meshagent | 854717a4571738e4ed8d49e7d1f9c77cf02f2aa26d7fd49cd4195b68aa44cb94

Analysis

max time kernel
134s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe
Size

2.9MB
MD5

14b3ba84931f9d0d261decb8ccbaf079
SHA1

a77659ab265213a2b38384b2ae8e1a722c1d7b2e
SHA256

854717a4571738e4ed8d49e7d1f9c77cf02f2aa26d7fd49cd4195b68aa44cb94
SHA512

97c65b9d2390b0e8af2a7a4510130a92c0be4c90399223b8f5b70eddc1b916329cb005fda7c3c5209c7d83a4c4637605a4cff37304960965e2a5af045d390b98
SSDEEP

49152:iiQagHg5EVhwQd+qrW+i1w+Tqc0KxZbDOCwMDbyeKw3FGMFvfjPW21I3iIJR:3g7hRdj9iMlHBSFBWZR

Score

10^/10

meshagent personal backdoor discovery persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

Personal

http://heimdall.hostedhero.com:443/agent.ashx

Attributes

mesh_id
0x012DB6DDE7E65372F345CC35A1186B518B2A8BBA6502557EEDF03299CB0153F34D79A8C46FF331BD838E3903EF9E37A4
server_id
316B450D4320A8D7AF354D9F06DF347C98693E4AA9014FC7CFEF9940F3F338B0853FADD2076DF2D06D5810331C87BF50
wss
wss://heimdall.hostedhero.com:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023ce5-80.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-493223053-2004649691-1575712786-1000\""	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe

Executes dropped EXE 1 IoCs

Processes:

MeshAgent.exe

pid	Process
4500	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

Processes:

MeshAgent.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B8F5C5CA235686371F5D11150F3B28D02C76EC96	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E1F70BAB4CC592CBAA4DE9E683EE283A275F0DC2	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E1F70BAB4CC592CBAA4DE9E683EE283A275F0DC2	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\version.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\3CD8F7C3D0E5A54B35A7050168F9C6EC3CA7231F	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	MeshAgent.exe
File opened for modification	C:\Windows\System32\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\version.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	MeshAgent.exe

Drops file in Program Files directory 7 IoCs

Processes:

MeshAgent.exe2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe

description	ioc	Process
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

Processes:

MeshAgent.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133776664814137697"	MeshAgent.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
3432	powershell.exe
3432	powershell.exe
2220	powershell.exe
2220	powershell.exe
1488	powershell.exe
1488	powershell.exe
2884	powershell.exe
2884	powershell.exe
2320	powershell.exe
2320	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

wmic.exepowershell.exepowershell.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4884	wmic.exe
Token: SeSecurityPrivilege	4884	wmic.exe
Token: SeTakeOwnershipPrivilege	4884	wmic.exe
Token: SeLoadDriverPrivilege	4884	wmic.exe
Token: SeSystemProfilePrivilege	4884	wmic.exe
Token: SeSystemtimePrivilege	4884	wmic.exe
Token: SeProfSingleProcessPrivilege	4884	wmic.exe
Token: SeIncBasePriorityPrivilege	4884	wmic.exe
Token: SeCreatePagefilePrivilege	4884	wmic.exe
Token: SeBackupPrivilege	4884	wmic.exe
Token: SeRestorePrivilege	4884	wmic.exe
Token: SeShutdownPrivilege	4884	wmic.exe
Token: SeDebugPrivilege	4884	wmic.exe
Token: SeSystemEnvironmentPrivilege	4884	wmic.exe
Token: SeRemoteShutdownPrivilege	4884	wmic.exe
Token: SeUndockPrivilege	4884	wmic.exe
Token: SeManageVolumePrivilege	4884	wmic.exe
Token: 33	4884	wmic.exe
Token: 34	4884	wmic.exe
Token: 35	4884	wmic.exe
Token: 36	4884	wmic.exe
Token: SeIncreaseQuotaPrivilege	4884	wmic.exe
Token: SeSecurityPrivilege	4884	wmic.exe
Token: SeTakeOwnershipPrivilege	4884	wmic.exe
Token: SeLoadDriverPrivilege	4884	wmic.exe
Token: SeSystemProfilePrivilege	4884	wmic.exe
Token: SeSystemtimePrivilege	4884	wmic.exe
Token: SeProfSingleProcessPrivilege	4884	wmic.exe
Token: SeIncBasePriorityPrivilege	4884	wmic.exe
Token: SeCreatePagefilePrivilege	4884	wmic.exe
Token: SeBackupPrivilege	4884	wmic.exe
Token: SeRestorePrivilege	4884	wmic.exe
Token: SeShutdownPrivilege	4884	wmic.exe
Token: SeDebugPrivilege	4884	wmic.exe
Token: SeSystemEnvironmentPrivilege	4884	wmic.exe
Token: SeRemoteShutdownPrivilege	4884	wmic.exe
Token: SeUndockPrivilege	4884	wmic.exe
Token: SeManageVolumePrivilege	4884	wmic.exe
Token: 33	4884	wmic.exe
Token: 34	4884	wmic.exe
Token: 35	4884	wmic.exe
Token: 36	4884	wmic.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeIncreaseQuotaPrivilege	2220	powershell.exe
Token: SeSecurityPrivilege	2220	powershell.exe
Token: SeTakeOwnershipPrivilege	2220	powershell.exe
Token: SeLoadDriverPrivilege	2220	powershell.exe
Token: SeSystemProfilePrivilege	2220	powershell.exe
Token: SeSystemtimePrivilege	2220	powershell.exe
Token: SeProfSingleProcessPrivilege	2220	powershell.exe
Token: SeIncBasePriorityPrivilege	2220	powershell.exe
Token: SeCreatePagefilePrivilege	2220	powershell.exe
Token: SeBackupPrivilege	2220	powershell.exe
Token: SeRestorePrivilege	2220	powershell.exe
Token: SeShutdownPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeSystemEnvironmentPrivilege	2220	powershell.exe
Token: SeRemoteShutdownPrivilege	2220	powershell.exe
Token: SeUndockPrivilege	2220	powershell.exe
Token: SeManageVolumePrivilege	2220	powershell.exe
Token: 33	2220	powershell.exe
Token: 34	2220	powershell.exe
Token: 35	2220	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe

description	pid	Process	procid_target
PID 2992 wrote to memory of 4884	2992	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	86
PID 2992 wrote to memory of 4884	2992	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	86
PID 2992 wrote to memory of 4512	2992	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	89
PID 2992 wrote to memory of 4512	2992	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	89
PID 4512 wrote to memory of 3432	4512	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	93
PID 4512 wrote to memory of 3432	4512	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	93
PID 4512 wrote to memory of 2220	4512	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	95
PID 4512 wrote to memory of 2220	4512	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	95
PID 4512 wrote to memory of 1488	4512	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	98
PID 4512 wrote to memory of 1488	4512	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	98
PID 4512 wrote to memory of 2884	4512	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	100
PID 4512 wrote to memory of 2884	4512	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	100
PID 4512 wrote to memory of 2320	4512	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	104
PID 4512 wrote to memory of 2320	4512	2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-12-03_14b3ba84931f9d0d261decb8ccbaf079_ismagent_ryuk_sliver.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "Get-Module -ListAvailable -Name netsecurity"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2320

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-493223053-2004649691-1575712786-1000"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
2.9MB

MD5
14b3ba84931f9d0d261decb8ccbaf079

SHA1
a77659ab265213a2b38384b2ae8e1a722c1d7b2e

SHA256
854717a4571738e4ed8d49e7d1f9c77cf02f2aa26d7fd49cd4195b68aa44cb94

SHA512
97c65b9d2390b0e8af2a7a4510130a92c0be4c90399223b8f5b70eddc1b916329cb005fda7c3c5209c7d83a4c4637605a4cff37304960965e2a5af045d390b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
b5f63423f55e96fabcd1b186b27ce0c4

SHA1
581b488265a2f159836409853f4b97eb5941bd48

SHA256
451cd58d101dc6219943589eedc0789ff95f35be417f63555ebde5d354e7c11a

SHA512
f1e9873c6c88964035589f1dbfa28bff55315a66d471e69332f96c837855252187b719d5660baee2d5e3bb5d86b8c42e54826546b6e0d949010a6c7d2facadeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
447c9173cd8eb4031db128b10a6ed274

SHA1
17fb39c16feb1f6c682a1b71b8734636b52e27e0

SHA256
440ae83a949c4dcbee32fb29d4a8e5425f94e5fce714c4c9b9b14948cf6d0e57

SHA512
8579867c4f39761b216882c0be09f8cef187e36033e44e74e87266f090d861ad0e8cb7bae321c966d2ede9b9195da7d49f000ae8e1c67ab70aa4e5a08500ec19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc08d9efbf45b4045fdf2cfc507ddceb

SHA1
7a1095765f0b9ed6a04afeb084f4e78cc25aed5c

SHA256
b11437cfbe0773154d082440842d8754f31a0ff920b86a1c518cefbe9e0bc92e

SHA512
2f765d087a043d05720445383409bbab5f2a17f46c10257589a94a8dfa22e5888692879d25df2e78192e6a226ad3c44921689104a3e40f2a45ffe2cc0ba10571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ae2930e89fa554a266864b3bff19ffd6

SHA1
568bf36b3f9b4aa27a1baaeea47ad9c5c7ab4ea9

SHA256
81f124134b852930e0602874ebfa51dabb7a2bd3eb2bd5cffcd306a1fd458e41

SHA512
6a1e3d8b649d44e86ac40ce972d5b55fe1d49310f5d35fea026fa97c428432b3e99dc5b59216cb6c894c657879da627a04c3e8ee98af98f8cdbacacbc645becc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d313d68c4ef42d8dc6fa75368df95d4c

SHA1
404d73b6e72cf117478c832f06c417b9095a880e

SHA256
70067182c5857987899fa96ae9c6850298e625d13d915a1050f66fda027e1388

SHA512
46cf8aba5a85a112dd4a31cb9b0e79c632ca35b3ab86a054abc43e6d3d91510d8d0056094c9bc0df4d1d1e12041f18360220b62927fa4016e4533e1169f5db25

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjdmdgse.gag.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B8F5C5CA235686371F5D11150F3B28D02C76EC96

Filesize
1KB

MD5
4fa6c9b73dd9f113a0c905f776d2f0d3

SHA1
309e486f92908ff81a48614be17d2b057a34a0a8

SHA256
54a0266639ec1f3de6feb230de37c4031aecbdbc83604000c8ffa9f9cf8654a1

SHA512
57a244d9e1d61d55b3c463c059401cfd0d9a9a88bd2c2c47d4f0ae89a83b4f2627df7c78743673fa889432876d212d80ba2411acab20c1f8a21ae442c19d826a

Download Submit
memory/3432-2-0x000001E073830000-0x000001E073852000-memory.dmp

Filesize
136KB

Download
memory/3432-21-0x000001E073880000-0x000001E07388E000-memory.dmp

Filesize
56KB

Download
memory/3432-22-0x000001E0760C0000-0x000001E0760DA000-memory.dmp

Filesize
104KB

Download