meshagent | 1f8d1578e21fc517274e3a560c57a765b622ea907d0a3ba926b28be4e8ee4abd

Analysis

max time kernel
422s
max time network
423s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
19/03/2025, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meshcmd.exe
Size

4.1MB
MD5

b8d633d731051f9095ba02cde40271c9
SHA1

100f773094541684597d90d2c393febb963b1cde
SHA256

1f8d1578e21fc517274e3a560c57a765b622ea907d0a3ba926b28be4e8ee4abd
SHA512

4f39f2ac9f813bb50d70d788b5f82959e16a1e2d98b5a2559ea5b40b4be724b686d13a3f74cf0c2f1a6bae216861d2a89d776bb65cc62a72e70b37dbc66ed74e
SSDEEP

49152:6dZEy2B6vflQf6X8uZQoy3vR6QVQy5Z+bm4M/HMFvfGW0/wZ7IbOjxw57OSghLOT:CHvfGfZvZj1/N/z/AwpD5

Score

10^/10

meshagent testforme backdoor defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

testforme

Attributes

mesh_id
0x74027A312B0AB84E62227EC7C3E867458E9AD873985FAC23F0F8E783CD81F70E77DFC0CB7FFBA5E22349C40190A873E9
server_id
6BCD039A3454760E09EE7BFA6EB2A0F65A5F903D90EBA25FEA531F167630DF6B89F39F9E1CEF9D75CAD4B57AC61E0644
wss
localhost

Signatures

Detects MeshAgent payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000400000002ae17-247.dat	family_meshagent
behavioral1/files/0x001b00000002b274-573.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Downloads MZ/PE file 1 IoCs

flow	pid	Process
116	5072	chrome.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent64.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent64-testforme (1).exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent64-testforme (1).exe

Executes dropped EXE 18 IoCs

pid	Process
4852	meshagent64-testforme.exe
5176	meshagent64-testforme.exe
4740	meshagent64.exe
3880	meshagent64.exe
5284	meshagent64.exe
4488	meshagent64.exe
5256	meshagent64.exe
3432	MeshAgent.exe
4212	meshagent64-testforme (1).exe
6076	meshagent64-testforme (1).exe
4688	MeshAgent.exe
4100	meshagent64-testforme (1).exe
2748	meshagent64-testforme (1).exe
2208	meshagent64-testforme (1).exe
6108	meshagent64-testforme (1).exe
2428	MeshAgent.exe
1844	meshagent64-testforme (1).exe
3632	meshagent64-testforme (1).exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\70004C3CA6FE8B651EF61A8D9A800C1F47A5435C	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\70004C3CA6FE8B651EF61A8D9A800C1F47A5435C	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	MeshAgent.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent64-testforme (1).exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent64.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent64-testforme (1).exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\meshagent64-testforme (1).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\meshagent64-testforme.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\meshagent64.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	meshagent64-testforme.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	meshagent64-testforme (1).exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133868959178390853"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	meshagent64-testforme.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	meshagent64-testforme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	meshagent64-testforme.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	meshagent64-testforme.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	meshagent64-testforme.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\meshagent64-testforme (1).exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\meshagent64-testforme.exe:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\meshagent64.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
1236	chrome.exe
1236	chrome.exe
4008	powershell.exe
4008	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe
Token: SeShutdownPrivilege	3120	chrome.exe
Token: SeCreatePagefilePrivilege	3120	chrome.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
4460	WindowsTerminal.exe
4460	WindowsTerminal.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
3120	chrome.exe
4460	WindowsTerminal.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4460	WindowsTerminal.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 5604	3120	chrome.exe	83
PID 3120 wrote to memory of 5604	3120	chrome.exe	83
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 3928	3120	chrome.exe	84
PID 3120 wrote to memory of 5072	3120	chrome.exe	85
PID 3120 wrote to memory of 5072	3120	chrome.exe	85
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86
PID 3120 wrote to memory of 672	3120	chrome.exe	86

