meshagent | 55359047b2ba78d96cf00b4cd57445e7b68e7b0752f42a31805bf94f3f689ebf

Analysis

max time kernel
124s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe
Size

2.9MB
MD5

783c6c51d2ea781d065bea1801241650
SHA1

cdb67c19a6d4177aa51f3cda66e08026a90e27e6
SHA256

55359047b2ba78d96cf00b4cd57445e7b68e7b0752f42a31805bf94f3f689ebf
SHA512

318daceee5bcfebdf385759ada5eb6aa08189b810c49cb75809b0be16c770d924cd94808fbc011c103616bb3199f6768bf703f6d1128294196b1ff8776e3cf8e
SSDEEP

49152:OiQagHg5EVhwQd+qrW+i1w+Tqc0KxZbDOCwMDbyeKw3FGMFvfjPW21I3iIJS:bg7hRdj9iMlHBSFBWZS

Score

10^/10

meshagent rmmtest backdoor discovery persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

RMMTest

http://meshcentral.com:443/agent.ashx

Attributes

mesh_id
0x36BCDD2BF134B3D2E0FF25BB329B4F57FF9F3B1CF6BE4AF56F50C0BC68C3113E24A5FA864D4BC9B58D873279FB76BA04
server_id
D01B0463C0C9E38D81254F7B22DD4DAD848302AEF186BFCFF1D61F4F73846D6F8C8C94D01D3CF1EACA3836F8E5D316A4
wss
wss://meshcentral.com:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b9d-80.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-493223053-2004649691-1575712786-1000\""	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe

Executes dropped EXE 1 IoCs

pid	Process
3764	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\version.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\version.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\sechost.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\AE555C53965FB4A90E01ED7A200379A8694382FB	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\F6BA18C0EA9BEEF94F6DAB024CF168EE9B74F2D9	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\1B8B64DD5D745977C706EE9DB59EACC6061C2FE3	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\14F35F0761B518CDB7BC49A28EF1E9146BB94918	MeshAgent.exe
File opened for modification	C:\Windows\System32\version.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\1B8B64DD5D745977C706EE9DB59EACC6061C2FE3	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\apphelp.pdb	MeshAgent.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133813794312275452"	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4572	powershell.exe
4572	powershell.exe
1476	powershell.exe
1476	powershell.exe
1860	powershell.exe
1860	powershell.exe
640	powershell.exe
640	powershell.exe
3404	powershell.exe
3404	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2156	wmic.exe
Token: SeSecurityPrivilege	2156	wmic.exe
Token: SeTakeOwnershipPrivilege	2156	wmic.exe
Token: SeLoadDriverPrivilege	2156	wmic.exe
Token: SeSystemProfilePrivilege	2156	wmic.exe
Token: SeSystemtimePrivilege	2156	wmic.exe
Token: SeProfSingleProcessPrivilege	2156	wmic.exe
Token: SeIncBasePriorityPrivilege	2156	wmic.exe
Token: SeCreatePagefilePrivilege	2156	wmic.exe
Token: SeBackupPrivilege	2156	wmic.exe
Token: SeRestorePrivilege	2156	wmic.exe
Token: SeShutdownPrivilege	2156	wmic.exe
Token: SeDebugPrivilege	2156	wmic.exe
Token: SeSystemEnvironmentPrivilege	2156	wmic.exe
Token: SeRemoteShutdownPrivilege	2156	wmic.exe
Token: SeUndockPrivilege	2156	wmic.exe
Token: SeManageVolumePrivilege	2156	wmic.exe
Token: 33	2156	wmic.exe
Token: 34	2156	wmic.exe
Token: 35	2156	wmic.exe
Token: 36	2156	wmic.exe
Token: SeIncreaseQuotaPrivilege	2156	wmic.exe
Token: SeSecurityPrivilege	2156	wmic.exe
Token: SeTakeOwnershipPrivilege	2156	wmic.exe
Token: SeLoadDriverPrivilege	2156	wmic.exe
Token: SeSystemProfilePrivilege	2156	wmic.exe
Token: SeSystemtimePrivilege	2156	wmic.exe
Token: SeProfSingleProcessPrivilege	2156	wmic.exe
Token: SeIncBasePriorityPrivilege	2156	wmic.exe
Token: SeCreatePagefilePrivilege	2156	wmic.exe
Token: SeBackupPrivilege	2156	wmic.exe
Token: SeRestorePrivilege	2156	wmic.exe
Token: SeShutdownPrivilege	2156	wmic.exe
Token: SeDebugPrivilege	2156	wmic.exe
Token: SeSystemEnvironmentPrivilege	2156	wmic.exe
Token: SeRemoteShutdownPrivilege	2156	wmic.exe
Token: SeUndockPrivilege	2156	wmic.exe
Token: SeManageVolumePrivilege	2156	wmic.exe
Token: 33	2156	wmic.exe
Token: 34	2156	wmic.exe
Token: 35	2156	wmic.exe
Token: 36	2156	wmic.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeIncreaseQuotaPrivilege	1476	powershell.exe
Token: SeSecurityPrivilege	1476	powershell.exe
Token: SeTakeOwnershipPrivilege	1476	powershell.exe
Token: SeLoadDriverPrivilege	1476	powershell.exe
Token: SeSystemProfilePrivilege	1476	powershell.exe
Token: SeSystemtimePrivilege	1476	powershell.exe
Token: SeProfSingleProcessPrivilege	1476	powershell.exe
Token: SeIncBasePriorityPrivilege	1476	powershell.exe
Token: SeCreatePagefilePrivilege	1476	powershell.exe
Token: SeBackupPrivilege	1476	powershell.exe
Token: SeRestorePrivilege	1476	powershell.exe
Token: SeShutdownPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeSystemEnvironmentPrivilege	1476	powershell.exe
Token: SeRemoteShutdownPrivilege	1476	powershell.exe
Token: SeUndockPrivilege	1476	powershell.exe
Token: SeManageVolumePrivilege	1476	powershell.exe
Token: 33	1476	powershell.exe
Token: 34	1476	powershell.exe
Token: 35	1476	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4300 wrote to memory of 2156	4300	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	84
PID 4300 wrote to memory of 2156	4300	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	84
PID 4300 wrote to memory of 3940	4300	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	87
PID 4300 wrote to memory of 3940	4300	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	87
PID 3940 wrote to memory of 4572	3940	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	91
PID 3940 wrote to memory of 4572	3940	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	91
PID 3940 wrote to memory of 1476	3940	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	93
PID 3940 wrote to memory of 1476	3940	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	93
PID 3940 wrote to memory of 1860	3940	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	96
PID 3940 wrote to memory of 1860	3940	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	96
PID 3940 wrote to memory of 640	3940	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	98
PID 3940 wrote to memory of 640	3940	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	98
PID 3940 wrote to memory of 3404	3940	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	100
PID 3940 wrote to memory of 3404	3940	2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe	100

