meshagent | 56fbcb8a44a9870fdea8cbe69567220d98f4092cf47d59f450c3f378cb95136d

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe
Size

2.9MB
MD5

f9ffbad54a868dec678f79cc583c5f95
SHA1

a5c892b1ca7feb7d82c44394dda1eac306e6f674
SHA256

56fbcb8a44a9870fdea8cbe69567220d98f4092cf47d59f450c3f378cb95136d
SHA512

e540eaf2e0257e9be4d0e37f9b04f949d3563af30c5e63c5e332c785410aae30a3999b3b912e6cba458047e41a841b9e49d294792103620ff4c8abe967ea25d8
SSDEEP

49152:1yEEFoRjQ86ctQAWrk9k+PhBFB3FFIBoYCIYSMFvf0VQc9pdQPi:1nj36pUk0TkfYiQ/i

Score

10^/10

meshagent toruń_biuro backdoor discovery persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

TORUŃ_BIURO

http://telbmc3t.telbridge:443/agent.ashx

Attributes

mesh_id
0x445D64B5A8329B892A143B2D5EE04236CA4980B72D4D55FA00EB4AB75F6A1DDA62A118FCA7866B8ABBEFF5BB5C7571B1
server_id
9B5005CC4067F497A7E7934F8BB2EB09848772D6E44A4FE31B5F153284A8E7DF73F7037E7326F7DF36B9841E820BFE4F
wss
wss://telbmc3t.telbridge:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000001da7d-80.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-2278412438-3475196406-3686434223-1000\""	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000\Control Panel\International\Geo\Nation	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe

Executes dropped EXE 1 IoCs

pid	Process
3108	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CEFB6C26041FF9911E31CCFC11AF19D59E45775C	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\version.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdiplus.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6B1C7E44F20540D90E89E34B0A68743A152F4677	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\version.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CEFB6C26041FF9911E31CCFC11AF19D59E45775C	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\6B1C7E44F20540D90E89E34B0A68743A152F4677	MeshAgent.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\apphelp.pdb	MeshAgent.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133852976301728426"	MeshAgent.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1452	powershell.exe
1452	powershell.exe
2316	powershell.exe
2316	powershell.exe
4508	powershell.exe
4508	powershell.exe
2828	powershell.exe
2828	powershell.exe
5044	powershell.exe
5044	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2336	wmic.exe
Token: SeSecurityPrivilege	2336	wmic.exe
Token: SeTakeOwnershipPrivilege	2336	wmic.exe
Token: SeLoadDriverPrivilege	2336	wmic.exe
Token: SeSystemProfilePrivilege	2336	wmic.exe
Token: SeSystemtimePrivilege	2336	wmic.exe
Token: SeProfSingleProcessPrivilege	2336	wmic.exe
Token: SeIncBasePriorityPrivilege	2336	wmic.exe
Token: SeCreatePagefilePrivilege	2336	wmic.exe
Token: SeBackupPrivilege	2336	wmic.exe
Token: SeRestorePrivilege	2336	wmic.exe
Token: SeShutdownPrivilege	2336	wmic.exe
Token: SeDebugPrivilege	2336	wmic.exe
Token: SeSystemEnvironmentPrivilege	2336	wmic.exe
Token: SeRemoteShutdownPrivilege	2336	wmic.exe
Token: SeUndockPrivilege	2336	wmic.exe
Token: SeManageVolumePrivilege	2336	wmic.exe
Token: 33	2336	wmic.exe
Token: 34	2336	wmic.exe
Token: 35	2336	wmic.exe
Token: 36	2336	wmic.exe
Token: SeIncreaseQuotaPrivilege	2336	wmic.exe
Token: SeSecurityPrivilege	2336	wmic.exe
Token: SeTakeOwnershipPrivilege	2336	wmic.exe
Token: SeLoadDriverPrivilege	2336	wmic.exe
Token: SeSystemProfilePrivilege	2336	wmic.exe
Token: SeSystemtimePrivilege	2336	wmic.exe
Token: SeProfSingleProcessPrivilege	2336	wmic.exe
Token: SeIncBasePriorityPrivilege	2336	wmic.exe
Token: SeCreatePagefilePrivilege	2336	wmic.exe
Token: SeBackupPrivilege	2336	wmic.exe
Token: SeRestorePrivilege	2336	wmic.exe
Token: SeShutdownPrivilege	2336	wmic.exe
Token: SeDebugPrivilege	2336	wmic.exe
Token: SeSystemEnvironmentPrivilege	2336	wmic.exe
Token: SeRemoteShutdownPrivilege	2336	wmic.exe
Token: SeUndockPrivilege	2336	wmic.exe
Token: SeManageVolumePrivilege	2336	wmic.exe
Token: 33	2336	wmic.exe
Token: 34	2336	wmic.exe
Token: 35	2336	wmic.exe
Token: 36	2336	wmic.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeIncreaseQuotaPrivilege	2316	powershell.exe
Token: SeSecurityPrivilege	2316	powershell.exe
Token: SeTakeOwnershipPrivilege	2316	powershell.exe
Token: SeLoadDriverPrivilege	2316	powershell.exe
Token: SeSystemProfilePrivilege	2316	powershell.exe
Token: SeSystemtimePrivilege	2316	powershell.exe
Token: SeProfSingleProcessPrivilege	2316	powershell.exe
Token: SeIncBasePriorityPrivilege	2316	powershell.exe
Token: SeCreatePagefilePrivilege	2316	powershell.exe
Token: SeBackupPrivilege	2316	powershell.exe
Token: SeRestorePrivilege	2316	powershell.exe
Token: SeShutdownPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeSystemEnvironmentPrivilege	2316	powershell.exe
Token: SeRemoteShutdownPrivilege	2316	powershell.exe
Token: SeUndockPrivilege	2316	powershell.exe
Token: SeManageVolumePrivilege	2316	powershell.exe
Token: 33	2316	powershell.exe
Token: 34	2316	powershell.exe
Token: 35	2316	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 2336	4760	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	85
PID 4760 wrote to memory of 2336	4760	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	85
PID 4760 wrote to memory of 4572	4760	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	91
PID 4760 wrote to memory of 4572	4760	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	91
PID 4572 wrote to memory of 1452	4572	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	94
PID 4572 wrote to memory of 1452	4572	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	94
PID 4572 wrote to memory of 2316	4572	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	98
PID 4572 wrote to memory of 2316	4572	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	98
PID 4572 wrote to memory of 4508	4572	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	101
PID 4572 wrote to memory of 4508	4572	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	101
PID 4572 wrote to memory of 2828	4572	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	103
PID 4572 wrote to memory of 2828	4572	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	103
PID 4572 wrote to memory of 5044	4572	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	105
PID 4572 wrote to memory of 5044	4572	2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe	105