C:\Users\Admin\AppData\Local\Temp\meshcmd.exe
"C:\Users\Admin\AppData\Local\Temp\meshcmd.exe"
1⤵
PID:2376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7fff92f3dcf8,0x7fff92f3dd04,0x7fff92f3dd10
  2⤵
  PID:5604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1952,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2228,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2232 /prefetch:11
  2⤵
  - Downloads MZ/PE file
  PID:5072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2384,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2360 /prefetch:13
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4340 /prefetch:9
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4624,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4816,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4808 /prefetch:14
  2⤵
  PID:5680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4952,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4960 /prefetch:14
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5008,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5284 /prefetch:14
  2⤵
  PID:5524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5484,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5448 /prefetch:14
  2⤵
  PID:3340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5908,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4824,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4664,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3248,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:6040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=224,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4640 /prefetch:14
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6128,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3268 /prefetch:14
  2⤵
  PID:1864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5780,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6104 /prefetch:14
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6132,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3352 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1460
- C:\Users\Admin\Downloads\meshagent64-testforme.exe
  "C:\Users\Admin\Downloads\meshagent64-testforme.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:4852
- - C:\Users\Admin\Downloads\meshagent64-testforme.exe
    "C:\Users\Admin\Downloads\meshagent64-testforme.exe" connect --disableUpdate=1 --hideConsole=1 --exitPID=4852
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:5176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6364,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6368 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6336,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6020 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4448,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6316 /prefetch:14
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6372,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6340 /prefetch:14
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4364,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5684 /prefetch:14
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6196,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6228,i,17106058933681814531,15736318232386183959,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4304 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4980
- C:\Users\Admin\Downloads\meshagent64-testforme (1).exe
  "C:\Users\Admin\Downloads\meshagent64-testforme (1).exe"
  2⤵
  - Executes dropped EXE
  PID:4212
- - C:\Users\Admin\Downloads\meshagent64-testforme (1).exe
    "C:\Users\Admin\Downloads\meshagent64-testforme (1).exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:6076
- C:\Users\Admin\Downloads\meshagent64-testforme (1).exe
  "C:\Users\Admin\Downloads\meshagent64-testforme (1).exe"
  2⤵
  - Executes dropped EXE
  PID:4100
- - C:\Users\Admin\Downloads\meshagent64-testforme (1).exe
    "C:\Users\Admin\Downloads\meshagent64-testforme (1).exe" -fulluninstall
    3⤵
    - Executes dropped EXE
    PID:2748
  - - C:\Windows\system32\cmd.exe
      /C del "C:\Program Files\Mesh Agent\MeshAgent.*" && rmdir "C:\Program Files\Mesh Agent" && rmdir "C:\Program Files"
      4⤵
      PID:1324
- C:\Users\Admin\Downloads\meshagent64-testforme (1).exe
  "C:\Users\Admin\Downloads\meshagent64-testforme (1).exe"
  2⤵
  - Executes dropped EXE
  PID:2208
- - C:\Users\Admin\Downloads\meshagent64-testforme (1).exe
    "C:\Users\Admin\Downloads\meshagent64-testforme (1).exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:6108
- C:\Users\Admin\Downloads\meshagent64-testforme (1).exe
  "C:\Users\Admin\Downloads\meshagent64-testforme (1).exe"
  2⤵
  - Executes dropped EXE
  PID:1844
- - C:\Users\Admin\Downloads\meshagent64-testforme (1).exe
    "C:\Users\Admin\Downloads\meshagent64-testforme (1).exe" connect --disableUpdate=1 --hideConsole=1 --exitPID=1844
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:3632