C:\Users\Admin\AppData\Local\Temp\2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4300
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-01-15_783c6c51d2ea781d065bea1801241650_ismagent_ryuk_sliver.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "Get-Module -ListAvailable -Name netsecurity"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3404

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-493223053-2004649691-1575712786-1000"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
2.9MB

MD5
783c6c51d2ea781d065bea1801241650

SHA1
cdb67c19a6d4177aa51f3cda66e08026a90e27e6

SHA256
55359047b2ba78d96cf00b4cd57445e7b68e7b0752f42a31805bf94f3f689ebf

SHA512
318daceee5bcfebdf385759ada5eb6aa08189b810c49cb75809b0be16c770d924cd94808fbc011c103616bb3199f6768bf703f6d1128294196b1ff8776e3cf8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
b5f63423f55e96fabcd1b186b27ce0c4

SHA1
581b488265a2f159836409853f4b97eb5941bd48

SHA256
451cd58d101dc6219943589eedc0789ff95f35be417f63555ebde5d354e7c11a

SHA512
f1e9873c6c88964035589f1dbfa28bff55315a66d471e69332f96c837855252187b719d5660baee2d5e3bb5d86b8c42e54826546b6e0d949010a6c7d2facadeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc08d9efbf45b4045fdf2cfc507ddceb

SHA1
7a1095765f0b9ed6a04afeb084f4e78cc25aed5c

SHA256
b11437cfbe0773154d082440842d8754f31a0ff920b86a1c518cefbe9e0bc92e

SHA512
2f765d087a043d05720445383409bbab5f2a17f46c10257589a94a8dfa22e5888692879d25df2e78192e6a226ad3c44921689104a3e40f2a45ffe2cc0ba10571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ec317a8a44bfddc4bae74b0eb33b565

SHA1
9cd6dcc8fc663a9037626b08f6045627d6328ac8

SHA256
1fea1684a4bea9c31f932b2a198a7859065341615adfdcb15bcee8dae801e524

SHA512
a0df75870a51713bf43a6910656613652f1eb2008a86e48c3926dd8d1f1f55c77eb877e799ba78d984a024df9faa93978f31395ba24ec810575f35fdf95b15e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
babdccf15fa0b7106974ea373aee4b4c

SHA1
ca9c673627aaa8c29e7f134c0d1b0986ce37e235

SHA256
2c2da2366e23397bed7bdad5662c2ef68c378f81d2d086cf9c8866e05620912f

SHA512
e0aaa6014c039cbbc547f04534ec99b20995c050e92e9104ff022f8b11b384490195876f6d38dff53fafd39f08e27a7085728c48a731f604d2689d1829917be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_twg50g0j.d3o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\1B8B64DD5D745977C706EE9DB59EACC6061C2FE3

Filesize
1KB

MD5
eaa9a672e225c67c0f462f31d97a49e5

SHA1
df128270b6b2fee48a7ef739e328e1c87dcb8ab0

SHA256
2d60d7b33a1397706b84c632490ba0a962dfe34739ee3f99bae22002e61c2907

SHA512
6e3f369bd19b0713f5555fe65eaefe04aef1f844c9e37d7e910c845055eb2d35a32cb7c3557c699e07139bbfc5f35ce587987c9f1c75c8c681a29d717d9202c2

Download Submit
memory/4572-11-0x0000029497F70000-0x0000029497F92000-memory.dmp

Filesize
136KB

Download
memory/4572-22-0x00000294B2610000-0x00000294B262A000-memory.dmp

Filesize
104KB

Download
memory/4572-21-0x00000294B25E0000-0x00000294B25EE000-memory.dmp

Filesize
56KB

Download