7c3964f2c473e5a49eef26594040d998dc029ea973fc3e7d4d88606b66b691fc

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 00:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
Size

52KB
MD5

5480948c56f5a64827c5437969f008c1
SHA1

2cd05c09ca39825e37b131760ee8a6c76b5a301d
SHA256

7c3964f2c473e5a49eef26594040d998dc029ea973fc3e7d4d88606b66b691fc
SHA512

af589b7a5d40225b1933ca60f8f3e73e739ba13d03733a9bf6a702ec856831a67d051c839cc964b6702c7975d6818eaeb9ee6ab0a30024892494813f6a8fc78a
SSDEEP

1536:iHloQ7e4d0rYq/MC2tF3kXWyDNKf/3nbrSmKxN:iHloLcqE53kXlRMfbOm2N

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

pid	Process
1928	lsass.exe
2916	lsass.exe
4764	lsass.exe
3456	lsass.exe
3984	lsass.exe
2268	lsass.exe
1748	lsass.exe
3404	lsass.exe
3520	lsass.exe
2828	lsass.exe
3860	lsass.exe
4256	lsass.exe
2920	lsass.exe
4632	lsass.exe
524	lsass.exe
2668	lsass.exe
4352	lsass.exe
2140	lsass.exe
4432	lsass.exe
3020	lsass.exe
2884	lsass.exe
3080	lsass.exe
2032	lsass.exe
1864	lsass.exe
3868	lsass.exe
5116	lsass.exe
1536	lsass.exe
380	lsass.exe
4452	lsass.exe
376	lsass.exe
4480	lsass.exe
2424	lsass.exe
2768	lsass.exe
4764	lsass.exe
4760	lsass.exe
880	lsass.exe
4336	lsass.exe
388	lsass.exe
3592	lsass.exe
4124	lsass.exe
3852	lsass.exe
3012	lsass.exe
4684	lsass.exe
3184	lsass.exe
1000	lsass.exe
2764	lsass.exe
2108	lsass.exe
3744	lsass.exe
3428	lsass.exe
2472	lsass.exe
4700	lsass.exe
3004	lsass.exe
3828	lsass.exe
2088	lsass.exe
4100	lsass.exe
3240	lsass.exe
3772	lsass.exe
4084	lsass.exe
2840	lsass.exe
2856	lsass.exe
3804	lsass.exe
4460	lsass.exe
216	lsass.exe
2664	lsass.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5617 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\360 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\32065 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5870 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\28438 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\22907 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\27671 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4905 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\20948 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9751 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\28557 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\15059 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\30134 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\24982 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\22845 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7264 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\17095 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\14573 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\31763 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\12777 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6044 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\15869 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\22623 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9758 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\13430 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\24554 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7628 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\11231 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\18464 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\13972 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4300 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\26653 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1556 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7448 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\16557 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\31506 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7472 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\32350 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\26993 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\18971 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8813 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\21410 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\26816 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\20688 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\11175 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\25114 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\30061 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\16679 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\28563 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\32347 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\1938 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6965 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\3185 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\8834 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\28991 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\32013 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\5749 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\25902 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\28032 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9473 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\12120 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4957 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\31232 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\6913 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"	lsass.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2528-0-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/files/0x000c000000023bc7-3.dat	upx