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2080

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe" -d "C:\Users\Admin\Downloads\."
1⤵
PID:1460
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe -d "C:\Users\Admin\Downloads\."
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4460
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:4960
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa1c --server 0xa18
    3⤵
    PID:712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4008
  - - C:\Users\Admin\Downloads\meshagent64.exe
      "C:\Users\Admin\Downloads\meshagent64.exe" --help
      4⤵
      Executes dropped EXE
      PID:4740
  - - C:\Users\Admin\Downloads\meshagent64.exe
      "C:\Users\Admin\Downloads\meshagent64.exe" --start --WebProxy=https://81.199.130.130
      4⤵
      Executes dropped EXE
      PID:3880
  - - C:\Users\Admin\Downloads\meshagent64.exe
      "C:\Users\Admin\Downloads\meshagent64.exe" --start --WebProxy=https://81.199.130.130
      4⤵
      Executes dropped EXE
      PID:5284
  - - C:\Users\Admin\Downloads\meshagent64.exe
      "C:\Users\Admin\Downloads\meshagent64.exe" -start -WebProxy=https://81.199.130.130
      4⤵
      Executes dropped EXE
      PID:4488
  - - C:\Users\Admin\Downloads\meshagent64.exe
      "C:\Users\Admin\Downloads\meshagent64.exe" -fullinstall -WebProxy=https://81.199.130.130
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      Drops file in Program Files directory
      PID:5256

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:4284

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3432

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4688

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
35KB

MD5
6a3b07208e062b6c0485dd49c67789fd

SHA1
56a7aa768aed52ae9742736a432580d20f5d4842

SHA256
a3ee0287042f804d575948470896765b63dc86fb235415ba3786fcb096bcbc12

SHA512
63d3acd1436d5b0b07ca2a47308351457860ef9a3b3492e34b90a79d25d5b65ca49a88287918839c50cab5395cfaf0e215b9994fd1d442769d3bcafb56c83319

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.msh

Filesize
31KB

MD5
27dc895ec6881e8614556cd128accd08

SHA1
18256784185922dc55e94ae2199289b882f8c83b

SHA256
0e46f9dd0e81ebf62756d00bfbaf962e30d0008483bb1a7034cba18a0d6e004f

SHA512
1353e23ad880885fa38963465caee11761ab094f5317344e7aa824784e683a54ade94b65d23c68961d7f9a09d8109549434e0b74c94ae975918dcfdb60de3919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
3dbc124da47d745f90c8448163ac9cb1

SHA1
7fc1ca92096f858487d38f9ef3a31d9db893b3d8

SHA256
22239f729b670de7470125d743f8b74e83c2c33db4f69603f14f3ec4b6d1084a

SHA512
78d3fafe6f873bc03e2a7adcb6c983f1aac167e0104df411b4db5e903642dae33c437076e37417ce3785315ad4fc050ff3940bf7eb9326fe81c48fffdedb5294

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
5f87f94540a94d110ce77fcf8cbf7dcf

SHA1
f4f38689e7f5f89cc3953535682844a74330accf

SHA256
f31de43d0443b28a5cc012ae1482f7ac8afa586d2eaff51773e5ca87c46bdb24

SHA512
2efb888071c51855cf40a731e3b06fd9646d4742c3bb8b39954578df10c6785dd43c81e99e85a42c89e0ef0d0da0cd31398a2e859e3602cb3928e5b634102f46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
f93f50a30ee90cfa36b44b852fe13508

SHA1
ff091dcd09e42b8a118f8c2d3805ddb02ac34389

SHA256
e0cdfdc8e9195c47354b3c88dde5184c270dc5621d2d4c495a8ca01c240c273b

SHA512
41c45dbcf688b0662ef67983825b43995832b1a6de7f94d5f6dee87ab8c49d8b124c24db6ab8d6d4630dfcb97b2599b06a65fa4a6fdb6c060684a204136baa82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
97c8907f1b7b4ad57638955500116cbc

SHA1
7c3d7ac1eeb964bb16769a64c04107b352d93846

SHA256
8b1d37f691dcc5518082335d16a2d20711a3033a4475acb89eaf05eec5b9fcdc

SHA512
0ad696d8c468bc9613d88fe4e1aef97fb984bfa9368bb72622a89fab019cb79a8462abf6d8d14fd3175fcffe975e568a3c494e0cdf4ba29561f0d266268c0d44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
7cdebcc720e2502a07346e0c677f3d71

