79f7
SHA1

bf152a58902d7dbd908c49a3954c7f9412b3db71
SHA256

d4752ab6192adfaa398fc71e75bafbd4f478619c432593e6804a2f126392f89a
SHA512

f9d90a8c5117e8fac1ed7a3ef728c0f6cd60243e069133a432892526735f0d55509c360991add6493c4d4fd18ee2721c1f6c335814b0b9dabe818cb0e16e549f
SSDEEP

384:48cOMxhYHDloKmKEYFNBOW3PNsP3JO7vLbUtg2doCwwYxQWfjfA9O:zcOKarTZrVsPZCPUJoDwYxjfj

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
4320	lsass.exe
3380	lsass.exe
2936	lsass.exe
4340	lsass.exe
2096	lsass.exe
3148	lsass.exe
3184	lsass.exe
3964	lsass.exe
4516	lsass.exe
3972	lsass.exe
4576	lsass.exe
3264	lsass.exe
2148	lsass.exe
1096	lsass.exe
4908	lsass.exe
4020	lsass.exe
392	lsass.exe
3732	lsass.exe
1192	lsass.exe
2348	lsass.exe
532	lsass.exe
4604	lsass.exe
3032	lsass.exe
4480	lsass.exe
4920	lsass.exe
3800	lsass.exe
2612	lsass.exe
4284	lsass.exe
776	lsass.exe
4444	lsass.exe
60	lsass.exe
2168	lsass.exe
4040	lsass.exe
4700	lsass.exe
1676	lsass.exe
2308	lsass.exe
1520	lsass.exe
964	lsass.exe
3880	lsass.exe
828	lsass.exe
3936	lsass.exe
2972	lsass.exe
2824	lsass.exe
3980	lsass.exe
4576	lsass.exe
2196	lsass.exe
3128	lsass.exe
4404	lsass.exe
864	lsass.exe
2968	lsass.exe
5024	lsass.exe
4628	lsass.exe
2224	lsass.exe
1948	lsass.exe
660	lsass.exe
2992	lsass.exe
1456	lsass.exe
4972	lsass.exe
3628	lsass.exe
4272	lsass.exe
4360	lsass.exe
1068	lsass.exe
60	lsass.exe
4544	lsass.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4172-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/files/0x0009000000023424-3.dat	upx
behavioral2/memory/4320-5-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4320-8-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3380-9-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3380-11-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2936-12-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2936-15-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4340-17-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2096-20-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3148-23-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3184-27-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3964-30-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4516-32-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4172-34-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3972-37-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4576-40-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3264-43-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2148-44-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2148-47-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1096-50-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4908-53-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4020-54-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4020-57-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/392-59-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3732-60-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3732-63-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1192-65-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2348-69-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/532-71-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4604-74-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3032-78-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4480-80-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4920-83-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3800-86-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2612-89-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4284-92-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/776-95-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4444-96-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4444-97-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/60-100-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4172-99-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/60-103-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2168-104-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2168-107-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4040-108-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4040-111-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4700-112-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4700-115-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1676-117-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2308-119-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2308-121-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/964-126-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/1520-125-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/964-128-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3880-131-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/828-133-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/828-136-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3936-137-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3936-140-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2972-142-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2824-144-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/2824-147-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/3980-148-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4750 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7841 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\25323 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3255 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5862 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\265 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2157 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\12249 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\31362 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\15239 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\19998 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4621 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2333 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7831 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\30204 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\25284 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\19949 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\13524 