Malware Analysis Report

2024-08-06 17:06

Sample ID: 240509-zpx3bseb51
Target: 2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118
SHA256: e17185845ed5f9b116b41706d00b7e2139c38007b93040277b81e37a28f88f10
Tags: darkcomet guest16 persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: e17185845ed5f9b116b41706d00b7e2139c38007b93040277b81e37a28f88f10

Threat Level: Known bad

The file 2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 persistence rat trojan

Darkcomet

Modifies WinLogon for persistence

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-09 20:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 20:54
Reported: 2024-05-09 20:56
Platform: win7-20231129-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe

Network

N/A

Files

memory/2364-0-0x0000000074581000-0x0000000074582000-memory.dmp

memory/2364-1-0x0000000074580000-0x0000000074B2B000-memory.dmp

memory/2364-2-0x0000000074580000-0x0000000074B2B000-memory.dmp

memory/2364-3-0x0000000074580000-0x0000000074B2B000-memory.dmp

memory/2364-8-0x0000000074580000-0x0000000074B2B000-memory.dmp

memory/2364-9-0x0000000074580000-0x0000000074B2B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-09 20:54
Reported: 2024-05-09 20:56
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe"

Signatures

Darkcomet

Tags: trojan rat darkcomet

Modifies WinLogon for persistence

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\OUR PURCHASE ORDER.EXE | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\OUR PURCHASE ORDER.EXE | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OUR PURCHASE ORDER.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\OUR PURCHASE ORDER.EXE | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Modifies Internet Explorer settings

Tags: adware spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A (20 identical rows)

Suspicious use of AdjustPrivilegeToken

Description (Token) | Process (Indicator and Target are N/A for every row)
SeDebugPrivilege | C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | C:\Users\Admin\AppData\Local\Temp\OUR PURCHASE ORDER.EXE
SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4396 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe (5 identical rows)
PID 2128 wrote to memory of 3572 | N/A | C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (3 identical rows)
PID 2128 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\OUR PURCHASE ORDER.EXE (3 identical rows)
PID 2024 wrote to memory of 3472 | N/A | C:\Users\Admin\AppData\Local\Temp\OUR PURCHASE ORDER.EXE | C:\Windows\SysWOW64\notepad.exe (17 identical rows)
PID 2024 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\OUR PURCHASE ORDER.EXE | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe (3 identical rows)
PID 3572 wrote to memory of 5024 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (3 identical rows)
PID 5024 wrote to memory of 3084 | N/A | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe (30 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\2ba93e7526338456f3c80c94ea1b5d83_JaffaCakes118.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CATALOG.PDF"

C:\Users\Admin\AppData\Local\Temp\OUR PURCHASE ORDER.EXE

"C:\Users\Admin\AppData\Local\Temp\OUR PURCHASE ORDER.EXE"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=60734EE69FFF92C8798BC8DB216CEE9D --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8AE2F27069B84C30A960AD29FBF042FA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8AE2F27069B84C30A960AD29FBF042FA --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=47701F6674B9782A3E06E9C69A922F80 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1EC965110CD24A517B4F44F87122C7CC --mojo-platform-channel-handle=1952 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6EF08478074D3DCB9027D3D9F21548E5 --mojo-platform-channel-handle=2436 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=DFDA597F2E2CAE8039FA1D71DD02D2D3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=DFDA597F2E2CAE8039FA1D71DD02D2D3 --renderer-client-id=7 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.201:443 www.bing.com tcp
US 8.8.8.8:53 201.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
BE 88.221.83.201:443 www.bing.com tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 151.16.21.2.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 22.121.18.2.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
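The table above mixes benign Bing/reverse-DNS noise from the decoy PDF with dozens of bare TCP connects to 127.0.0.1:1604. Port 1604 is DarkComet's default listener port, and because the configured endpoint is loopback in this detonation no C2 traffic left the sandbox; the repeat count is the only observable. The following is an added example, not part of the original report: it parses rows in the "Country Destination Domain Proto" layout used here and flags TCP endpoints hit repeatedly with no DNS name attached, which is the footprint a hard-coded C2 address leaves. The sample rows are copied from this table; the threshold and the KNOWN_RAT_PORTS mapping are this example's own assumptions.

```python
"""Flag repeated bare-IP TCP connects in a sandbox network table (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: default listener ports worth a second look. 1604 is DarkComet's default.
KNOWN_RAT_PORTS = {1604: "DarkComet (default)"}

# Constructed input: a subset of rows copied from the network table above.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.201:443 www.bing.com tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
N/A 127.0.0.1:1604 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
N/A 127.0.0.1:1604 tcp
BE 88.221.83.201:443 www.bing.com tcp
N/A 127.0.0.1:1604 tcp
"""


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None for bare-IP rows (no domain column)
    proto: str


def parse_rows(text: str) -> List[Conn]:
    """Parse 'Country Destination [Domain] Proto' rows; skips the header and junk."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:                 # no domain column
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, sep, port = dest.rpartition(":")
        if not sep or not port.isdigit():    # header row or malformed destination
            continue
        conns.append(Conn(country, ip, int(port), domain, proto.lower()))
    return conns


def find_beacons(conns: List[Conn], min_hits: int = 3) -> Dict[Tuple[str, int], int]:
    """{(ip, port): hits} for TCP endpoints contacted >= min_hits times with no DNS name.

    Repeated connects to one IP:port that was never resolved via DNS is the
    pattern a RAT with a hard-coded C2 address produces while it retries.
    """
    counts = Counter((c.ip, c.port) for c in conns if c.proto == "tcp" and c.domain is None)
    return {ep: n for ep, n in counts.items() if n >= min_hits}


def describe(beacons: Dict[Tuple[str, int], int]) -> List[str]:
    """Human-readable lines, annotated when the port matches a known RAT default."""
    out = []
    for (ip, port), n in sorted(beacons.items()):
        tag = f" [{KNOWN_RAT_PORTS[port]}]" if port in KNOWN_RAT_PORTS else ""
        out.append(f"{ip}:{port} x{n}{tag}")
    return out


if __name__ == "__main__":
    for line in describe(find_beacons(parse_rows(SAMPLE_ROWS))):
        print(line)
```

The DNS-less filter is what separates the RAT's connects from the Reader telemetry: www.bing.com also appears twice, but it was resolved first and carries a domain, so it is not reported. Lower `min_hits` for short detonations where the sample only retried once or twice.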

Files

memory/4396-0-0x00000000750B2000-0x00000000750B3000-memory.dmp

memory/4396-1-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/4396-2-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/4396-3-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/2128-17-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2128-20-0x0000000000400000-0x000000000048B000-memory.dmp

memory/4396-22-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/2128-19-0x0000000000400000-0x000000000048B000-memory.dmp

memory/4396-23-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/4396-24-0x00000000750B0000-0x0000000075661000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\OUR PURCHASE ORDER.EXE

MD5 3329b1a6261ee6363ff6d16a547c5998
SHA1 17ce078dc8b2f41cc1e93cbfca1e9a4babbd5f1d
SHA256 1105e440792a9279c1a6201190f5062f9004c825adb161db159ff02dc615affb
SHA512 2ce1f03ddfb6c80a2bccd75fd3c29883bccfac4e2b0ade268751b09a201180627e5253861900ef5cd314d3aae126025c19203be2b301924c9396dc331af42484

memory/2128-36-0x0000000000400000-0x000000000048B000-memory.dmp

memory/2024-42-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CATALOG.PDF

MD5 99a42f818a546c4264bbb9bfdcec1e7b
SHA1 14fb3e3852bd5c139dfcaa12bfe2569feaecc389
SHA256 cfac945d47ba70bb46c5b50417cea0ad18d6a0714e697d8a25bd298bd9943df8
SHA512 960d922ccce0004edc4443ff245e839c5635d01300fc2e311190a78d56588831ad9e83ca4e23bf9a683b36c3d2265407ad2fb54f55fc371dcfad5200a3d164e8

memory/3472-44-0x0000000001380000-0x0000000001381000-memory.dmp

memory/4872-57-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2024-56-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4396-84-0x00000000750B0000-0x0000000075661000-memory.dmp

memory/4872-85-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4396-86-0x00000000750B2000-0x00000000750B3000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 a8b999b10793a76b647dc92d1fbf967e
SHA1 c7e0b8f7a17a8d03082ca08ceed5d2d45e0105f1
SHA256 350d8161bf9b18534c898604b2435a5b61fc823d76467b79f3deb117a97f90c1
SHA512 e048fd344fd5d99ee946f0375779e698455a9ec5c3b75d8c43b1b88031858bb70193f4bdca0451484fdf0719db2ae7bbdbb1dd0f21991faa7d6cd2c5027ec70d

memory/4872-181-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4872-184-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4872-185-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4872-186-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4872-187-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4872-188-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4872-189-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4872-190-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4872-191-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4872-192-0x0000000000400000-0x00000000004BC000-memory.dmp
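The memory entries above follow the pattern memory/PID-sequence-start-end-memory.dmp. Read together with the "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory" signatures in the summary, the point of interest is that PIDs 2024 and 4872 both have dumps of an identical 0x00400000-0x004BC000 region, which is what a child whose image was replaced with the parent's payload looks like. The following is an added example, not part of the original report: it parses these dump names, groups the distinct regions per process and reports regions that recur byte-for-byte (same base, same size) across processes. The sample names are copied from the list above; the recurrence heuristic is this example's own.

```python
"""Group sandbox memory-dump names by PID and spot an image shared across processes (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Naming convention read off the Files list above: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed input: a subset of the dump names listed above.
SAMPLE_DUMPS = """\
memory/4396-0-0x00000000750B2000-0x00000000750B3000-memory.dmp
memory/4396-1-0x00000000750B0000-0x0000000075661000-memory.dmp
memory/2128-17-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2128-20-0x0000000000400000-0x000000000048B000-memory.dmp
memory/2024-42-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/3472-44-0x0000000001380000-0x0000000001381000-memory.dmp
memory/4872-57-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2024-56-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/4872-181-0x0000000000400000-0x00000000004BC000-memory.dmp
"""

Region = Tuple[int, int]


def parse_dump(name: str) -> Optional[dict]:
    """Split one dump name into pid, sequence number and integer start/end addresses."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)}


def regions_by_pid(text: str) -> Dict[int, Set[Region]]:
    """{pid: {(start, end), ...}}: the distinct regions dumped for each process."""
    out: Dict[int, Set[Region]] = defaultdict(set)
    for line in text.splitlines():
        d = parse_dump(line)
        if d:
            out[d["pid"]].add((d["start"], d["end"]))
    return dict(out)


def shared_image_regions(regions: Dict[int, Set[Region]]) -> Dict[Region, List[int]]:
    """Regions with identical start and end that appear in more than one PID.

    Heuristic: the same executable image range (here based at 0x400000) showing
    up in two processes is consistent with one process writing its payload into
    another, which is the behaviour the SetThreadContext/WriteProcessMemory
    signatures point at. It is a lead for the analyst, not a verdict.
    """
    owners: Dict[Region, Set[int]] = defaultdict(set)
    for pid, regs in regions.items():
        for r in regs:
            owners[r].add(pid)
    return {r: sorted(p) for r, p in owners.items() if len(p) > 1}


def fmt(region: Region) -> str:
    """Format a region as 0xSTART-0xEND (size KiB)."""
    start, end = region
    return f"0x{start:08X}-0x{end:08X} ({(end - start) // 1024} KiB)"


if __name__ == "__main__":
    regs = regions_by_pid(SAMPLE_DUMPS)
    for pid in sorted(regs):
        print(pid, ", ".join(fmt(r) for r in sorted(regs[pid])))
    for r, pids in shared_image_regions(regs).items():
        print("shared image region", fmt(r), "in PIDs", pids)
```

Size matters here as much as the base address: 2128 also holds a 0x400000-based region, but its 0x48B000 end (556 KiB) does not match the 0x4BC000 (752 KiB) image in 2024 and 4872, so it is reported as a separate image rather than another copy.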