SHA1
300ed3de73c6e5beca18caee1dac2f54f809458c

SHA256
79c64793da6f53c44960b377b2a59171f59991e977556f99b724ea74fd38da1f

SHA512
1b259350db0c0c8f0d06f562a72c9f59e29c634a428de9b7cef3afb1b6701e66e4784b75b6d381d1708d35f979946dfa225790a986a28f3a378957a18a566f8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6b5cc6aaea8e3d8b504755a9b1b50ab1

SHA1
90b62c728063a157d24dd2923ab342714095996a

SHA256
ed00c6547bcc4addfc3df2ed9682cc7ae7c2f6a17d9fb53051a492955de2e5c9

SHA512
478b2d2ea74d2f50abc0dd19ac36d984ee050f42cd29d8592ba002cb4e0d9a0b28b5a83c37fd1fa885cb3efd4b25d9a2a2aeace06a0effbd3e0733fcf6ee902a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
61c746bf3f2663835d24e10a5a596902

SHA1
80202e62b2ca38c365932ae7252c58b5c1b91d67

SHA256
e82d74ac7a8741074e3424b6342dd85efb87e43a538b872a9437f91d597ff98a

SHA512
ae5bac20cd6d3090a99d591b9ba7d4617888cd44b8eb7c0b0012d7960d27be8d6e53278f3708deaa599182286fd89ad0c4c8b9ad2109a3627fb10a3f80e5ef08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0fe923180bd87acc7c1b0d4786d8cb35

SHA1
2ef3601e7f1a2ecc7ca2db6161a6f682f3973154

SHA256
5181efe931c9e45e99bb90b27ea886d74e378ef382460eeb8dfccc0debbd487f

SHA512
d8c4646ef8e4e8925169e694db1bed75dfe16e28d2a195da8e14522909eb65bc6e9d29c72a852861276721face12d7d3e07f412d2f86c3a8562e8abbd494f52c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6cc69c66df959837a37ab82200489183

SHA1
31c7390c8efde5fd7722ff1fd5ad626d586574c5

SHA256
dfebfeeff7a332a96c7784791759ea7ade2ffc4cfd0e646d92a6332a8f2f738b

SHA512
2281758e0cfc3085d7072b803d99b20f9525cfaca5be1bb49c1a161612e997d096b2ab22940e73518e8881edd8384f6c4bc726cbef18e70dc278033c7e5bf1f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c24b5a0aa0bf507fc9c0a3e0e08ad0cd

SHA1
676639af0c327544f352be59e32d61173e313604

SHA256
c45d064382e5e6ecde975f7e25da62c07bad4723b438c9684d057c00aa8daa6e

SHA512
f7c20e58de2cdd9d7d2afbbc0c3eb96d628b21db5b69e1af32ac15e90702c28e8cf16eaf933c7c92acff77f0ae1a9a6a3a7b7868ce2143b15aaa9a9384ac9b4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
61ffe4c270c7346c640dcc2caa1d9cd1

SHA1
7f35c79ed9c192f094da028309a27fd8bcbfb569

SHA256
0b95de99b9974f8bf770c702c81c88809b0a465bd198940e150c4ec6b71faf84

SHA512
93bae7d0c476eb807500d7f3c2698f5858a9139c6b21e2b9141d0eeb1df98c7ba2ae7bb4c7fb930da9b8620b83410514d84b56923fa063420f1df76be698b06b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ecf65673c0057e9e85333ac85a15d0ff

SHA1
2fbd07b2fe6af068236c327f0232526c674f02dc

SHA256
3d766ce77fc8390b70697e3e9127c13f20d01b1ed49f1bf3051b56806c8a1b63

SHA512
b68ce069df45b392d56742ecf3652b11e9833215d7255d25c0e7bfb273fdb98c452b6eda7f83545da7f52da2ef8a20bf7f5d4514390f2f736a60d32f6c26d58c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a4e37b65f0563d4b9ef37985b54827bc