behavioral2/memory/1928-5-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1928-7-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2916-9-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4764-13-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3456-16-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3984-19-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2268-21-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1748-25-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3404-28-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2528-32-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3520-30-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2828-34-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3860-37-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4256-41-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2920-43-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4632-46-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/524-48-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2668-52-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4352-54-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2140-57-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4432-60-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3020-64-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2884-67-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3080-69-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2032-73-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1864-76-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3868-79-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/5116-82-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1536-85-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/380-87-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4452-91-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2528-95-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/376-93-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4480-97-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2424-101-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2768-103-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4764-106-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4760-109-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/880-111-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4336-115-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/388-118-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3592-121-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4124-123-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3852-126-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4684-131-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3184-135-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/1000-138-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2764-140-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2108-143-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3744-146-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3428-148-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4700-153-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2472-152-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4700-156-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3004-159-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3828-161-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2088-164-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4100-167-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3240-170-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/3772-172-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/4084-175-0x0000000000400000-0x000000000041A000-memory.dmp	upx
behavioral2/memory/2840-177-0x0000000000400000-0x000000000041A000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DHCP = "1733758"	5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DNS	5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1928	2528	5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe	84
PID 2528 wrote to memory of 1928	2528	5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe	84
PID 2528 wrote to memory of 1928	2528	5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe	84
PID 1928 wrote to memory of 2916	1928	lsass.exe	87
PID 1928 wrote to memory of 2916	1928	lsass.exe	87
PID 1928 wrote to memory of 2916	1928	lsass.exe	87
PID 2916 wrote to memory of 4764	2916	lsass.exe	89
PID 2916 wrote to memory of 4764	2916	lsass.exe	89
PID 2916 wrote to memory of 4764	2916	lsass.exe	89
PID 4764 wrote to memory of 3456	4764	lsass.exe	90
PID 4764 wrote to memory of 3456	4764	lsass.exe	90
PID 4764 wrote to memory of 3456	4764	lsass.exe	90
PID 3456 wrote to memory of 3984	3456	lsass.exe	91
PID 3456 wrote to memory of 3984	3456	lsass.exe	91
PID 3456 wrote to memory of 3984	3456	lsass.exe	91
PID 3984 wrote to memory of 2268	3984	lsass.exe	92
PID 3984 wrote to memory of 2268	3984	lsass.exe	92
PID 3984 wrote to memory of 2268	3984	lsass.exe	92
PID 2268 wrote to memory of 1748	2268	lsass.exe	93
PID 2268 wrote to memory of 1748	2268	lsass.exe	93
PID 2268 wrote to memory of 1748	2268	lsass.exe	93
PID 1748 wrote to memory of 3404	1748	lsass.exe	94
PID 1748 wrote to memory of 3404	1748	lsass.exe	94
PID 1748 wrote to memory of 3404	1748	lsass.exe	94
PID 3404 wrote to memory of 3520	3404	lsass.exe	95
PID 3404 wrote to memory of 3520	3404	lsass.exe	95
PID 3404 wrote to memory of 3520	3404	lsass.exe	95
PID 3520 wrote to memory of 2828	3520	lsass.exe	98
PID 3520 wrote to memory of 2828	3520	lsass.exe	98
PID 3520 wrote to memory of 2828	3520	lsass.exe	98
PID 2828 wrote to memory of 3860	2828	lsass.exe	99
PID 2828 wrote to memory of 3860	2828	lsass.exe	99
PID 2828 wrote to memory of 3860	2828	lsass.exe	99
PID 3860 wrote to memory of 4256	3860	lsass.exe	100
PID 3860 wrote to memory of 4256	3860	lsass.exe	100
PID 3860 wrote to memory of 4256	3860	lsass.exe	100
PID 4256 wrote to memory of 2920	4256	lsass.exe	103
PID 4256 wrote to memory of 2920	4256	lsass.exe	103
PID 4256 wrote to memory of 2920	4256	lsass.exe	103
PID 2920 wrote to memory of 4632	2920	lsass.exe	104
PID 2920 wrote to memory of 4632	2920	lsass.exe	104
PID 2920 wrote to memory of 4632	2920	lsass.exe	104
PID 4632 wrote to memory of 524	4632	lsass.exe	106
PID 4632 wrote to memory of 524	4632	lsass.exe	106
PID 4632 wrote to memory of 524	4632	lsass.exe	106
PID 524 wrote to memory of 2668	524	lsass.exe	107
PID 524 wrote to memory of 2668	524	lsass.exe	107
PID 524 wrote to memory of 2668	524	lsass.exe	107
PID 2668 wrote to memory of 4352	2668	lsass.exe	108
PID 2668 wrote to memory of 4352	2668	lsass.exe	108
PID 2668 wrote to memory of 4352	2668	lsass.exe	108
PID 4352 wrote to memory of 2140	4352	lsass.exe	109
PID 4352 wrote to memory of 2140	4352	lsass.exe	109
PID 4352 wrote to memory of 2140	4352	lsass.exe	109
PID 2140 wrote to memory of 4432	2140	lsass.exe	110
PID 2140 wrote to memory of 4432	2140	lsass.exe	110
PID 2140 wrote to memory of 4432	2140	lsass.exe	110
PID 4432 wrote to memory of 3020	4432	lsass.exe	111
PID 4432 wrote to memory of 3020	4432	lsass.exe	111
PID 4432 wrote to memory of 3020	4432	lsass.exe	111
PID 3020 wrote to memory of 2884	3020	lsass.exe	112
PID 3020 wrote to memory of 2884	3020	lsass.exe	112
PID 3020 wrote to memory of 2884	3020	lsass.exe	112
PID 2884 wrote to memory of 3080	2884	lsass.exe	115

