Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25-09-2024 02:43

General

  • Target

    e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe

  • Size

    1.8MB

  • MD5

    749bd6bf56a6d0ad6a8a4e5712377555

  • SHA1

    6e4ff640a527ed497505c402d1e7bdb26f3dd472

  • SHA256

    e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3

  • SHA512

    250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d

  • SSDEEP

    49152:UkQletNpj4NmwF1tBE6BAfTm9k9MJsuAfChboFtcZo:UFletXjoD1tBEc90XCo6Zo

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

group

C2

http://94.131.119.184:443/agent.ashx

Attributes
  • mesh_id

    0x1BB80B7BD3F37219BF6F79BEE0A08A00B90168972309CA4BFD812814A9F980439E71B51CC08CC59D904B5AED18647DD0

  • server_id

    B13800B3094163CC81EA68335E6D9A9B98350B3D697F92D49A06C6ADC9519150B766816EBC90ED105D4749F3F47F60B6

  • wss

    wss://94.131.119.184:443/agent.ashx

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 26 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe
    "C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4424
    • C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
      "C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
      2⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2444
  • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
    "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1336
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1068
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3040
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4540
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • System Location Discovery: System Language Discovery
      PID:4708
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2688
  • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
    "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
        PID:4060
      • C:\Windows\SysWOW64\wbem\wmic.exe
        wmic os get oslanguage /FORMAT:LIST
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3016
      • C:\Windows\SysWOW64\wbem\wmic.exe
        wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:4112
      • C:\Windows\SysWOW64\wbem\wmic.exe
        wmic SystemEnclosure get ChassisTypes
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3644
      • C:\Windows\SysWOW64\wbem\wmic.exe
        wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:5104
    • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
      "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\wbem\wmic.exe
        wmic SystemEnclosure get ChassisTypes
        2⤵
          PID:2236
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic os get oslanguage /FORMAT:LIST
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2752
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:872
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic SystemEnclosure get ChassisTypes
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2004
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1604
      • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
        "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:4272
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic SystemEnclosure get ChassisTypes
          2⤵
          • System Location Discovery: System Language Discovery
          PID:5024
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic os get oslanguage /FORMAT:LIST
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3600
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3316
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic SystemEnclosure get ChassisTypes
          2⤵
          • System Location Discovery: System Language Discovery
          PID:4380
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1372
      • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
        "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
        1⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        PID:1360
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic SystemEnclosure get ChassisTypes
          2⤵
          • System Location Discovery: System Language Discovery
          PID:2716
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic os get oslanguage /FORMAT:LIST
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3192
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
          2⤵
            PID:4368
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic SystemEnclosure get ChassisTypes
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1672
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1512
        • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
          "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          PID:4964
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic SystemEnclosure get ChassisTypes
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2796
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic os get oslanguage /FORMAT:LIST
            2⤵
            • System Location Discovery: System Language Discovery
            PID:3800
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2272
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic SystemEnclosure get ChassisTypes
            2⤵
            • System Location Discovery: System Language Discovery
            PID:428
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:4612
        • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
          "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          PID:4224
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic SystemEnclosure get ChassisTypes
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2968
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic os get oslanguage /FORMAT:LIST
            2⤵
            • System Location Discovery: System Language Discovery
            PID:4728
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1568
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic SystemEnclosure get ChassisTypes
            2⤵
            • System Location Discovery: System Language Discovery
            PID:4864
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1468
        • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
          "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          PID:2888
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic SystemEnclosure get ChassisTypes
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2792
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic os get oslanguage /FORMAT:LIST
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2488
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:3452
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic SystemEnclosure get ChassisTypes
            2⤵
            • System Location Discovery: System Language Discovery
            PID:3688
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:3232
        • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
          "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies data under HKEY_USERS
          PID:1504
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic SystemEnclosure get ChassisTypes
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1212
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic os get oslanguage /FORMAT:LIST
            2⤵
            • System Location Discovery: System Language Discovery
            PID:4820
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2912
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic os get oslanguage /FORMAT:LIST
            2⤵
            • System Location Discovery: System Language Discovery
            PID:1948
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic SystemEnclosure get ChassisTypes
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2652
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
            2⤵
              PID:2372
          • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
            "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            PID:1984
            • C:\Windows\SysWOW64\wbem\wmic.exe
              wmic SystemEnclosure get ChassisTypes
              2⤵
              • System Location Discovery: System Language Discovery
              PID:972
            • C:\Windows\SysWOW64\wbem\wmic.exe
              wmic os get oslanguage /FORMAT:LIST
              2⤵
              • System Location Discovery: System Language Discovery
              PID:2060
            • C:\Windows\SysWOW64\wbem\wmic.exe
              wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:1928
            • C:\Windows\SysWOW64\wbem\wmic.exe
              wmic os get oslanguage /FORMAT:LIST
              2⤵
              • System Location Discovery: System Language Discovery
              PID:752
            • C:\Windows\SysWOW64\wbem\wmic.exe
              wmic SystemEnclosure get ChassisTypes
              2⤵
              • System Location Discovery: System Language Discovery
              PID:4864
            • C:\Windows\SysWOW64\wbem\wmic.exe
              wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
              2⤵
              • System Location Discovery: System Language Discovery
              PID:1016
          • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
            "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
            1⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            • Modifies data under HKEY_USERS
            PID:5112
            • C:\Windows\SysWOW64\wbem\wmic.exe
              wmic SystemEnclosure get ChassisTypes
              2⤵
              • System Location Discovery: System Language Discovery
              PID:5036
            • C:\Windows\SysWOW64\wbem\wmic.exe
              wmic os get oslanguage /FORMAT:LIST
              2⤵
              • System Location Discovery: System Language Discovery
              PID:1688
            • C:\Windows\SysWOW64\wbem\wmic.exe
              wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
              2⤵
                PID:3612

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.db

              Filesize

              271KB

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.db

              Filesize

              388KB

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.db

              Filesize

              153KB

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.log

              Filesize

              1KB

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.log

              Filesize

              1KB

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.log

              Filesize

              1KB

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.log

              Filesize

              334B

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.log

              Filesize

              501B

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.log

              Filesize

              668B

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.log

              Filesize

              835B

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.log

              Filesize

              1002B

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.log

              Filesize

              1KB

            • C:\Program Files (x86)\Mesh Agent\MeshAgent.msh

              Filesize

              31KB

            • C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe

              Filesize

              3.7MB

            • C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\3F015550341E3E07E40741008DA01E9CEC2AFF68

              Filesize

              1KB