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\24654 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\30074 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\16285 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\13202 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\30473 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\25934 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\25890 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7536 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\15938 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\13862 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\14052 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\32588 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\19244 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4053 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2115 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\11528 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4089 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\18716 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\25678 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1180 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\12235 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2154 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\23693 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2074 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\20563 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\10699 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8106 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\16067 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\15404 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3131 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8365 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\15151 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\26418 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\16557 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\23685 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\16563 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\14837 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\19065 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\27839 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\13166 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8015 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\28453 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8048 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9031 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\21716 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4937 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"	lsass.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DHCP = "1631340"	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DNS	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 4320	4172	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe	85
PID 4172 wrote to memory of 4320	4172	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe	85
PID 4172 wrote to memory of 4320	4172	8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe	85
PID 4320 wrote to memory of 3380	4320	lsass.exe	88
PID 4320 wrote to memory of 3380	4320	lsass.exe	88
PID 4320 wrote to memory of 3380	4320	lsass.exe	88
PID 3380 wrote to memory of 2936	3380	lsass.exe	89
PID 3380 wrote to memory of 2936	3380	lsass.exe	89
PID 3380 wrote to memory of 2936	3380	lsass.exe	89
PID 2936 wrote to memory of 4340	2936	lsass.exe	90
PID 2936 wrote to memory of 4340	2936	lsass.exe	90
PID 2936 wrote to memory of 4340	2936	lsass.exe	90
PID 4340 wrote to memory of 2096	4340	lsass.exe	91
PID 4340 wrote to memory of 2096	4340	lsass.exe	91
PID 4340 wrote to memory of 2096	4340	lsass.exe	91
PID 2096 wrote to memory of 3148	2096	lsass.exe	92
PID 2096 wrote to memory of 3148	2096	lsass.exe	92
PID 2096 wrote to memory of 3148	2096	lsass.exe	92
PID 3148 wrote to memory of 3184	3148	lsass.exe	93
PID 3148 wrote to memory of 3184	3148	lsass.exe	93
PID 3148 wrote to memory of 3184	3148	lsass.exe	93
PID 3184 wrote to memory of 3964	3184	lsass.exe	94
PID 3184 wrote to memory of 3964	3184	lsass.exe	94
PID 3184 wrote to memory of 3964	3184	lsass.exe	94
PID 3964 wrote to memory of 4516	3964	lsass.exe	95
PID 3964 wrote to memory of 4516	3964	lsass.exe	95
PID 3964 wrote to memory of 4516	3964	lsass.exe	95
PID 4516 wrote to memory of 3972	4516	lsass.exe	98
PID 4516 wrote to memory of 3972	4516	lsass.exe	98
PID 4516 wrote to memory of 3972	4516	lsass.exe	98
PID 3972 wrote to memory of 4576	3972	lsass.exe	99
PID 3972 wrote to memory of 4576	3972	lsass.exe	99
PID 3972 wrote to memory of 4576	3972	lsass.exe	99
PID 4576 wrote to memory of 3264	4576	lsass.exe	100
PID 4576 wrote to memory of 3264	4576	lsass.exe	100
PID 4576 wrote to memory of 3264	4576	lsass.exe	100
PID 3264 wrote to memory of 2148	3264	lsass.exe	102
PID 3264 wrote to memory of 2148	3264	lsass.exe	102
PID 3264 wrote to memory of 2148	3264	lsass.exe	102
PID 2148 wrote to memory of 1096	2148	lsass.exe	104
PID 2148 wrote to memory of 1096	2148	lsass.exe	104
PID 2148 wrote to memory of 1096	2148	lsass.exe	104
PID 1096 wrote to memory of 4908	1096	lsass.exe	105
PID 1096 wrote to memory of 4908	1096	lsass.exe	105
PID 1096 wrote to memory of 4908	1096	lsass.exe	105
PID 4908 wrote to memory of 4020	4908	lsass.exe	106
PID 4908 wrote to memory of 4020	4908	lsass.exe	106
PID 4908 wrote to memory of 4020	4908	lsass.exe	106
PID 4020 wrote to memory of 392	4020	lsass.exe	107
PID 4020 wrote to memory of 392	4020	lsass.exe	107
PID 4020 wrote to memory of 392	4020	lsass.exe	107
PID 392 wrote to memory of 3732	392	lsass.exe	108
PID 392 wrote to memory of 3732	392	lsass.exe	108
PID 392 wrote to memory of 3732	392	lsass.exe	108
PID 3732 wrote to memory of 1192	3732	lsass.exe	109
PID 3732 wrote to memory of 1192	3732	lsass.exe	109
PID 3732 wrote to memory of 1192	3732	lsass.exe	109
PID 1192 wrote to memory of 2348	1192	lsass.exe	110
PID 1192 wrote to memory of 2348	1192	lsass.exe	110
PID 1192 wrote to memory of 2348	1192	lsass.exe	110
PID 2348 wrote to memory of 532	2348	lsass.exe	111
PID 2348 wrote to memory of 532	2348	lsass.exe	111
PID 2348 wrote to memory of 532	2348	lsass.exe	111
PID 532 wrote to memory of 4604	532	lsass.exe	113