C:\Users\Admin\AppData\Local\Temp\2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-03-01_f9ffbad54a868dec678f79cc583c5f95_ismagent_ryuk_sliver.exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "Get-Module -ListAvailable -Name netsecurity"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5044

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-2278412438-3475196406-3686434223-1000"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
2.9MB

MD5
f9ffbad54a868dec678f79cc583c5f95

SHA1
a5c892b1ca7feb7d82c44394dda1eac306e6f674

SHA256
56fbcb8a44a9870fdea8cbe69567220d98f4092cf47d59f450c3f378cb95136d

SHA512
e540eaf2e0257e9be4d0e37f9b04f949d3563af30c5e63c5e332c785410aae30a3999b3b912e6cba458047e41a841b9e49d294792103620ff4c8abe967ea25d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
b5f63423f55e96fabcd1b186b27ce0c4

SHA1
581b488265a2f159836409853f4b97eb5941bd48

SHA256
451cd58d101dc6219943589eedc0789ff95f35be417f63555ebde5d354e7c11a

SHA512
f1e9873c6c88964035589f1dbfa28bff55315a66d471e69332f96c837855252187b719d5660baee2d5e3bb5d86b8c42e54826546b6e0d949010a6c7d2facadeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc08d9efbf45b4045fdf2cfc507ddceb

SHA1
7a1095765f0b9ed6a04afeb084f4e78cc25aed5c

SHA256
b11437cfbe0773154d082440842d8754f31a0ff920b86a1c518cefbe9e0bc92e

SHA512
2f765d087a043d05720445383409bbab5f2a17f46c10257589a94a8dfa22e5888692879d25df2e78192e6a226ad3c44921689104a3e40f2a45ffe2cc0ba10571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
302c0520e15e07cfbfea016a53148051

SHA1
10575783a6ec9537c9649eeb8ce4baeeb8665c5b

SHA256
18502cd315881b11e681f1e6eb1ef9fcbea8e0f9b566b6e2c623658e84022f0e

SHA512
cbf17087a80aaab432673ed5c3b5db46053695d96c24231789a5533d0007ac377d02c8cd93735bc928fe4d308cb62c94ff648b33dad7ec16a367fbd05e54cc12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c5abd48d54c40d94c789ab31dc7cb091

SHA1
75be51f7bdbb1b9f423d72c316e3115e7751cd60

SHA256
1cb8bf7061f9cd3a605ec9c8154e7c118149030890ed404bcb18af2ebf093bb3

SHA512
da44335b69c8747e2f8b6966c0fd9f115193001f5d968e6c67a91c66bef02e0d8a216fa5e44a0033a0180912bf89fe35e30a99ac72cecabb75ba72db03ceaef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fkm1r3iq.1rx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CEFB6C26041FF9911E31CCFC11AF19D59E45775C

Filesize
1KB

MD5
cd3dbd7477cd09ac6d1c0de11b57333b

SHA1
caf965e64c185fe8444ee79aa03269bae326d571

SHA256
2c0900f91c82f56add05aa4ca43f50993ede517214334306604f123c5e165382

SHA512
1d7aae3f938ac194413fcdb5f796284e383b9947228a601d699b459804df629b80a235650f86498d46d9ec6a0dc64aa8de4d89dc4702bdb1e2927caabae2798e

Download Submit
memory/1452-11-0x000001883DDD0000-0x000001883DDF2000-memory.dmp

Filesize
136KB

Download
memory/1452-21-0x000001883DE30000-0x000001883DE3E000-memory.dmp

Filesize
56KB

Download
memory/1452-22-0x0000018840230000-0x000001884024A000-memory.dmp

Filesize
104KB

Download