C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2528
- \??\c:\lsass.exe
  c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1928
- - \??\c:\lsass.exe
    c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - \??\c:\lsass.exe
      c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4764
    - - \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        23⤵
        Executes dropped EXE
        
        PID:3080
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        24⤵
        Executes dropped EXE
        
        PID:2032
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        25⤵
        Executes dropped EXE
        
        PID:1864
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        26⤵
        Executes dropped EXE
        
        PID:3868
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        27⤵
        Executes dropped EXE
        
        PID:5116
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        28⤵
        Executes dropped EXE
        
        PID:1536
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:380
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        30⤵
        Executes dropped EXE
        
        PID:4452
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:376
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        32⤵
        Executes dropped EXE
        
        PID:4480
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        33⤵
        Executes dropped EXE
        
        PID:2424
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        34⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2768
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        35⤵
        Executes dropped EXE
        
        PID:4764
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        37⤵
        Executes dropped EXE
        
        PID:880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        38⤵
        Executes dropped EXE
        
        PID:4336
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        39⤵
        Executes dropped EXE
        
        PID:388
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        40⤵
        Executes dropped EXE
        
        PID:3592
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        41⤵
        Executes dropped EXE
        
        PID:4124
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        42⤵
        Executes dropped EXE
        
        PID:3852
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        43⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        44⤵
        Executes dropped EXE
        
        PID:4684
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        45⤵
        Executes dropped EXE
        
        PID:3184
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        46⤵
        Executes dropped EXE
        
        PID:1000
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        47⤵
        Executes dropped EXE
        
        PID:2764
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        48⤵
        Executes dropped EXE
        
        PID:2108
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        49⤵
        Executes dropped EXE
        
        PID:3744
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        50⤵
        Executes dropped EXE
        
        PID:3428
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        51⤵
        Executes dropped EXE
        
        PID:2472
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        52⤵
        Executes dropped EXE
        
        PID:4700
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        53⤵
        Executes dropped EXE
        
        PID:3004
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        54⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3828
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        55⤵
        Executes dropped EXE
        
        PID:2088
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        56⤵
        Executes dropped EXE
        
        PID:4100
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        57⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3240
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        58⤵
        Executes dropped EXE
        
        PID:3772
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        59⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4084
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        61⤵
        Executes dropped EXE
        
        PID:2856
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        62⤵
        Executes dropped EXE
        
        PID:3804
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        64⤵
        Executes dropped EXE
        
        PID:216
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        65⤵
        Executes dropped EXE
        
        PID:2664
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        66⤵
        Adds Run key to start application
        
        PID:2708
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        67⤵
        
        PID:4480
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        68⤵
        
        PID:540
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        69⤵
        
        PID:1984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        70⤵
        Adds Run key to start application
        
        PID:2040
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        71⤵
        
        PID:2916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        72⤵
        
        PID:3984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        73⤵
        Adds Run key to start application
        
        PID:3224
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        74⤵
        
        PID:400
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        75⤵
        
        PID:3584
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        76⤵
        
        PID:4952
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        77⤵
        
        PID:2392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        78⤵
        
        PID:4116
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        79⤵
        
        PID:2704
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        80⤵
        
        PID:3852
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        81⤵
        
        PID:3572
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        82⤵
        
        PID:3168
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        83⤵
        
        PID:4592
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        84⤵
        
        PID:3348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        85⤵
        
        PID:3288
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        87⤵
        
        PID:1000
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        88⤵
        Adds Run key to start application
        