SHA1
1c38bdaeb5d19d848b5c2d8aafc7d849b4a4211c

SHA256
6db48b7d2e648c37722394846cdbc00d5d2d9613386dbf303a857decc95fe59d

SHA512
47bdbb0eb2cc66763ceb63085ce55e524b9417601787a3dfd2379874cb87a491874735281ccd45a47cf83e1f2bce1c1a36a55fecd8a0bf22a530840406443ebf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e2fa2d5cc796ebaeb67b8c1ffbd1c8e2

SHA1
351893f93395dc2fa738837e777ed134b3b9452f

SHA256
b70d465ac13f02f8af5cf2465c9bd30db7617dd6e4b4aa759aac6afcd4497954

SHA512
7f15fee2a05ae418fe7b8f8d05795652c5484d608ba1360ceacd289f6f57fbde3b0102944776a55820ee0b71e5aa4f6fd5c924234631f572fd3c51103c84f631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
549461a3035f5891daa079f94cbe19c8

SHA1
41f536c2c92697f61936505ed7485b1d355ca5bb

SHA256
89d52a70963c8de44cf9db61f33c2f2cfd0dc816e6714f77b0212d33be192b9d

SHA512
87307f01be3c559cb1fddee77e444f05fdbaf06afe2435e73a267f9268b1b00faffd49d41c5b338ce2a50e59dbf17988daa3a4329c56950f215e2a14c140530e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
03aecd5b2b4b046609f3c4a2c79c80fc

SHA1
64b22fa32015d6f98c92ed41c0349ab71ed44d7e

SHA256
8f0a5c39194bc62f458f99fffd05f6af913f728e654a5ce221759e6f2b129446

SHA512
d2e6eb4afd8d12ff865e700620b75aa577f3ad62a0839a957c72abbef98cf3749000c9f841238b846421856bb9d3d90bca7e2e78a2a350be3597352b5c34a311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
071a576ddde17e7464a112c4d5ec3d75

SHA1
184d34c75b0fd9713cc595711e354236c4e47f37

SHA256
06e22e856ac765b4fd99206876adfc076e6d599de573900689dfc8c7b5efb867

SHA512
24668f73541e129810e4c23c69b791452d7cc90e5b7de8e7c249a5f9e88ad195762daad50b23e99468a7cc90403433e6aa18eabdf41968498900f4c456bd7ff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
625ed4a7c74a2cb0e1e67315169f5468

SHA1
758c12a897b8a15dccdd08178508e172e799dbe8

SHA256
848172e2e97198fd7bdd092f2747d608d3062fb7eab4b0a10a38e3c5fe1ca301

SHA512
ee50abeff33531e92d47c165a3d15894b5ff21ea75c6d63ac57f7446c9d2012c0e1a3122e49d3189246e4babd60660e72acd2b0c275e55a33a22317e5ffffb8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ecbd62b9c26fb67114f151e28b1e15a2

SHA1
7d3a68ce58286c6f93403095c62797c2868a29c8

SHA256
f9980da22dcd8bb03a3a4b0fdb193269803eced40d659b1b7f96b2cf235fa3f0

SHA512
ebc44e8988c9eee0fbcc93b40273cd9309bce759e98c6ec2b655ab58b982c2b2340337273eacf9826562a3291049c43bc0c35b1b2e27801a51d5d97614e3c374

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
30e8d581024f038a3d0dd6615be8f263

SHA1
8f85abd6a35de4010391945fbd11f94903c7dce5

SHA256
1668bbcfccde1c573f0553904cb92d6435f95f11efb8ad8d2e2293b3662dbbd4

SHA512
2e441b77003d3e5a92c8e7ce169fcb3def21c0b9be9f92127629fa6aa55dcad4294bc4fc280345c5cf687d18c5e996313e7d1e5eef8259d77fc9953b88677d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57aa59.TMP

Filesize
48B

MD5
89af81bb754326c94667e4796d1af338

SHA1
228f67d4763af1a5a8e5682e7725435a36c099e6

SHA256
9168baa5cdbfa4da49eb06b879afbb425b854774291f751213a1900e10b9d079

SHA512
9c1b21991d030eb61a3cc10b17e17be82929130432e535ccf894eec88c6e2f8d6c88e93c2af8861fe227a8da6d0cf2b5eeaed7b295d16896908525f6081e76b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
52f67114a16c4c541dc5e5837b34e331

SHA1
5b1bafbd060bd2700488d23b0f5e102c92bcbc16

SHA256
3c8ce143b6057243fcdb497e86c96ac243c1f97880290af2ec6ba6d759f58f1a

SHA512
d59955d83a181760d4309f9f02aa2095cabceed1078271481143a3c5ce98f4fc5f19eb28008c317899c7bfb7676d532feec6bb694d840e0a3677cdef9f3c436b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
15b7278d7fca49b1d85a53a015afdd51

SHA1
5dfdd630842e4bed8954bbbe28c0a796fbe6a4bc

SHA256
ac2aba3adfd206eaed5207ba97bcf5615c0181e50238cd7f0585ba6d8e5d0a79

SHA512
da4dd1e28ea47438bdc2e3071cf0f1ed6a8246667087a63c0b8328af770e2e4fef0f7b158101aaf54fb9eaf1635764da46471d9578914f4e68ea5ed2fb27603c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
7c6f26f231f02320f51a7539752a37c4

SHA1
4ab85fec8526f3ba20b52efb8bc22c9e2d4858ad

SHA256
c288b4230727d4e553f29bf7dadb1b26ebba146a0731e8366210eba0775eec88

SHA512
5928d62bf72c7e5543b87109d3413af81f4853916100f9d07d166676ebc41b4c30e655935baacaa50959ba36f0a9ab19ff2595f4a4230c0947943a822b544082

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
d098c69c85dd545f70a873228e8bc019

SHA1
cfc50455fd36d07023d04bcb93f8e07e92c1fa8e

SHA256
2d8f12053083ad4f497668578d358d37e464705785673f452535c669106e54cb

SHA512
d775b65315dbecdaa40885bd0f3dc457453303f9ce4d8a6a6a7ffade816478fea77be4d85a5e91080884232deb510986f6b11d3e98b98d0ef3c714e042728ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_efdf3qoz.faf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\908B5F04FED78C0002DC2109C1091E093CF86447

Filesize
1KB

MD5
fc12f60330007cb5d2e416d74a3269ac

SHA1
0bf34e83712776f792aae2ce5a18cb67c84d5411

SHA256
3e9f81bc8fdcdddcd512ca8dade8aded3a675e8d7a9d1abbf08d4491816ade4a

SHA512
113c87f22774c72c674e9fd29efbb9b08a9b64e9b28ac86c412cd6ce17b6229aa1bc85cbc92ece6a3df6c83f1ecd916434f9c7372857540c3423b80979c2a238

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\908B5F04FED78C0002DC2109C1091E093CF86447

Filesize
1KB

MD5
35625a7f052c61613aa8f083ee9cd605

SHA1
ba44ba0a96080fb308ca592ae90ce6d1f7c79fa0

SHA256
139c21933a01d616d449b3f2d081aa98a0e1c5e0b7e4321f64f85becf961fcfd

SHA512
1ed4de070d0d4307e6ddb66b51b5b4277c53cb655cc774a7f7352d64e28704482171764c320f9a19a522e19c6cc34db6696a0300280012c6616cc1cd49454073

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\9F15FC2A70693BA787DE1874FECEFBFB3BAC517B

Filesize
1KB

MD5
7190b52ab58c0f21ec4d339d91e9eba5

SHA1
69bab9c5b6b8220798d7648e823d0efa7e0d3bde

SHA256
c6f4ae0ef406c84ed8ffff60467ecb6eca258e86aba6acebb25af9e630872de5

SHA512
f8e7a9b300fff8b727ff933d895ad43df3f60a82d9b3371159a3bc48072c6d356002e0806606d143b5efa7fbf9fd2023c1502413016dba8dd1ed766a3bf15919

Download Submit
C:\Users\Admin\Downloads\836df461-fffb-482d-bd5c-54bf5d6d9065.tmp

Filesize
33KB

MD5
a5b70e582c9632981429b2f965baf28e

SHA1
4dc7165d81e246119558c83734c3d84e583d3710

SHA256
b485c03e34c0551fb6836bab579cef9ac88b402a64287ee9c20690a2f322ed5e

SHA512
c02dcc0ac386099304b8791406e40b9af7f0a9b37b245b951866189637d91d381a14e3cf68d4b67ee95f222b8d65d99902d15d85fcc7d3c280b6be5158b0e04f

Download Submit
C:\Users\Admin\Downloads\meshagent64-testforme.exe

Filesize
3.3MB

MD5
5f061173fe5d9ddfd479a2d51b0f9a6d

SHA1
62d5c663ae810c6a5440486ff2eaeb4f71bc53d1

SHA256
92d76ea72244c634ec82220fd7cbcad699b83ec6ffbafd0f063900388fff3a36

SHA512
48b580e60669a7bba20ace3a4c4cd374e369789d64aad36d2bb58ef4ca8e503071c7b3041f1ffb6763e9351c50465603552223a877811e5037203bdd7ae526c9

Download Submit
C:\Users\Admin\Downloads\meshagent64-testforme.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\meshagent64.exe

Filesize
3.3MB

MD5
3042be7996041c6fedb96fdd979b382e

SHA1
ff7b8932bc44e5cc70eba292567504f1d6195258

SHA256
00fa7314ceb24e4bb51ab78f80ad5bc47a29a44a05fc7f3fda622bacb6bcdf1a

SHA512
c270ba65df62ff74dbc0a2a45b150bf9eb8e3ea5b14564aef9cb9f8ebb0525db37e64d7cb40e8720a102de645952c9667861522aa74dddd42b5cac8dca2da918

Download Submit
C:\Users\Admin\Downloads\meshagent64.exe:Zone.Identifier

Filesize
74B

MD5
94542618c434890a02c7b63cc5e7feb8

SHA1
9c3e95431fe4343712bba8cfbb57cb771ec80385

SHA256
97de33967bedbc4db9469f1db8eafacc8199a5eb5ba6d0eac23c6b468a8db9c1

SHA512
1993b66da437ca8b969d29c444f62bb1a0c53787e4a8f048b1e6f06c928f0eeec81af8c6ea5dec979f7a338bc30eb1b63d6af8c9971d19cec3d9fc0f9b12c68d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\063FB5BE148C7F7A814A465E690AE05D12CCC8C7

Filesize
1KB

MD5
55e2565c625e66e03149d769ce1b15dc

SHA1
af89083c814fcb4463487088d9ac7e2848c062ca

SHA256
ede9272cf4a9fa15b5a48fa52c7f98501ca23c3a11ca71204c1fa28fec3917b4

SHA512
a4448e06eddc5d1025d96617ee5f1a34c470545bd387ac3a295c019580339ab9cd6aa82b764628e6ca709e5c54bb14037c62442d7516480d9ea3aa2c138b7166

Download Submit
memory/4008-597-0x000001F69F220000-0x000001F69F266000-memory.dmp

Filesize
280KB

Download
memory/4008-593-0x000001F69EDE0000-0x000001F69EE02000-memory.dmp

Filesize
136KB

Download
memory/4008-599-0x000001F69F2F0000-0x000001F69F366000-memory.dmp

Filesize
472KB

Download
memory/4008-600-0x000001F69F270000-0x000001F69F28E000-memory.dmp

Filesize
120KB

Download