C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:4172
- \??\c:\lsass.exe
  c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4320
- - \??\c:\lsass.exe
    c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - \??\c:\lsass.exe
      c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2936
    - - \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4340
      - \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3964
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        23⤵
        Executes dropped EXE
        
        PID:4604
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        24⤵
        Executes dropped EXE
        
        PID:3032
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        25⤵
        Executes dropped EXE
        
        PID:4480
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        26⤵
        Executes dropped EXE
        
        PID:4920
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        27⤵
        Executes dropped EXE
        
        PID:3800
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        29⤵
        Executes dropped EXE
        
        PID:4284
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        30⤵
        Executes dropped EXE
        
        PID:776
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        31⤵
        Executes dropped EXE
        
        PID:4444
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        32⤵
        Executes dropped EXE
        
        PID:60
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        33⤵
        Executes dropped EXE
        
        PID:2168
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        34⤵
        Executes dropped EXE
        
        PID:4040
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        35⤵
        Executes dropped EXE
        
        PID:4700
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        36⤵
        Executes dropped EXE
        
        PID:1676
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        37⤵
        Executes dropped EXE
        
        PID:2308
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        38⤵
        Executes dropped EXE
        
        PID:1520
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        39⤵
        Executes dropped EXE
        
        PID:964
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        41⤵
        Executes dropped EXE
        
        PID:828
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        42⤵
        Executes dropped EXE
        
        PID:3936
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        43⤵
        Executes dropped EXE
        
        PID:2972
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2824
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        45⤵
        Executes dropped EXE
        
        PID:3980
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        46⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4576
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        47⤵
        Executes dropped EXE
        
        PID:2196
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        48⤵
        Executes dropped EXE
        
        PID:3128
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        49⤵
        Executes dropped EXE
        
        PID:4404
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        50⤵
        Executes dropped EXE
        
        PID:864
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        51⤵
        Executes dropped EXE
        
        PID:2968
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        52⤵
        Executes dropped EXE
        
        PID:5024
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        53⤵
        Executes dropped EXE
        
        PID:4628
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2224
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        55⤵
        Executes dropped EXE
        
        PID:1948
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        56⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:660
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        57⤵
        Executes dropped EXE
        
        PID:2992
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        58⤵
        Executes dropped EXE
        
        PID:1456
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        59⤵
        Executes dropped EXE
        
        PID:4972
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        61⤵
        Executes dropped EXE
        
        PID:4272
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        62⤵
        Executes dropped EXE
        
        PID:4360
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        63⤵
        Executes dropped EXE
        
        PID:1068
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        64⤵
        Executes dropped EXE
        
        PID:60
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        66⤵
        
        PID:1212
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        67⤵
        
        PID:3700
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        68⤵
        
        PID:3632
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        70⤵
        
        PID:3584
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        71⤵
        Adds Run key to start application
        
        PID:2924
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        72⤵
        
        PID:4036
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        73⤵
        Adds Run key to start application
        
        PID:5028
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        74⤵
        
        PID:2200
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        75⤵
        
        PID:2272
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        76⤵
        
        PID:4708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        77⤵
        
        PID:4456
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        78⤵
        Adds Run key to start application
        
        PID:3076
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        79⤵
        Adds Run key to start application
        
        PID:2312
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        80⤵
        
        PID:3568
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        81⤵
        
        PID:2320
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        83⤵
        
        PID:3264
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        84⤵
        
        PID:2316
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        86⤵
        
        PID:4908
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        87⤵
        
        PID:4764
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        88⤵
        
        PID:1932
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        89⤵
        Adds Run key to start application
        
        PID:4600
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        90⤵
        
        PID:2968
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        91⤵
        
        PID:2748
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        92⤵
        
        PID:3508
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        93⤵
        
        PID:4580
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        94⤵
        
        PID:1772
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        95⤵
        Adds Run key to start application
        
        PID:4920
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:3852
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        97⤵
        
        PID:2772
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        98⤵
        
        PID:620
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        99⤵
        
        PID:4968
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        100⤵
        
        PID:3796
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        101⤵
        
        PID:1212
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        102⤵
        Adds Run key to start application
        
        PID:4980
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        103⤵
        
        PID:424
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        104⤵
        
        PID:2128
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        105⤵
        
        PID:2716
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        107⤵
        
        PID:4508
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        108⤵
        
        PID:608
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        109⤵
        
        PID:4432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        112⤵
        
        PID:1136
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        113⤵
        
        PID:688
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        115⤵
        
        PID:3980
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        116⤵
        
        PID:4984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        117⤵
        
        PID:4060
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        118⤵
        Adds Run key to start application
        
        PID:4276
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        119⤵
        
        PID:2712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        120⤵
        
        PID:1196
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        121⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        123⤵
        
        PID:2416
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        124⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        125⤵
        
        PID:3864
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        126⤵
        
        PID:4740
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        127⤵
        
        PID:660
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        128⤵
        
        PID:2540
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        129⤵
        
        PID:2432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        130⤵
        
        PID:4744
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        131⤵
        
        PID:1456
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        132⤵
        
        PID:3852
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        133⤵
        
        PID:2720
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        136⤵
        
        PID:2752
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        137⤵
        Adds Run key to start application
        
        PID:3692
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        138⤵
        
        PID:4040
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        139⤵
        
        PID:1372
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        140⤵
        
        PID:4700
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        141⤵
        
        PID:3556
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        142⤵
        
        PID:452
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        143⤵
        
        PID:4080
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        144⤵
        
        PID:4408
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        145⤵
        
        PID:964
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        146⤵
        
        PID:3632
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        147⤵
        
        PID:4780
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        148⤵
        
        PID:3880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        149⤵
        
        PID:2152
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        150⤵
        
        PID:3768
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        151⤵
        
        PID:3368
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        152⤵
        
        PID:396
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        153⤵
        
        PID:2120
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        155⤵
        
        PID:2212
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        156⤵
        Adds Run key to start application
        
        PID:2320
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        159⤵
        
        PID:4404
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        160⤵
        
        PID:4276
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        162⤵
        
        PID:4764
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        163⤵
        
        PID:3276
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        164⤵
        
        PID:4020
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        165⤵
        
        PID:4296
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        166⤵
        Adds Run key to start application
        
        PID:3984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        167⤵
        
        PID:4584
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        168⤵
        
        PID:1228
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        169⤵
        
        PID:960
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        171⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:660
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        172⤵
        Adds Run key to start application
        
        PID:2540
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        173⤵
        
        PID:2432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        174⤵
        
        PID:2612
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        175⤵
        
        PID:1456
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        176⤵
        
        PID:3852
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        177⤵
        
        PID:1516
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        178⤵
        
        PID:4368
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        179⤵
        Adds Run key to start application
        
        PID:1380
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        180⤵
        
        PID:4968
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        182⤵
        
        PID:3300
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        183⤵
        
        PID:1068
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        184⤵
        
        PID:1432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        185⤵
        
        PID:712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        186⤵
        
        PID:5052
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        187⤵
        
        PID:5032
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        188⤵
        
        PID:3148
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        190⤵
        
        PID:2200
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        191⤵
        
        PID:3964
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        193⤵
        
        PID:3368
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        194⤵
        
        PID:3076
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        196⤵
        
        PID:3972
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        197⤵
        
        PID:2948
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        198⤵
        
        PID:2340
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        199⤵
        Adds Run key to start application
        
        PID:2688
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        200⤵
        
        PID:1196
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        201⤵
        Adds Run key to start application
        
        PID:1932
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        202⤵
        
        PID:2916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        203⤵
        
        PID:2416
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        204⤵
        
        PID:1028
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        206⤵
        
        PID:3508
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        207⤵
        Adds Run key to start application
        
        PID:532
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        208⤵
        
        PID:2992
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        209⤵
        
        PID:4144
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        210⤵
        
        PID:4612
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        211⤵
        
        PID:3392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        212⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        213⤵
        
        PID:1272
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        214⤵
        
        PID:4048
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        215⤵
        
        PID:4444
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        216⤵
        
        PID:4844
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        217⤵
        
        PID:60
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        218⤵
        
        PID:4292
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        219⤵
        
        PID:4728
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        220⤵
        
        PID:3300
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        221⤵
        
        PID:3796
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        222⤵
        Adds Run key to start application
        
        PID:1676
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        223⤵
        
        PID:4092
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        224⤵
        
        PID:1120
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        225⤵
        
        PID:3124
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        226⤵
        
        PID:2224
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        228⤵
        
        PID:1752
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        229⤵
        
        PID:2716
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        230⤵
        Adds Run key to start application
        
        PID:3148
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        231⤵
        
        PID:4780
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        232⤵
        Adds Run key to start application
        
        PID:4692
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        233⤵
        
        PID:2152
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        234⤵
        
        PID:4496
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        235⤵
        
        PID:3484
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        236⤵
        Adds Run key to start application
        
        PID:3368
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        237⤵
        Adds Run key to start application
        
        PID:1672
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        238⤵
        
        PID:2120
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        239⤵
        Adds Run key to start application
        
        PID:3496
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        240⤵
        
        PID:4348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        241⤵
        
        PID:2948
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        242⤵
        
        PID:1928
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        243⤵
        
        PID:2464
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        244⤵
        
        PID:3156
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        245⤵
        
        PID:4052
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        246⤵
        
        PID:400
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        247⤵
        
        PID:864
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        248⤵
        
        PID:4192
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        249⤵
        
        PID:936
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        250⤵
        
        PID:4716
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        251⤵
        Adds Run key to start application
        
        PID:2640
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        252⤵
        
        PID:4148
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        254⤵
        
        PID:3508
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        255⤵
        
        PID:532
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        256⤵
        
        PID:2992
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        257⤵
        
        PID:2540
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        258⤵
        
        PID:3592
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        259⤵
        Adds Run key to start application
        
        PID:2612
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        260⤵
        
        PID:528
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:116
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        262⤵
        
        PID:2524
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        263⤵
        
        PID:3696
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        264⤵
        
        PID:2780
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        265⤵
        
        PID:2900
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        266⤵
        Adds Run key to start application
        
        PID:4368
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        267⤵
        
        PID:3944
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        269⤵
        
        PID:372
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        270⤵
        
        PID:2388
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        271⤵
        
        PID:1088
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        272⤵
        
        PID:4832
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        273⤵
        
        PID:2728
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        274⤵
        
        PID:452
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        275⤵
        
        PID:1332
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        276⤵
        
        PID:896
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        277⤵
        
        PID:2224
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        278⤵
        
        PID:4408
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        279⤵
        Adds Run key to start application
        
        PID:1752
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        280⤵
        
        PID:2716
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        281⤵
        
        PID:3148
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        282⤵
        
        PID:4780
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        283⤵
        
        PID:4692
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        284⤵
        
        PID:2152
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        285⤵
        
        PID:4496
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        286⤵
        
        PID:3484
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        287⤵
        
        PID:3368
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        288⤵
        
        PID:2244
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        289⤵
        
        PID:2652
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        290⤵
        
        PID:3312
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        291⤵
        Adds Run key to start application
        
        PID:4348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        292⤵
        
        PID:2384
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        293⤵
        
        PID:1928
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        294⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        295⤵
        
        PID:2952
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        296⤵
        
        PID:4992
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        297⤵
        
        PID:552
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        298⤵
        
        PID:3960
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        299⤵
        
        PID:2132
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        300⤵
        Adds Run key to start application
        
        PID:2168
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        301⤵
        
        PID:4292
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        302⤵
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        303⤵
        
        PID:1068
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        304⤵
        
        PID:4828
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        305⤵
        
        PID:2096
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        306⤵
        Adds Run key to start application
        
        PID:1660
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        307⤵
        
        PID:4432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        308⤵
        
        PID:4340
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        309⤵
        Adds Run key to start application
        
        PID:2972
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        310⤵
        Adds Run key to start application
        
        PID:2984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        311⤵
        
        PID:1596
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        312⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        313⤵
        
        PID:3368
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        314⤵
        
        PID:2928
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        315⤵
        
        PID:2652
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        316⤵
        
        PID:4764
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        317⤵
        
        PID:2764
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        318⤵
        
        PID:4524
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        319⤵
        
        PID:1112
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        320⤵
        
        PID:2548
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        321⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        322⤵
        
        PID:4052
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        323⤵
        
        PID:1772
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        324⤵
        Adds Run key to start application
        
        PID:660
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        326⤵
        
        PID:3392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        327⤵
        
        PID:3960
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        328⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        329⤵
        
        PID:1932
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        330⤵
        Adds Run key to start application
        
        PID:2916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        331⤵
        
        PID:4084
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        332⤵
        
        PID:736
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        333⤵
        
        PID:4788
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        334⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        335⤵
        
        PID:832
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        336⤵
        
        PID:1644
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        337⤵
        
        PID:1380
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        338⤵
        
        PID:1600
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        339⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        340⤵
        Adds Run key to start application
        
        PID:620
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        341⤵
        System Location Discovery: System Language Discovery
        
        PID:3328
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        342⤵
        
        PID:3152
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        343⤵
        
        PID:3124
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        344⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        345⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        346⤵
        
        PID:1372
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        347⤵
        
        PID:4128
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        348⤵
        Adds Run key to start application
        
        PID:672
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        349⤵
        
        PID:3752
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        350⤵
        
        PID:1520
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        351⤵
        
        PID:1708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        352⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        353⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        354⤵
        Adds Run key to start application
        
        PID:860
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        355⤵
        
        PID:3164
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        356⤵
        
        PID:704
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        357⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        358⤵
        
        PID:1048
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        359⤵
        
        PID:2268
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        360⤵
        Adds Run key to start application
        
        PID:836
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        361⤵
        
        PID:2392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        362⤵
        
        PID:3496
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        363⤵
        
        PID:4956
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        364⤵
        
        PID:4112
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        365⤵
        
        PID:3876
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        366⤵
        
        PID:3632
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        367⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        368⤵
        
        PID:2348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        369⤵
        
        PID:1360
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        370⤵
        
        PID:112
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        371⤵
        
        PID:2540
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        372⤵
        
        PID:4304
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        373⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        374⤵
        Adds Run key to start application
        
        PID:4020
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        375⤵
        
        PID:1932
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        376⤵
        
        PID:3892
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        377⤵
        
        PID:4084
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        378⤵
        
        PID:736
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        379⤵
        
        PID:4324
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        380⤵
        
        PID:4528
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        381⤵
        
        PID:3644
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        382⤵
        
        PID:4360
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        383⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        384⤵
        
        PID:4368
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        385⤵
        Adds Run key to start application
        
        PID:1212
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        386⤵
        
        PID:4604
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        387⤵
        
        PID:3688
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        388⤵
        
        PID:4708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        389⤵
        
        PID:4232
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        390⤵
        
        PID:2824
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        391⤵
        
        PID:1596
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        392⤵
        Adds Run key to start application
        
        PID:4100
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        393⤵
        
        PID:2232
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        394⤵
        
        PID:688
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        395⤵
        Adds Run key to start application
        
        PID:3312
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        396⤵
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        397⤵
        
        PID:3264
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        398⤵
        
        PID:1112
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        399⤵
        
        PID:4276
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        400⤵
        
        PID:4064
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        401⤵
        
        PID:4992
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        402⤵
        Adds Run key to start application
        