        PID:2764
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        89⤵
        
        PID:4976
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        90⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        91⤵
        
        PID:3744
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        92⤵
        
        PID:2472
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        93⤵
        
        PID:1572
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        94⤵
        
        PID:4980
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        95⤵
        
        PID:1420
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        96⤵
        
        PID:2348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        97⤵
        
        PID:2344
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        98⤵
        
        PID:4140
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        99⤵
        
        PID:896
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        100⤵
        
        PID:4120
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        101⤵
        
        PID:2604
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        102⤵
        
        PID:3144
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        103⤵
        Adds Run key to start application
        
        PID:2100
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        104⤵
        
        PID:4968
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        105⤵
        
        PID:2440
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        106⤵
        
        PID:3340
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        107⤵
        
        PID:3752
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        108⤵
        Adds Run key to start application
        
        PID:4952
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        109⤵
        Adds Run key to start application
        
        PID:4124
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        110⤵
        Adds Run key to start application
        
        PID:4004
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        111⤵
        
        PID:2932
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        112⤵
        
        PID:3200
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        113⤵
        
        PID:396
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        114⤵
        
        PID:4488
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        115⤵
        
        PID:4888
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        117⤵
        
        PID:2360
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        118⤵
        
        PID:916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        119⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        120⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        121⤵
        
        PID:4388
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        122⤵
        
        PID:2212
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        123⤵
        Adds Run key to start application
        
        PID:2188
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        124⤵
        
        PID:3560
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        125⤵
        Adds Run key to start application
        
        PID:4272
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        128⤵
        
        PID:720
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        131⤵
        Adds Run key to start application
        
        PID:1720
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        132⤵
        
        PID:4612
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        133⤵
        
        PID:3412
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        134⤵
        
        PID:4420
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        135⤵
        
        PID:4084
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        137⤵
        
        PID:640
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:896
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        139⤵
        
        PID:4452
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        140⤵
        
        PID:3948
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        141⤵
        
        PID:3432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        142⤵
        Adds Run key to start application
        
        PID:2664
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        143⤵
        
        PID:468
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        144⤵
        
        PID:3496
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        145⤵
        
        PID:4760
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        146⤵
        
        PID:4152
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        147⤵
        
        PID:4764
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        148⤵
        
        PID:3984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        149⤵
        
        PID:4208
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        150⤵
        
        PID:4792
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        154⤵
        
        PID:4848
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        155⤵
        
        PID:3168
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        156⤵
        
        PID:2744
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        160⤵
        
        PID:3064
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        161⤵
        Adds Run key to start application
        
        PID:4916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        162⤵
        
        PID:1900
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        163⤵
        Adds Run key to start application
        
        PID:1608
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        164⤵
        
        PID:432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        165⤵
        
        PID:452
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        167⤵
        Adds Run key to start application
        
        PID:3744
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:656
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        169⤵
        
        PID:1808
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        170⤵
        
        PID:2472
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        171⤵
        
        PID:4584
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        173⤵
        
        PID:4800
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        174⤵
        
        PID:1060
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        175⤵
        
        PID:2948
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        176⤵
        
        PID:3772
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        178⤵
        
        PID:3280
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        179⤵
        
        PID:2840
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        180⤵
        
        PID:1516
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        181⤵
        
        PID:4576
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        182⤵
        
        PID:4332
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        183⤵
        
        PID:640
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        184⤵
        
        PID:4120
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        185⤵
        
        PID:2604
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        186⤵
        
        PID:2264
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        188⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        189⤵
        
        PID:3308
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        190⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        191⤵
        
        PID:4984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        192⤵
        
        PID:2920
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        193⤵
        
        PID:3572
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        196⤵
        
        PID:3180
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        197⤵
        
        PID:4192
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        198⤵
        Adds Run key to start application
        
