meshagent | cfc9778f772c8c8daa33a520e3adbfa7fad6b33ee0d5dd104f5580eaf52eed82

Analysis

max time kernel
137s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe
Size

2.9MB
MD5

0aa9dc10bf05ec4c4d4b9baa5cbb6f1f
SHA1

6f157cb52d687a9b960bf67aa2448fc7e5d2db17
SHA256

cfc9778f772c8c8daa33a520e3adbfa7fad6b33ee0d5dd104f5580eaf52eed82
SHA512

cb36426922341cf3586caa15cbf05982df8ed9df4cc4faccb1c9ac4e3c193a17ac04cc4c0987bcf6f6223c07e6ff3055be3d1d00b963fb65495887916179e13d
SSDEEP

49152:iiQagHg5EVhwQd+qrW+i1w+Tqc0KxZbDOCwMDbyeKw3FGMFvfjPW21I3iIJn:3g7hRdj9iMlHBSFBWZn

Score

10^/10

meshagent test backdoor discovery persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

test

http://heimdall.hostedhero.com:443/agent.ashx

Attributes

mesh_id
0x4E4070D78AFFA88AFDD57BD66456CDBE2034549498474E2723BF29A67E0608F067A66207C3C42FCD04E348988CD8E892
server_id
316B450D4320A8D7AF354D9F06DF347C98693E4AA9014FC7CFEF9940F3F338B0853FADD2076DF2D06D5810331C87BF50
wss
wss://heimdall.hostedhero.com:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023cbb-80.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-3756129449-3121373848-4276368241-1000\""	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe

Executes dropped EXE 1 IoCs

Processes:

MeshAgent.exe

pid	Process
4044	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

Processes:

MeshAgent.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\Kernel.Appcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\17C2320E66CD84F155B5200B2048B107A123ED20	MeshAgent.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\version.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\17C2320E66CD84F155B5200B2048B107A123ED20	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\version.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\version.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\CCE08D840619E6A6EC4B4D53C5B0002AE5430480	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6A12E32CD2AD11DAB1996663B5CAE39486228026	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\2023E28E2719559B786A38B9C37F06EEA6B47D0F	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe

Drops file in Program Files directory 7 IoCs

Processes:

MeshAgent.exe2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe

description	ioc	Process
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

Processes:

MeshAgent.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776660970269134"	MeshAgent.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3328	powershell.exe
3328	powershell.exe
4552	powershell.exe
4552	powershell.exe
1708	powershell.exe
1708	powershell.exe
4620	powershell.exe
4620	powershell.exe
744	powershell.exe
744	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exepowershell.exepowershell.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1652	wmic.exe
Token: SeSecurityPrivilege	1652	wmic.exe
Token: SeTakeOwnershipPrivilege	1652	wmic.exe
Token: SeLoadDriverPrivilege	1652	wmic.exe
Token: SeSystemProfilePrivilege	1652	wmic.exe
Token: SeSystemtimePrivilege	1652	wmic.exe
Token: SeProfSingleProcessPrivilege	1652	wmic.exe
Token: SeIncBasePriorityPrivilege	1652	wmic.exe
Token: SeCreatePagefilePrivilege	1652	wmic.exe
Token: SeBackupPrivilege	1652	wmic.exe
Token: SeRestorePrivilege	1652	wmic.exe
Token: SeShutdownPrivilege	1652	wmic.exe
Token: SeDebugPrivilege	1652	wmic.exe
Token: SeSystemEnvironmentPrivilege	1652	wmic.exe
Token: SeRemoteShutdownPrivilege	1652	wmic.exe
Token: SeUndockPrivilege	1652	wmic.exe
Token: SeManageVolumePrivilege	1652	wmic.exe
Token: 33	1652	wmic.exe
Token: 34	1652	wmic.exe
Token: 35	1652	wmic.exe
Token: 36	1652	wmic.exe
Token: SeIncreaseQuotaPrivilege	1652	wmic.exe
Token: SeSecurityPrivilege	1652	wmic.exe
Token: SeTakeOwnershipPrivilege	1652	wmic.exe
Token: SeLoadDriverPrivilege	1652	wmic.exe
Token: SeSystemProfilePrivilege	1652	wmic.exe
Token: SeSystemtimePrivilege	1652	wmic.exe
Token: SeProfSingleProcessPrivilege	1652	wmic.exe
Token: SeIncBasePriorityPrivilege	1652	wmic.exe
Token: SeCreatePagefilePrivilege	1652	wmic.exe
Token: SeBackupPrivilege	1652	wmic.exe
Token: SeRestorePrivilege	1652	wmic.exe
Token: SeShutdownPrivilege	1652	wmic.exe
Token: SeDebugPrivilege	1652	wmic.exe
Token: SeSystemEnvironmentPrivilege	1652	wmic.exe
Token: SeRemoteShutdownPrivilege	1652	wmic.exe
Token: SeUndockPrivilege	1652	wmic.exe
Token: SeManageVolumePrivilege	1652	wmic.exe
Token: 33	1652	wmic.exe
Token: 34	1652	wmic.exe
Token: 35	1652	wmic.exe
Token: 36	1652	wmic.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeIncreaseQuotaPrivilege	4552	powershell.exe
Token: SeSecurityPrivilege	4552	powershell.exe
Token: SeTakeOwnershipPrivilege	4552	powershell.exe
Token: SeLoadDriverPrivilege	4552	powershell.exe
Token: SeSystemProfilePrivilege	4552	powershell.exe
Token: SeSystemtimePrivilege	4552	powershell.exe
Token: SeProfSingleProcessPrivilege	4552	powershell.exe
Token: SeIncBasePriorityPrivilege	4552	powershell.exe
Token: SeCreatePagefilePrivilege	4552	powershell.exe
Token: SeBackupPrivilege	4552	powershell.exe
Token: SeRestorePrivilege	4552	powershell.exe
Token: SeShutdownPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeSystemEnvironmentPrivilege	4552	powershell.exe
Token: SeRemoteShutdownPrivilege	4552	powershell.exe
Token: SeUndockPrivilege	4552	powershell.exe
Token: SeManageVolumePrivilege	4552	powershell.exe
Token: 33	4552	powershell.exe
Token: 34	4552	powershell.exe
Token: 35	4552	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe

description	pid	Process	procid_target
PID 3028 wrote to memory of 1652	3028	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	85
PID 3028 wrote to memory of 1652	3028	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	85
PID 3028 wrote to memory of 1928	3028	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	90
PID 3028 wrote to memory of 1928	3028	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	90
PID 1928 wrote to memory of 3328	1928	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	94
PID 1928 wrote to memory of 3328	1928	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	94
PID 1928 wrote to memory of 4552	1928	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	96
PID 1928 wrote to memory of 4552	1928	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	96
PID 1928 wrote to memory of 1708	1928	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	98
PID 1928 wrote to memory of 1708	1928	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	98
PID 1928 wrote to memory of 4620	1928	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	101
PID 1928 wrote to memory of 4620	1928	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	101
PID 1928 wrote to memory of 744	1928	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	103
PID 1928 wrote to memory of 744	1928	2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-12-03_0aa9dc10bf05ec4c4d4b9baa5cbb6f1f_ismagent_ryuk_sliver.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "Get-Module -ListAvailable -Name netsecurity"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:744

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-3756129449-3121373848-4276368241-1000"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
2.9MB

MD5
0aa9dc10bf05ec4c4d4b9baa5cbb6f1f

SHA1
6f157cb52d687a9b960bf67aa2448fc7e5d2db17

SHA256
cfc9778f772c8c8daa33a520e3adbfa7fad6b33ee0d5dd104f5580eaf52eed82

SHA512
cb36426922341cf3586caa15cbf05982df8ed9df4cc4faccb1c9ac4e3c193a17ac04cc4c0987bcf6f6223c07e6ff3055be3d1d00b963fb65495887916179e13d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
b5f63423f55e96fabcd1b186b27ce0c4

SHA1
581b488265a2f159836409853f4b97eb5941bd48

SHA256
451cd58d101dc6219943589eedc0789ff95f35be417f63555ebde5d354e7c11a

SHA512
f1e9873c6c88964035589f1dbfa28bff55315a66d471e69332f96c837855252187b719d5660baee2d5e3bb5d86b8c42e54826546b6e0d949010a6c7d2facadeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
23909774a4f0358be8e03226d73fbd61

SHA1
4df262994ce4eb3935965881c1e2dc730668da94

SHA256
6dbd177f5aa34f836bf52885c04a3a93771384ebad954911be812c039290bcad

SHA512
6ed0bfd0a498043cccf9ef2d9bebc869c4f5f2befc90636e2e3167b2d0b694c538f93aaeefe221bc08ca3962c6499f402df4934444c9f82883d3314075d5f05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc08d9efbf45b4045fdf2cfc507ddceb

SHA1
7a1095765f0b9ed6a04afeb084f4e78cc25aed5c

SHA256
b11437cfbe0773154d082440842d8754f31a0ff920b86a1c518cefbe9e0bc92e

SHA512
2f765d087a043d05720445383409bbab5f2a17f46c10257589a94a8dfa22e5888692879d25df2e78192e6a226ad3c44921689104a3e40f2a45ffe2cc0ba10571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bcea833c877d5e8bba484770cb65cb64

SHA1
a99b560378a7e0919d29c6c3ffdb86e68dcd5592

SHA256
1a7c732a8de0ff074315b342a3f2937039b493ecbf287773905aa7fb1d80798e

SHA512
d10e59bfbce6d8a128c87c7d6997c1353b71b4544661aa4232801758c5b3298724d1fcb32e904cf5740808ad764a34c4366681e51d928490485ef8fcd48b530c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f15de76b698d30aa93ea03789ba112dd

SHA1
24f5ca947e3ac23fcf842c03ec8a2ede1e777984

SHA256
c08e83ffcff75d0e851db0959e4c0be99ff92703a7cf79a797114e2a4505f1a6

SHA512
a20905a0c162cf29989ea01946d765fd69f38497c214934264e78b9b7ae1f7ed9522bc40169d428f7c2f4f8817e21dc2d5e72967c9809254acb35a85856dc0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lewlvqqu.fbg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3328-5-0x0000029362170000-0x0000029362192000-memory.dmp

Filesize
136KB

Download
memory/3328-21-0x00000293622E0000-0x00000293622EE000-memory.dmp

Filesize
56KB

Download
memory/3328-22-0x000002937CB80000-0x000002937CB9A000-memory.dmp

Filesize
104KB

Download