        PID:4052
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        403⤵
        
        PID:2348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        404⤵
        
        PID:660
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        405⤵
        
        PID:1100
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        406⤵
        
        PID:928
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        407⤵
        
        PID:3960
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        408⤵
        Adds Run key to start application
        
        PID:5024
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        409⤵
        
        PID:4756
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        410⤵
        
        PID:4452
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        411⤵
        Adds Run key to start application
        
        PID:2756
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        412⤵
        
        PID:676
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        413⤵
        
        PID:4728
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        414⤵
        Adds Run key to start application
        
        PID:4712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        415⤵
        
        PID:372
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        416⤵
        Adds Run key to start application
        
        PID:1876
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        417⤵
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        418⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        419⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        420⤵
        Adds Run key to start application
        
        PID:964
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        421⤵
        
        PID:4232
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        422⤵
        
        PID:396
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        423⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        424⤵
        Adds Run key to start application
        
        PID:1048
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        425⤵
        
        PID:2232
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        426⤵
        
        PID:2268
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        427⤵
        
        PID:748
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        428⤵
        
        PID:2340
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        429⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        430⤵
        
        PID:3576
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        431⤵
        
        PID:3220
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        432⤵
        
        PID:4956
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        433⤵
        
        PID:1808
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        434⤵
        
        PID:3876
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        435⤵
        
        PID:1552
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        436⤵
        
        PID:2320
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        437⤵
        
        PID:2876
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        438⤵
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        439⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        440⤵
        
        PID:112
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        441⤵
        
        PID:3508
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        442⤵
        
        PID:3628
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        443⤵
        
        PID:532
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        444⤵
        
        PID:2968
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        445⤵
        Adds Run key to start application
        
        PID:4564
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        446⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        447⤵
        
        PID:1932
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        448⤵
        
        PID:2756
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        449⤵
        
        PID:676
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        450⤵
        
        PID:4396
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        451⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        452⤵
        
        PID:1376
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        453⤵
        
        PID:4108
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        454⤵
        
        PID:4360
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        455⤵
        
        PID:3468
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\8cb821933c226d587e5c2bde41fe79f7_JaffaCakes118.exe
        456⤵
        
        PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\lsass.exe

Filesize
19KB

MD5
8cb821933c226d587e5c2bde41fe79f7

SHA1
bf152a58902d7dbd908c49a3954c7f9412b3db71

SHA256
d4752ab6192adfaa398fc71e75bafbd4f478619c432593e6804a2f126392f89a

SHA512
f9d90a8c5117e8fac1ed7a3ef728c0f6cd60243e069133a432892526735f0d55509c360991add6493c4d4fd18ee2721c1f6c335814b0b9dabe818cb0e16e549f

Download Submit
memory/60-217-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/60-100-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/60-103-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/392-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/532-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/660-192-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/776-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/828-133-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/828-136-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/864-169-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/864-167-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/872-228-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/964-128-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/964-126-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1068-215-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1096-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1192-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1212-221-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1456-198-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1520-125-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1676-117-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1948-189-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1948-186-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2096-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2148-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2148-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2168-104-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2168-107-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2196-156-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2196-159-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2224-184-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2308-121-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2308-119-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2348-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2612-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2824-144-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2824-147-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2924-231-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2924-233-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2936-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2936-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2968-174-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2968-171-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2972-142-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2992-193-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2992-195-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3128-161-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3148-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3184-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3264-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3380-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3380-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3584-230-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3628-205-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3632-226-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3700-222-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3700-224-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3732-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3732-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3800-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3880-131-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3936-137-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3936-140-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3964-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3972-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3980-148-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3980-151-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4020-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4020-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4040-111-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4040-108-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4172-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4172-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4172-99-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4272-208-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4284-92-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4320-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4320-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4340-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4360-212-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4404-165-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4404-163-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4444-96-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4444-97-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4480-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4516-32-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4544-219-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4576-155-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4576-152-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4576-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4604-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4628-182-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4628-179-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4700-115-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4700-112-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4908-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4920-83-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4972-201-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5024-178-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5024-175-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads