Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-09-2024 16:01

General

  • Target

    file.exe

  • Size

    1.8MB

  • MD5

    749bd6bf56a6d0ad6a8a4e5712377555

  • SHA1

    6e4ff640a527ed497505c402d1e7bdb26f3dd472

  • SHA256

    e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3

  • SHA512

    250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d

  • SSDEEP

    49152:UkQletNpj4NmwF1tBE6BAfTm9k9MJsuAfChboFtcZo:UFletXjoD1tBEc90XCo6Zo

Malware Config

Extracted

Family

meshagent

Version

2

Botnet

group

C2

http://94.131.119.184:443/agent.ashx

Attributes
  • mesh_id

    0x1BB80B7BD3F37219BF6F79BEE0A08A00B90168972309CA4BFD812814A9F980439E71B51CC08CC59D904B5AED18647DD0

  • server_id

    B13800B3094163CC81EA68335E6D9A9B98350B3D697F92D49A06C6ADC9519150B766816EBC90ED105D4749F3F47F60B6

  • wss

    wss://94.131.119.184:443/agent.ashx

Signatures

  • Detects MeshAgent payload 1 IoCs
  • MeshAgent

    MeshAgent is an open source remote access trojan written in C++.

  • Sets service image path in registry 2 TTPs 1 IoCs
  • Executes dropped EXE 16 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 34 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3308
    • C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
      "C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
      2⤵
      • Sets service image path in registry
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:3924
  • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
    "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Modifies data under HKEY_USERS
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic SystemEnclosure get ChassisTypes
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2312
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1992
    • C:\Windows\SysWOW64\wbem\wmic.exe
      wmic os get oslanguage /FORMAT:LIST
      2⤵
        PID:2072
      • C:\Windows\SysWOW64\wbem\wmic.exe
        wmic SystemEnclosure get ChassisTypes
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1040
      • C:\Windows\SysWOW64\wbem\wmic.exe
        wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        2⤵
        • System Location Discovery: System Language Discovery
        PID:808
    • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
      "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:4384
      • C:\Windows\SysWOW64\wbem\wmic.exe
        wmic SystemEnclosure get ChassisTypes
        2⤵
          PID:1012
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic os get oslanguage /FORMAT:LIST
          2⤵
          • System Location Discovery: System Language Discovery
          PID:3872
        • C:\Windows\SysWOW64\wbem\wmic.exe
          wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
          2⤵
            PID:4816
          • C:\Windows\SysWOW64\wbem\wmic.exe
            wmic SystemEnclosure get ChassisTypes
            2⤵
              PID:4012
            • C:\Windows\SysWOW64\wbem\wmic.exe
              wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
              2⤵
                PID:2188
            • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
              "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
              1⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Modifies data under HKEY_USERS
              • Suspicious use of WriteProcessMemory
              PID:1312
              • C:\Windows\SysWOW64\wbem\wmic.exe
                wmic SystemEnclosure get ChassisTypes
                2⤵
                • System Location Discovery: System Language Discovery
                PID:3264
              • C:\Windows\SysWOW64\wbem\wmic.exe
                wmic os get oslanguage /FORMAT:LIST
                2⤵
                • System Location Discovery: System Language Discovery
                PID:3408
              • C:\Windows\SysWOW64\wbem\wmic.exe
                wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                2⤵
                • System Location Discovery: System Language Discovery
                PID:4072
              • C:\Windows\SysWOW64\wbem\wmic.exe
                wmic SystemEnclosure get ChassisTypes
                2⤵
                • System Location Discovery: System Language Discovery
                PID:2540
              • C:\Windows\SysWOW64\wbem\wmic.exe
                wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                2⤵
                  PID:772
              • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                1⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Drops file in Program Files directory
                • System Location Discovery: System Language Discovery
                • Modifies data under HKEY_USERS
                • Suspicious use of WriteProcessMemory
                PID:2060
                • C:\Windows\SysWOW64\wbem\wmic.exe
                  wmic SystemEnclosure get ChassisTypes
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:3636
                • C:\Windows\SysWOW64\wbem\wmic.exe
                  wmic os get oslanguage /FORMAT:LIST
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:4424
                • C:\Windows\SysWOW64\wbem\wmic.exe
                  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1544
                • C:\Windows\SysWOW64\wbem\wmic.exe
                  wmic SystemEnclosure get ChassisTypes
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1776
                • C:\Windows\SysWOW64\wbem\wmic.exe
                  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:4644
              • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                1⤵
                • Executes dropped EXE
                • Drops file in System32 directory
                • Drops file in Program Files directory
                • Modifies data under HKEY_USERS
                PID:3900
                • C:\Windows\SysWOW64\wbem\wmic.exe
                  wmic SystemEnclosure get ChassisTypes
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:4620
                • C:\Windows\SysWOW64\wbem\wmic.exe
                  wmic os get oslanguage /FORMAT:LIST
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:3404
                • C:\Windows\SysWOW64\wbem\wmic.exe
                  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                  2⤵
                    PID:4332
                  • C:\Windows\SysWOW64\wbem\wmic.exe
                    wmic SystemEnclosure get ChassisTypes
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:1216
                  • C:\Windows\SysWOW64\wbem\wmic.exe
                    wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                    2⤵
                      PID:3584
                  • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                    "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                    1⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Drops file in Program Files directory
                    • System Location Discovery: System Language Discovery
                    • Modifies data under HKEY_USERS
                    PID:3516
                    • C:\Windows\SysWOW64\wbem\wmic.exe
                      wmic SystemEnclosure get ChassisTypes
                      2⤵
                        PID:3432
                      • C:\Windows\SysWOW64\wbem\wmic.exe
                        wmic os get oslanguage /FORMAT:LIST
                        2⤵
                          PID:3260
                        • C:\Windows\SysWOW64\wbem\wmic.exe
                          wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                          2⤵
                            PID:4040
                          • C:\Windows\SysWOW64\wbem\wmic.exe
                            wmic os get oslanguage /FORMAT:LIST
                            2⤵
                              PID:1620
                            • C:\Windows\SysWOW64\wbem\wmic.exe
                              wmic SystemEnclosure get ChassisTypes
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:1876
                            • C:\Windows\SysWOW64\wbem\wmic.exe
                              wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                              2⤵
                              • System Location Discovery: System Language Discovery
                              PID:1200
                          • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                            "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                            1⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Drops file in Program Files directory
                            • System Location Discovery: System Language Discovery
                            • Modifies data under HKEY_USERS
                            PID:5004
                            • C:\Windows\SysWOW64\wbem\wmic.exe
                              wmic SystemEnclosure get ChassisTypes
                              2⤵
                                PID:4288
                              • C:\Windows\SysWOW64\wbem\wmic.exe
                                wmic os get oslanguage /FORMAT:LIST
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:808
                              • C:\Windows\SysWOW64\wbem\wmic.exe
                                wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:3176
                              • C:\Windows\SysWOW64\wbem\wmic.exe
                                wmic os get oslanguage /FORMAT:LIST
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:1084
                              • C:\Windows\SysWOW64\wbem\wmic.exe
                                wmic SystemEnclosure get ChassisTypes
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:3824
                              • C:\Windows\SysWOW64\wbem\wmic.exe
                                wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                2⤵
                                • System Location Discovery: System Language Discovery
                                PID:4008
                            • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                              "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                              1⤵
                              • Executes dropped EXE
                              • Drops file in System32 directory
                              • Drops file in Program Files directory
                              • System Location Discovery: System Language Discovery
                              • Modifies data under HKEY_USERS
                              PID:1368
                              • C:\Windows\SysWOW64\wbem\wmic.exe
                                wmic SystemEnclosure get ChassisTypes
                                2⤵
                                  PID:2220
                                • C:\Windows\SysWOW64\wbem\wmic.exe
                                  wmic os get oslanguage /FORMAT:LIST
                                  2⤵
                                    PID:4776
                                  • C:\Windows\SysWOW64\wbem\wmic.exe
                                    wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                    2⤵
                                    • System Location Discovery: System Language Discovery
                                    PID:1192
                                  • C:\Windows\SysWOW64\wbem\wmic.exe
                                    wmic SystemEnclosure get ChassisTypes
                                    2⤵
                                      PID:2432
                                    • C:\Windows\SysWOW64\wbem\wmic.exe
                                      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                      2⤵
                                        PID:1088
                                    • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                                      "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                                      1⤵
                                      • Executes dropped EXE
                                      • Drops file in System32 directory
                                      • Drops file in Program Files directory
                                      • System Location Discovery: System Language Discovery
                                      • Modifies data under HKEY_USERS
                                      PID:3408
                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                        wmic SystemEnclosure get ChassisTypes
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:1624
                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                        wmic os get oslanguage /FORMAT:LIST
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:3628
                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                        wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                        2⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:4856
                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                        wmic SystemEnclosure get ChassisTypes
                                        2⤵
                                          PID:1312
                                        • C:\Windows\SysWOW64\wbem\wmic.exe
                                          wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4476
                                      • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                                        "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                                        1⤵
                                        • Executes dropped EXE
                                        • Drops file in System32 directory
                                        • Drops file in Program Files directory
                                        • Modifies data under HKEY_USERS
                                        PID:3936
                                        • C:\Windows\SysWOW64\wbem\wmic.exe
                                          wmic SystemEnclosure get ChassisTypes
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:640
                                        • C:\Windows\SysWOW64\wbem\wmic.exe
                                          wmic os get oslanguage /FORMAT:LIST
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:1776
                                        • C:\Windows\SysWOW64\wbem\wmic.exe
                                          wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:536
                                        • C:\Windows\SysWOW64\wbem\wmic.exe
                                          wmic SystemEnclosure get ChassisTypes
                                          2⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:2720
                                        • C:\Windows\SysWOW64\wbem\wmic.exe
                                          wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                          2⤵
                                            PID:2252
                                        • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                                          "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                                          1⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Drops file in Program Files directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies data under HKEY_USERS
                                          PID:2936
                                          • C:\Windows\SysWOW64\wbem\wmic.exe
                                            wmic SystemEnclosure get ChassisTypes
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:4716
                                          • C:\Windows\SysWOW64\wbem\wmic.exe
                                            wmic os get oslanguage /FORMAT:LIST
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:3848
                                          • C:\Windows\SysWOW64\wbem\wmic.exe
                                            wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:4460
                                          • C:\Windows\SysWOW64\wbem\wmic.exe
                                            wmic SystemEnclosure get ChassisTypes
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:3488
                                          • C:\Windows\SysWOW64\wbem\wmic.exe
                                            wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                            2⤵
                                            • System Location Discovery: System Language Discovery
                                            PID:3988
                                        • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                                          "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                                          1⤵
                                          • Executes dropped EXE
                                          • Drops file in System32 directory
                                          • Drops file in Program Files directory
                                          • System Location Discovery: System Language Discovery
                                          • Modifies data under HKEY_USERS
                                          PID:4208
                                          • C:\Windows\SysWOW64\wbem\wmic.exe
                                            wmic SystemEnclosure get ChassisTypes
                                            2⤵
                                              PID:2968
                                            • C:\Windows\SysWOW64\wbem\wmic.exe
                                              wmic os get oslanguage /FORMAT:LIST
                                              2⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:1604
                                            • C:\Windows\SysWOW64\wbem\wmic.exe
                                              wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                              2⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:1300
                                            • C:\Windows\SysWOW64\wbem\wmic.exe
                                              wmic SystemEnclosure get ChassisTypes
                                              2⤵
                                              • System Location Discovery: System Language Discovery
                                              PID:2192
                                            • C:\Windows\SysWOW64\wbem\wmic.exe
                                              wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                              2⤵
                                                PID:4484
                                            • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                                              "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                                              1⤵
                                              • Executes dropped EXE
                                              • Drops file in System32 directory
                                              • Drops file in Program Files directory
                                              • System Location Discovery: System Language Discovery
                                              • Modifies data under HKEY_USERS
                                              PID:4972
                                              • C:\Windows\SysWOW64\wbem\wmic.exe
                                                wmic SystemEnclosure get ChassisTypes
                                                2⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2800
                                              • C:\Windows\SysWOW64\wbem\wmic.exe
                                                wmic os get oslanguage /FORMAT:LIST
                                                2⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:2644
                                              • C:\Windows\SysWOW64\wbem\wmic.exe
                                                wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                                2⤵
                                                  PID:452
                                                • C:\Windows\SysWOW64\wbem\wmic.exe
                                                  wmic SystemEnclosure get ChassisTypes
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4892
                                                • C:\Windows\SysWOW64\wbem\wmic.exe
                                                  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                                  2⤵
                                                  • System Location Discovery: System Language Discovery
                                                  PID:4940
                                              • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                                                "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                                                1⤵
                                                • Executes dropped EXE
                                                • Drops file in System32 directory
                                                • Drops file in Program Files directory
                                                • Modifies data under HKEY_USERS
                                                PID:1060
                                                • C:\Windows\SysWOW64\wbem\wmic.exe
                                                  wmic SystemEnclosure get ChassisTypes
                                                  2⤵
                                                    PID:1864
                                                  • C:\Windows\SysWOW64\wbem\wmic.exe
                                                    wmic os get oslanguage /FORMAT:LIST
                                                    2⤵
                                                      PID:4976
                                                    • C:\Windows\SysWOW64\wbem\wmic.exe
                                                      wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                                      2⤵
                                                      • System Location Discovery: System Language Discovery
                                                      PID:5012
                                                    • C:\Windows\SysWOW64\wbem\wmic.exe
                                                      wmic SystemEnclosure get ChassisTypes
                                                      2⤵
                                                        PID:3128
                                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                                        wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:2520
                                                    • C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
                                                      "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
                                                      1⤵
                                                      • Executes dropped EXE
                                                      • Drops file in System32 directory
                                                      • Drops file in Program Files directory
                                                      • System Location Discovery: System Language Discovery
                                                      • Modifies data under HKEY_USERS
                                                      PID:3684
                                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                                        wmic SystemEnclosure get ChassisTypes
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:3532
                                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                                        wmic os get oslanguage /FORMAT:LIST
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:3908
                                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                                        wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:3860
                                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                                        wmic os get oslanguage /FORMAT:LIST
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:4668
                                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                                        wmic SystemEnclosure get ChassisTypes
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:5052
                                                      • C:\Windows\SysWOW64\wbem\wmic.exe
                                                        wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
                                                        2⤵
                                                        • System Location Discovery: System Language Discovery
                                                        PID:3744
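The tree above shows the installed agent, C:\Program Files (x86)\Mesh Agent\MeshAgent.exe, launching the 32-bit wmic.exe from SysWOW64 in bursts of three queries (SystemEnclosure ChassisTypes, os oslanguage, ComputerSystem PCSystemType) to fingerprint the host; the sandbox tags the language query as System Language Discovery. Two things in those command lines are usable for detection: the parent path under \Mesh Agent\, and a /FORMAT: switch that names the csv stylesheet by absolute path under wbem\en-US instead of by keyword, which interactive administrative use of WMIC rarely does. The following is an added detection example written for this page, not code from the report or from the MeshAgent project; the event field names (pid, ppid, image, parent_image, cmdline) and the parent of MeshAgent.exe are assumptions, and the sample events are constructed from the command lines in the tree.

```python
import re
from collections import defaultdict

# Added detection example for the process tree above; not part of the report or
# of MeshAgent itself. Field names follow a Sysmon Event ID 1 style and are an
# assumption: map them to your own telemetry schema.
WMIC_IMAGE = re.compile(r"\\wbem\\wmic\.exe$", re.IGNORECASE)
# Parent is MeshAgent: the installed service binary or a dropped meshagent*.exe.
MESH_PARENT = re.compile(r"\\Mesh Agent\\|\\meshagent[^\\]*\.exe$", re.IGNORECASE)
# /FORMAT: handed an absolute stylesheet path instead of a keyword such as LIST.
FORMAT_PATH = re.compile(r'/FORMAT:"?[a-z]:\\', re.IGNORECASE)
# The three host-fingerprinting queries seen in the tree.
FINGERPRINT_QUERIES = {
    "chassis": re.compile(r"\bSystemEnclosure\b.*\bChassisTypes\b", re.IGNORECASE),
    "oslanguage": re.compile(r"\bos\b.*\boslanguage\b", re.IGNORECASE),
    "pcsystemtype": re.compile(r"\bComputerSystem\b.*\bPCSystemType\b", re.IGNORECASE),
}

# Constructed events: paths and command lines copied from the tree, PIDs from it
# where the tree shows them; the parent of MeshAgent.exe itself is illustrative.
SAMPLE_EVENTS = [
    {"pid": 3684, "ppid": 700,
     "image": r"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "cmdline": r'"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"'},
    {"pid": 3532, "ppid": 3684,
     "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "parent_image": r"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe",
     "cmdline": "wmic SystemEnclosure get ChassisTypes"},
    {"pid": 3908, "ppid": 3684,
     "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "parent_image": r"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe",
     "cmdline": "wmic os get oslanguage /FORMAT:LIST"},
    {"pid": 3860, "ppid": 3684,
     "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "parent_image": r"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe",
     "cmdline": r'wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"'},
    # Benign control: an administrator running one query from a console.
    {"pid": 5000, "ppid": 4000,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "wmic os get oslanguage /FORMAT:LIST"},
]


def classify(event):
    """Reasons a single process-creation event looks like MeshAgent-driven WMIC use."""
    reasons = []
    if not WMIC_IMAGE.search(event["image"]):
        return reasons
    if MESH_PARENT.search(event["parent_image"]):
        reasons.append("wmic spawned by MeshAgent")
    if FORMAT_PATH.search(event["cmdline"]):
        reasons.append("wmic /FORMAT given an absolute stylesheet path")
    return reasons


def fingerprint_query(cmdline):
    """Name of the fingerprinting query a wmic command line runs, or None."""
    for name, pattern in FINGERPRINT_QUERIES.items():
        if pattern.search(cmdline):
            return name
    return None


def fingerprint_bursts(events, threshold=2):
    """Parent PIDs that ran at least `threshold` distinct fingerprinting queries;
    this keys on what the children asked WMI, so a renamed parent still trips it."""
    seen = defaultdict(set)
    for event in events:
        if WMIC_IMAGE.search(event["image"]):
            query = fingerprint_query(event["cmdline"])
            if query:
                seen[event["ppid"]].add(query)
    return {ppid: sorted(qs) for ppid, qs in seen.items() if len(qs) >= threshold}


def triage(events):
    """(pid, reasons) for every event that trips at least one rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
    print("fingerprint bursts:", fingerprint_bursts(SAMPLE_EVENTS))
```

A hit on either rule is a lead, not a verdict: MeshAgent is also what a legitimately run MeshCentral server deploys, so follow up by reading the agent's .msh settings file and checking which server it enrolls with against the list of servers you sanction. The burst rule is the one to keep if an operator renames the binary or moves it out of Program Files, since it never looks at the parent image.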

                                                    Network

                                                    MITRE ATT&CK Enterprise v15

                                                    Downloads

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.db
                                                       Filesize: 153KB
                                                       MD5: e98d708162031e585813371882de48ca
                                                       SHA1: a272ed281d599b1222ecb6236284a4060e81e9e9
                                                       SHA256: 7227282da12ebc445645663163403d00bb8e924d59ac390482c54572c46527f7
                                                       SHA512: 40c1e3170090756deed5ab1583ad954fb88a4946d913a127ecb0456e9e62945ddb7c8166aa1d5d30993a5f92ea8b8173160bf710ba7fc0bee0f7b87dfa28d0ab

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.db
                                                       Filesize: 271KB
                                                       MD5: e710a8d4efefa751157d659e0989231c
                                                       SHA1: f88f7e3aed1ba298ecd84ed5efc86a6d5758a0df
                                                       SHA256: b52977cb8fd38bf18df2f4535f31e1becd793ad81217a0deca8facc83e054239
                                                       SHA512: e2282d94c35e799da1b370b47adc0488084f3e39da53f2765003d1435f2da6af428b6b75e9c439c077ea574f939c0e0add0f8d046d87d573764e22117880f133

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.db
                                                       Filesize: 388KB
                                                       MD5: ba41ef87bd331f638cf29778e45e1ced
                                                       SHA1: f66c4d0d5d7903e47175293c0786962123116440
                                                       SHA256: 9651a0258274764913512effb7fe45f60aecf26f7734b1bea204466fc303d4f6
                                                       SHA512: 9f2cdeb1cbc1c67a4d7a81edd9ceea140a0b01c760ed75d8f7764a190e31e2ff1480f72e0e6cff349ef8f38ae8535095d702f54507a347e17c9ebb78083eb9d6

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 1KB
                                                       MD5: 4a01e92354e25f1f6b9293cee4579900
                                                       SHA1: d0528ccf1a1bb8e1e01d93c91185378123c9dc01
                                                       SHA256: 2cb3117b86cb9d798b9a36456d37b285a18e241e91ccfc19fca09d463871d78d
                                                       SHA512: 751dcf077f523918a1b256ff207613fc6419908a11c9aaccf77852700ac405999dec214260710b2a574ec779c22d03981e5b6e1db5aa64729145863c4b5fac6d

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 1KB
                                                       MD5: d0bef5462ebe2ad5031b5638a728b17a
                                                       SHA1: 9661d392d5a81d08a03d9c130f9e16d719885775
                                                       SHA256: 724119b52a5eb9e06938458ebd2c2cb8a70b4d69de55d3bb2cf741785a023985
                                                       SHA512: 8f9380a67b647f5016db70a526070cb94c6bbf1798e1998d910123654086fdbd38fa90c9686c8440ff181da9ec860b4601725633f96b4f216402a3f1b9f950c3

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 1KB
                                                       MD5: 568b1de90de3640b2221bdf77c573c0f
                                                       SHA1: 7d02ff9f3984b73e0cdebdab928a2ebc2699c4b3
                                                       SHA256: c6fd5753486d045eb2450c6eac1a55320736f0d88f1e55ce87db20c582ea2ba1
                                                       SHA512: 5218f53a5ef7992dbbd2427dfc8be679b98e63e15b74840a5cfbae9462b6a2c244751f7d6b763f27b6ee625883543c370c6cfca29ccfedee99047696cfb6de2b

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 1KB
                                                       MD5: ca03d2700e18a6fcdeef2390e9e8fb67
                                                       SHA1: ff99779187756b9050c953da022876958b5cc127
                                                       SHA256: 887470e5dc078541e566eb8a2292062139cdd2e37bc5b371ca1928b3c4c64144
                                                       SHA512: 63be65ed6d990a0ccb606e6fdec58f97d8759fea9ffd03d21010a2c73d36e7af694dbfc219d8e2b93795a0f568a6f9ed1e2f8aa2c489d44ba22d46aac76705e3

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 1KB
                                                       MD5: 4de67657f3b63b999b0e88b619478346
                                                       SHA1: feb2fb98084841bf0984f59200e7de4838161c3e
                                                       SHA256: e913ddbc0a294b5b33259a928920e26fdbf023af3c30548aea4742b9a4ec81ca
                                                       SHA512: f09d2c5232ee4a152c49b93234dfc2a9d3214c041bf8f6bc4856c1195c2c3ea48adc618ace439e7e8f93b0e101c484462ba5ac4b4cd0018beb83c799176a0a33

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 1KB
                                                       MD5: 61f8b811decf34cd4fc14b322e38eed6
                                                       SHA1: 2746adf473be40c44724a4617aa0f4d37320813f
                                                       SHA256: c5fbaa3643074716ee02d5586a3d1e94e1bc171bd584eb43329738726306a4e7
                                                       SHA512: 721761dce28144a646ec7f6c37652b4fd5bf9c936c6f98460f9a9b6f2a44c066493ef227931d05f3e414b4de2093ff6f2a6bd47f046d2830a6e8b8d5ab79e376

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 2KB
                                                       MD5: 962c33329586342f2a0241a656ba20fb
                                                       SHA1: 71b5e79376fe49d629d3a634593ef19194531cfc
                                                       SHA256: ea4745fc9f6241dab45353f9f167e438215f473c6753e8eb8dba2596165a03e5
                                                       SHA512: 35eb9745eddfe5fa736f002f6239c4be02f778857f56b17a3fecb53f3437f9bba62a08ab73d73a4ac13596c09ba1461ce78a7df8d07b4b20f27d0b6d0605c27a

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 2KB
                                                       MD5: ab305bc744b5025e4d96f3d6f3f6961f
                                                       SHA1: fb0470f1eb9e26c1cd99cbb691023d943a411629
                                                       SHA256: d83dc03477a77a43da71f8566ca43f46d56a5c9b27cea94335ae420d2dda8a7a
                                                       SHA512: 61657d2ca6dbe01c5c488c5f974d2405f3f5b4f09c4a4faaf06ff3e6444953be4fcb65a0927ae5b4c4b2896fb5336a5e4fd8ae2ef4bbd4f27375ae3476028e70

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 334B
                                                       MD5: ba2d749be2f69325ef17d530d4910b66
                                                       SHA1: 2e6b2dd8ca1874b490c19b9750512ce6bbfe6f2b
                                                       SHA256: 87f374bced529b32fcc364d2f0389a4109335237f236d6973c7a9fc78f00fcc9
                                                       SHA512: b1708fc9815dc615b3d7c0e6c6d5e2c55de24580c137dba3e0780623370460db2b09125e27d50069bb11a8ab7c4c670da939c1845f254a43adceb69b8b015688

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 501B
                                                       MD5: 51b44c731b8d291aeea3881b5ecb07f1
                                                       SHA1: a76edabbe19b860f86e46ce4c64cb89fe26414e3
                                                       SHA256: da3962d96a4ce722e9f4c81b4336dc9ac9d10cc3d8bc682df8026bc5abb2d9ef
                                                       SHA512: 1be6490c138407e4064d2c33c64abf9d609531f92f511ada7a123bffd1ccbd1242e597ebbeff27fb96d6830188748483c6ce369686c9572ee7c9a4394e44c08e

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 668B
                                                       MD5: 4ad7ffb7b2d2990d7693f559560e54e6
                                                       SHA1: e9babb9dc28cea56bcdb6190732e0b23d527e5db
                                                       SHA256: 19b6a79d2b36db7c546079e59371f4e3b2891518989d584529f4fab7d21e0f31
                                                       SHA512: 2d5a7ae6d54d0345919812618a882d21542e4ab823133108d82b03559b5b5686f15685ed77c932f2a355b132b0241c7e72b724b1c67058d1bde8f1693a7dc84e

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 835B
                                                       MD5: 44acfed07fe4ce4322212977c4c0a7ed
                                                       SHA1: da0a31c5e675eb2ebd7ee423111313a4fd8eced2
                                                       SHA256: 4ab0add3deff3b5d6df1dad067f0813f44c0190a61d99492798739ce590f3cd4
                                                       SHA512: 009a7d40aeb67a50040f82603b34ba7cd3244a34154d78b5c4079f482eab0c435bfb380721ee088f1c1713867c02116ea847bc073cb850eaf5fcde2520a4d6e3

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.log
                                                       Filesize: 1002B
                                                       MD5: 319472f5bde9b885fd3d97bffe7db589
                                                       SHA1: 4cdcfcce33b08372779a3c8064b0a0ead144cda6
                                                       SHA256: 1237a27324e6208f7cfc9ba335fc184db1a2d169bc7ef308dcbe0b5ae6151ab4
                                                       SHA512: f53f687c1635ecfcc24c5a88f90bcf92bdc23b94193150600b90095594a1d929de2635b02829e1e6be7ad40a42ece92ad4974e483f6c1fcf63541c66a6777850

                                                     • C:\Program Files (x86)\Mesh Agent\MeshAgent.msh
                                                       Filesize: 31KB
                                                       MD5: 90c4989cf99b9f357020a7e07a977eea
                                                       SHA1: 7e0d44a99412713401a00502fe85c2877064daa4
                                                       SHA256: 4f1fdf000e1d59f66dc3c37d3de736145a2ee07bb486894b131406bc01272902
                                                       SHA512: b627eff21c9506704208e343d7e80a26f64057fa8b00265b74eb0a8f33ab1f082fd43a54bf35b25f40b63aaf44c1f8ca7c0b319028565fdf558cf72f52de241d

                                                     • C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
                                                       Filesize: 3.7MB
                                                       MD5: e8bd5c14b8301039e7538298d26cf09b
                                                       SHA1: 4702252fef2156b59ad61f1f397b205323b339c4
                                                       SHA256: f32426d0fc71a3a054f0fe263133aabeb25c9d7d129238cfcfc0c1a40854c67e
                                                       SHA512: 7108e6379e9e2698dbac52549b5fc81d7b3c5bb02d4d3574b7be9e8ab9f6f473513e651c1ce0809d74273f02e837c36032666f739c05b71fa732899360b77cee

                                                     • C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\544800BE89111FF70004D652A3D4EB73B24BF24F
                                                       Filesize: 1KB
                                                       MD5: a2a90b49408615864bef9736cad0c6a5
                                                       SHA1: 4bd89ac7290c671fbba5f509ae4b69aaf66e2312
                                                       SHA256: 725cf091d12387ead2556e79b95f8ba813bfe078237f4ff645fc4cb5f2f30bce
                                                       SHA512: e31ceec64a6ca92f33aa37887193399563538adcf137b72eac9aef251a3690b7e52703d4c9c39e8ac6ad32bf999ee03439eee999e4f124a4b73520a0be85bb44
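The list above is a flattened table: each dropped file is a bullet followed by label/value pairs, and the same path recurs because the agent rewrites MeshAgent.db and MeshAgent.log repeatedly during the run, so a hunt list built from it has to key on hashes rather than on paths. The following parser is an added example written for this page, not part of the report or of the MeshAgent project; its sample input is three entries copied from the list (hashes verbatim), with the third rewritten as Label: value on one line so the parser is exercised on both the one-item-per-line layout and the compact one. The byte counts it derives are approximate because the report rounds sizes.

```python
import re

# Added example for the dropped-file list above: a parser for that label/value
# layout, a size normaliser and a hash-deduplicated IOC list. Not part of the
# report or of MeshAgent. Accepts the report's one-item-per-line layout and a
# compact "Label: value" layout.
LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_WIDTH = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Sample input: three entries copied from the report (hashes verbatim), the
# third rewritten in the compact layout so both code paths are exercised.
SAMPLE_REPORT = r"""
• C:\Program Files (x86)\Mesh Agent\MeshAgent.db
  Filesize
  153KB
  MD5
  e98d708162031e585813371882de48ca
  SHA1
  a272ed281d599b1222ecb6236284a4060e81e9e9
  SHA256
  7227282da12ebc445645663163403d00bb8e924d59ac390482c54572c46527f7
  SHA512
  40c1e3170090756deed5ab1583ad954fb88a4946d913a127ecb0456e9e62945ddb7c8166aa1d5d30993a5f92ea8b8173160bf710ba7fc0bee0f7b87dfa28d0ab

• C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
  Filesize
  3.7MB
  MD5
  e8bd5c14b8301039e7538298d26cf09b
  SHA1
  4702252fef2156b59ad61f1f397b205323b339c4
  SHA256
  f32426d0fc71a3a054f0fe263133aabeb25c9d7d129238cfcfc0c1a40854c67e
  SHA512
  7108e6379e9e2698dbac52549b5fc81d7b3c5bb02d4d3574b7be9e8ab9f6f473513e651c1ce0809d74273f02e837c36032666f739c05b71fa732899360b77cee

• C:\Program Files (x86)\Mesh Agent\MeshAgent.db
  Filesize: 271KB
  MD5: e710a8d4efefa751157d659e0989231c
  SHA1: f88f7e3aed1ba298ecd84ed5efc86a6d5758a0df
  SHA256: b52977cb8fd38bf18df2f4535f31e1becd793ad81217a0deca8facc83e054239
  SHA512: e2282d94c35e799da1b370b47adc0488084f3e39da53f2765003d1435f2da6af428b6b75e9c439c077ea574f939c0e0add0f8d046d87d573764e22117880f133
"""


def parse_size(text):
    """'153KB' -> 156672, '3.7MB' -> 3879731. The report rounds sizes, so treat
    the result as approximate and match on hashes, not on byte counts."""
    match = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)\s*(B|KB|MB|GB)", text.strip(), re.IGNORECASE)
    if not match:
        raise ValueError(f"unparseable size: {text!r}")
    return int(float(match.group(1)) * UNITS[match.group(2).upper()])


def validate(record):
    """Reject a record whose hashes are missing or not hex of the expected width."""
    for name, width in HEX_WIDTH.items():
        if not re.fullmatch(r"[0-9a-f]{%d}" % width, record.get(name, "").lower()):
            raise ValueError(f"{record['path']}: bad or missing {name}")
    record["bytes"] = parse_size(record.get("Filesize", ""))
    return record


def parse_dropped_files(text):
    """One dict per bullet. A label's value is either after a colon on the same
    line or on the next non-blank line; blank lines are ignored."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
            continue
        if current is None:
            continue
        label, sep, value = line.partition(":")
        if label in LABELS and sep and value.strip():
            current[label] = value.strip()
        elif line in LABELS:
            pending = line
        elif pending:
            current[pending] = line
            pending = None
    return [validate(record) for record in records]


def paths_by_count(records):
    """How many times each path was written; the agent rewrites .db and .log."""
    counts = {}
    for record in records:
        counts[record["path"]] = counts.get(record["path"], 0) + 1
    return counts


def to_ioc_rows(records):
    """One hunt row per distinct SHA256: the same path carries different content
    over the run, so dedupe on hash rather than on path."""
    rows, seen = [], set()
    for record in records:
        digest = record["SHA256"].lower()
        if digest not in seen:
            seen.add(digest)
            rows.append({"sha256": digest, "md5": record["MD5"].lower(),
                         "path": record["path"], "bytes": record["bytes"]})
    return rows
```

Fed the whole list, three rows deserve priority in a hunt over the hash-keyed output: the staged installer under AppData\Roaming\MSIX, the MeshAgent.msh settings file in the install directory, and the certificate written under the systemprofile path, which is the SYSTEM account's personal certificate store rather than a user's, so the agent was installing its certificate while running as SYSTEM.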