        PID:4684
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        199⤵
        
        PID:4692
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        200⤵
        
        PID:5040
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        201⤵
        
        PID:392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        202⤵
        
        PID:4916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        204⤵
        
        PID:2188
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        205⤵
        
        PID:524
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        207⤵
        
        PID:4584
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        209⤵
        
        PID:4800
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        210⤵
        
        PID:1060
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        211⤵
        Adds Run key to start application
        
        PID:1420
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        212⤵
        Adds Run key to start application
        
        PID:4372
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:936
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        214⤵
        
        PID:2344
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        215⤵
        
        PID:4084
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        216⤵
        
        PID:2964
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        217⤵
        
        PID:4360
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        218⤵
        
        PID:968
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        219⤵
        
        PID:2944
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        220⤵
        
        PID:896
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        221⤵
        
        PID:2164
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        222⤵
        
        PID:4672
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        223⤵
        
        PID:2720
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        224⤵
        Adds Run key to start application
        
        PID:4440
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        226⤵
        Adds Run key to start application
        
        PID:3888
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        228⤵
        
        PID:4764
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        229⤵
        
        PID:388
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        230⤵
        Adds Run key to start application
        
        PID:588
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        231⤵
        
        PID:3408
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        232⤵
        
        PID:4116
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        233⤵
        
        PID:404
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        234⤵
        
        PID:2932
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        235⤵
        
        PID:3768
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        236⤵
        
        PID:1384
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        237⤵
        
        PID:1644
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        238⤵
        
        PID:396
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        239⤵
        
        PID:1532
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        240⤵
        
        PID:2128
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        241⤵
        
        PID:3980
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        242⤵
        
        PID:2692
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        243⤵
        
        PID:3348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        244⤵
        
        PID:3824
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        245⤵
        
        PID:2024
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        246⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        247⤵
        
        PID:844
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        248⤵
        Adds Run key to start application
        
        PID:2872
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        249⤵
        Adds Run key to start application
        
        PID:3916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        250⤵
        
        PID:984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        251⤵
        
        PID:4888
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        252⤵
        
        PID:4956
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        253⤵
        
        PID:5044
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        255⤵
        
        PID:4388
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        258⤵
        Adds Run key to start application
        
        PID:452
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        259⤵
        
        PID:2668
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        260⤵
        
        PID:1392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        261⤵
        
        PID:4864
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        262⤵
        
        PID:2220
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        263⤵
        
        PID:1636
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        264⤵
        
        PID:4408
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        265⤵
        
        PID:2032
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        267⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        268⤵
        
        PID:672
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        269⤵
        
        PID:1060
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        271⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        273⤵
        
        PID:2828
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        274⤵
        
        PID:4616
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        275⤵
        
        PID:3060
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        276⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        277⤵
        
        PID:4356
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        278⤵
        
        PID:5116
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        279⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:640
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        280⤵
        
        PID:5092
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        281⤵
        
        PID:4968
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        282⤵
        
        PID:2720
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        283⤵
        Adds Run key to start application
        
        PID:2432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        284⤵
        Adds Run key to start application
        
        PID:3552
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        285⤵
        
        PID:2512
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        286⤵
        
        PID:3372
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        288⤵
        
        PID:2768
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        289⤵
        
        PID:1984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        290⤵
        
        PID:4128
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        291⤵
        
        PID:3924
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        292⤵
        
        PID:4124
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        293⤵
        
        PID:4812
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        294⤵
        
        PID:4792
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        295⤵
        
        PID:2704
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        296⤵
        
        PID:4992
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        297⤵
        
        PID:3444
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        298⤵
        
        PID:1724
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        299⤵
        Adds Run key to start application
        
        PID:3200
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        300⤵
        
        PID:4560
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        301⤵
        Adds Run key to start application
        
        PID:4848
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        302⤵
        
        PID:3824
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        303⤵
        
        PID:4908
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        304⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        305⤵
        
        PID:3928
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        306⤵
        
        PID:3004
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        307⤵
        Adds Run key to start application
        
        PID:4584
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        308⤵
        
        PID:4100
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        309⤵
        
        PID:1836
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        310⤵
        
        PID:3224
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        311⤵
        
        PID:4072
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        312⤵
        
        PID:4360
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        313⤵
        
        PID:968
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        314⤵
        Adds Run key to start application
        
        PID:4468
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        315⤵
        
        PID:3804
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        316⤵
        
        PID:896
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        317⤵
        
        PID:2164
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        318⤵
        
        PID:468
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        319⤵
        
        PID:376
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        320⤵
        
        PID:3452
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        321⤵
        
        PID:1152
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        322⤵
        
        PID:4900
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        323⤵
        
        PID:2440
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        324⤵
        
        PID:4760
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        325⤵
        
        PID:3372
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        326⤵
        
        PID:3984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        327⤵
        
        PID:1892
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        328⤵
        
        PID:2820
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        329⤵
        Adds Run key to start application
        
        PID:1128
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        330⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        332⤵
        
        PID:4880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        333⤵
        Adds Run key to start application
        
        PID:4792
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        334⤵
        
        PID:2932
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        335⤵
        
        PID:3904
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        336⤵
        
        PID:4436
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        337⤵
        Adds Run key to start application
        
        PID:868
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        338⤵
        
        PID:3516
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        339⤵
        
        PID:4488
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        340⤵
        
        PID:1532
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        341⤵
        
        PID:4824
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        342⤵
        
        PID:4192
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        343⤵
        
        PID:912
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        344⤵
        
        PID:1000
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        345⤵
        
        PID:392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        346⤵
        
        PID:4908
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        347⤵
        
        PID:4892
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        348⤵
        
        PID:4684
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        349⤵
        
        PID:2312
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        350⤵
        
        PID:2692
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        351⤵
        Adds Run key to start application
        
        PID:3640
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        352⤵
        Adds Run key to start application
        
        PID:4652
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        353⤵
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        354⤵
        
        PID:4980
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        355⤵
        Adds Run key to start application
        
        PID:2088
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        356⤵
        
        PID:5024
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        357⤵
        
        PID:4100
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        358⤵
        
        PID:4800
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        359⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        360⤵
        
        PID:3644
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        361⤵
        Adds Run key to start application
        
        PID:2668
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        362⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        363⤵
        
        PID:4456
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        364⤵
        Adds Run key to start application
        
        PID:5028
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        365⤵
        
        PID:2828
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        366⤵
        
        PID:2684
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        367⤵
        
        PID:4420
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        368⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        369⤵
        
        PID:1772
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        370⤵
        
        PID:4036
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        371⤵
        
        PID:4512
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        372⤵
        Adds Run key to start application
        
        PID:4120
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        373⤵
        
        PID:3948
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        374⤵
        
        PID:4480
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        375⤵
        
        PID:1204
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        376⤵
        
        PID:3496
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        377⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        378⤵
        
        PID:1512
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        379⤵
        
        PID:3564
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        380⤵
        
        PID:1232
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        381⤵
        
        PID:880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        382⤵
        Adds Run key to start application
        
        PID:2916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        383⤵
        
        PID:3040
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        384⤵
        
        PID:2392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        385⤵
        
        PID:4208
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        386⤵
        
        PID:4984
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        387⤵
        
        PID:4812
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        388⤵
        
        PID:2704
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        389⤵
        
        PID:3768
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        390⤵
        
        PID:1384
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        391⤵
        
        PID:2712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        392⤵
        
        PID:3168
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        393⤵
        
        PID:3008
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        394⤵
        
        PID:1532
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        395⤵
        
        PID:4824
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        396⤵
        
        PID:3288
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        397⤵
        
        PID:912
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        398⤵
        
        PID:1000
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        399⤵
        
        PID:392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        400⤵
        
        PID:3180
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        401⤵
        
        PID:3348
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        402⤵
        
        PID:2444
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        403⤵
        
        PID:5072
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        404⤵
        Adds Run key to start application
        
        PID:3760
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        405⤵
        Adds Run key to start application
        
        PID:2888
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        406⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4432
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        407⤵
        
        PID:3936
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        408⤵
        
        PID:4052
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        409⤵
        
        PID:1132
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        410⤵
        
        PID:4584
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        411⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        412⤵
        
        PID:720
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        413⤵
        Adds Run key to start application
        
        PID:1864
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        414⤵
        
        PID:1752
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        415⤵
        
        PID:2188
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        416⤵
        
        PID:1608
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        417⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        418⤵
        
        PID:4456
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        419⤵
        
        PID:3016
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        420⤵
        
        PID:2828
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        421⤵
        
        PID:2356
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        422⤵
        Adds Run key to start application
        
        PID:4420
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        423⤵
        
        PID:2880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        424⤵
        
        PID:1336
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        425⤵
        
        PID:2908
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        426⤵
        
        PID:4068
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        427⤵
        
        PID:1232
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        428⤵
        
        PID:880
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        429⤵
        
        PID:2916
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        430⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        431⤵
        
        PID:2392
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        432⤵
        
        PID:2736
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        433⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        434⤵
        
        PID:4008
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        435⤵
        
        PID:4352
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        436⤵
        
        PID:4256
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        437⤵
        
        PID:2704
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        438⤵
        
        PID:3768
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        439⤵
        
        PID:3856
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        440⤵
        
        PID:2712
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        441⤵
        Adds Run key to start application
        
        PID:3168
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        442⤵
        
        PID:3200
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        443⤵
        
        PID:4796
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        444⤵
        
        PID:728
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        445⤵
        
        PID:4824
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        446⤵
        
        PID:2412
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        447⤵
        
        PID:2844
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        448⤵
        Adds Run key to start application
        
        PID:4988
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        449⤵
        
        PID:2108
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        450⤵
        
        PID:4692
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        451⤵
        
        PID:2976
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        452⤵
        
        PID:3316
        
        \??\c:\lsass.exe
        
        c:\lsass.exe exe C:\Users\Admin\AppData\Local\Temp\5480948c56f5a64827c5437969f008c1_JaffaCakes118.exe
        453⤵
        
        PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\lsass.exe

Filesize
52KB

MD5
5480948c56f5a64827c5437969f008c1

SHA1
2cd05c09ca39825e37b131760ee8a6c76b5a301d

SHA256
7c3964f2c473e5a49eef26594040d998dc029ea973fc3e7d4d88606b66b691fc

SHA512
af589b7a5d40225b1933ca60f8f3e73e739ba13d03733a9bf6a702ec856831a67d051c839cc964b6702c7975d6818eaeb9ee6ab0a30024892494813f6a8fc78a

Download Submit
memory/216-188-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/376-93-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/380-87-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/388-118-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/400-208-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/524-48-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/540-196-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/880-111-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/896-260-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1000-235-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1000-138-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1420-252-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1536-85-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1572-248-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1612-241-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1748-25-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1864-76-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1928-7-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1928-5-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1984-198-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2032-73-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2040-200-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2088-164-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2108-143-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2140-57-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2268-21-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2344-256-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2348-254-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2392-214-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2424-101-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2472-152-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2472-246-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2528-32-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2528-0-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2528-95-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2604-264-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2664-190-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2668-52-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2704-218-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2708-192-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2764-237-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2764-140-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2768-103-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2828-34-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2840-177-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2856-181-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2884-67-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2916-202-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2916-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2920-43-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3004-159-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3020-64-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3080-69-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3168-225-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3184-135-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3184-233-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3224-206-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3240-170-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3288-231-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3348-229-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3404-28-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3428-148-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3456-16-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3520-30-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3572-221-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3572-223-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3584-210-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3592-121-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3744-146-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3744-243-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3772-172-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3804-183-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3828-161-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3852-220-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3852-126-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3860-37-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3868-79-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3984-19-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/3984-204-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4084-175-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4100-167-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4116-216-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4120-262-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4124-123-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4140-258-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4256-41-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4336-115-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4352-54-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4432-60-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4452-91-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4460-185-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4480-194-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4480-97-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4592-227-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4632-46-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4684-131-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4700-153-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4700-156-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4760-109-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4764-106-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4764-13-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4952-212-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4976-239-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/4980-250-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/5116-82-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads