Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-09-2024 16:01
Behavioral tasks
- behavioral1: sample file.exe, resource win7-20240903-en
- behavioral2: sample file.exe, resource win10v2004-20240802-en
- behavioral3: sample meshagent32-group.exe, resource win7-20240708-en
- behavioral4: sample meshagent32-group.exe, resource win10v2004-20240802-en
General
- Target: file.exe
- Size: 1.8MB
- MD5: 749bd6bf56a6d0ad6a8a4e5712377555
- SHA1: 6e4ff640a527ed497505c402d1e7bdb26f3dd472
- SHA256: e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3
- SHA512: 250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d
- SSDEEP: 49152:UkQletNpj4NmwF1tBE6BAfTm9k9MJsuAfChboFtcZo:UFletXjoD1tBEc90XCo6Zo
Malware Config
Extracted
- Family: meshagent
- 2
- group
- http://94.131.119.184:443/agent.ashx
- mesh_id: 0x1BB80B7BD3F37219BF6F79BEE0A08A00B90168972309CA4BFD812814A9F980439E71B51CC08CC59D904B5AED18647DD0
- server_id: B13800B3094163CC81EA68335E6D9A9B98350B3D697F92D49A06C6ADC9519150B766816EBC90ED105D4749F3F47F60B6
- wss: wss://94.131.119.184:443/agent.ashx
Signatures
- Detects MeshAgent payload (1 IoC)
  resource: C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
  yara_rule: family_meshagent
- Sets service image path in registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" "
  process: meshagent32-group.exe
- Executes dropped EXE (16 IoCs)
  pid / process:
  3924 meshagent32-group.exe
  3612 MeshAgent.exe
  4384 MeshAgent.exe
  1312 MeshAgent.exe
  2060 MeshAgent.exe
  3900 MeshAgent.exe
  3516 MeshAgent.exe
  5004 MeshAgent.exe
  1368 MeshAgent.exe
  3408 MeshAgent.exe
  3936 MeshAgent.exe
  2936 MeshAgent.exe
  4208 MeshAgent.exe
  4972 MeshAgent.exe
  1060 MeshAgent.exe
  3684 MeshAgent.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (64 IoCs)
  All 64 entries have description "File opened for modification" and process MeshAgent.exe; the ioc column is:
  C:\Windows\SysWOW64\exe\MeshService.pdb
  C:\Windows\SysWOW64\wgdi32.pdb
  C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb
  C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb
  C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb
  C:\Windows\SysWOW64\symbols\dll\crypt32.pdb
  C:\Windows\SysWOW64\symbols\dll\ole32.pdb
  C:\Windows\SysWOW64\dll\wgdi32.pdb
  C:\Windows\SysWOW64\wkernelbase.pdb
  C:\Windows\SysWOW64\symbols\exe\MeshService.pdb
  C:\Windows\SysWOW64\ucrtbase.pdb
  C:\Windows\SysWOW64\ws2_32.pdb
  C:\Windows\SysWOW64\dll\ws2_32.pdb
  C:\Windows\SysWOW64\dll\crypt32.pdb
  C:\Windows\SysWOW64\dll\wwin32u.pdb
  C:\Windows\SysWOW64\dll\ws2_32.pdb
  C:\Windows\SysWOW64\dll\ntasn1.pdb
  C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb
  C:\Windows\SysWOW64\wuser32.pdb
  C:\Windows\SysWOW64\dll\ucrtbase.pdb
  C:\Windows\SysWOW64\dll\wgdi32.pdb
  C:\Windows\SysWOW64\symbols\dll\combase.pdb
  C:\Windows\SysWOW64\advapi32.pdb
  C:\Windows\SysWOW64\dll\shcore.pdb
  C:\Windows\SysWOW64\dll\ucrtbase.pdb
  C:\Windows\SysWOW64\dll\wrpcrt4.pdb
  C:\Windows\SysWOW64\shcore.pdb
  C:\Windows\SysWOW64\wntdll.pdb
  C:\Windows\SysWOW64\bcryptprimitives.pdb
  C:\Windows\SysWOW64\gdiplus.pdb
  C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb
  C:\Windows\SysWOW64\crypt32.pdb
  C:\Windows\SysWOW64\dll\advapi32.pdb
  C:\Windows\SysWOW64\symbols\exe\MeshService.pdb
  C:\Windows\SysWOW64\wntdll.pdb
  C:\Windows\SysWOW64\dll\shell32.pdb
  C:\Windows\SysWOW64\crypt32.pdb
  C:\Windows\SysWOW64\symbols\dll\wkernelbase.pdb
  C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb
  C:\Windows\SysWOW64\dll\ntasn1.pdb
  C:\Windows\SysWOW64\symbols\dll\advapi32.pdb
  C:\Windows\SysWOW64\wwin32u.pdb
  C:\Windows\SysWOW64\gdiplus.pdb
  C:\Windows\SysWOW64\dll\comctl32.pdb
  C:\Windows\SysWOW64\dll\oleaut32.pdb
  C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb
  C:\Windows\SysWOW64\dll\ws2_32.pdb
  C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb
  C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb
  C:\Windows\SysWOW64\wgdi32full.pdb
  C:\Windows\SysWOW64\dbghelp.pdb
  C:\Windows\SysWOW64\dll\crypt32.pdb
  C:\Windows\SysWOW64\symbols\dll\ole32.pdb
  C:\Windows\SysWOW64\sechost.pdb
  C:\Windows\SysWOW64\symbols\dll\ws2_32.pdb
  C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb
  C:\Windows\SysWOW64\wwin32u.pdb
  C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb
  C:\Windows\SysWOW64\bcrypt.pdb
  C:\Windows\SysWOW64\gdiplus.pdb
  C:\Windows\SysWOW64\symbols\dll\wgdi32.pdb
  C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb
  C:\Windows\SysWOW64\dbghelp.pdb
  C:\Windows\SysWOW64\wkernel32.pdb
- Drops file in Program Files directory (34 IoCs)
  description / ioc / process:
  File created C:\Program Files (x86)\Mesh Agent\MeshAgent.exe meshagent32-group.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File created C:\Program Files (x86)\Mesh Agent\MeshAgent.msh MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
  File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log MeshAgent.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  All 64 entries have description "Key opened" and ioc \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; the process column is wmic.exe for 53 entries, MeshAgent.exe for 10 entries and meshagent32-group.exe for 1 entry.
- Modifies data under HKEY_USERS (16 IoCs)
  description / ioc / process:
  Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry MeshAgent.exe (15 entries)
  Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716672764514498" MeshAgent.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description / pid / process (all entries are wmic.exe):
  PID 2784: Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege; the same twelve tokens are listed a second time (24 entries)
  PID 2312: the same twelve tokens, each listed twice (24 entries)
  PID 1992: the same twelve tokens once, then SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege a second time (16 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / process / target process:
  PID 3308 (file.exe) wrote to memory of 3924 (meshagent32-group.exe): 3 entries
  PID 3612 (MeshAgent.exe) wrote to memory of wmic.exe PIDs 2784, 2312, 1992, 2072, 1040, 808: 3 entries each
  PID 4384 (MeshAgent.exe) wrote to memory of wmic.exe PIDs 1012, 3872, 4816, 4012, 2188: 3 entries each
  PID 1312 (MeshAgent.exe) wrote to memory of wmic.exe PIDs 3264, 3408, 4072, 2540, 772: 3 entries each
  PID 2060 (MeshAgent.exe) wrote to memory of wmic.exe PIDs 3636, 4424, 1544, 1776: 3 entries each, and of 4644: 1 entry
Processes
[1] C:\Users\Admin\AppData\Local\Temp\file.exe (PID 3308)
    command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe (PID 3924)
        command line: "C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
        - Sets service image path in registry
        - Executes dropped EXE
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery

[1] C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (PID 3612)
    command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 2784)
        command line: wmic SystemEnclosure get ChassisTypes
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 2312)
        command line: wmic os get oslanguage /FORMAT:LIST
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 1992)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 2072)
        command line: wmic os get oslanguage /FORMAT:LIST
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 1040)
        command line: wmic SystemEnclosure get ChassisTypes
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 808)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        - System Location Discovery: System Language Discovery

[1] C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (PID 4384)
    command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 1012)
        command line: wmic SystemEnclosure get ChassisTypes
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 3872)
        command line: wmic os get oslanguage /FORMAT:LIST
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 4816)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 4012)
        command line: wmic SystemEnclosure get ChassisTypes
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 2188)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

[1] C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (PID 1312)
    command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 3264)
        command line: wmic SystemEnclosure get ChassisTypes
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 3408)
        command line: wmic os get oslanguage /FORMAT:LIST
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 4072)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 2540)
        command line: wmic SystemEnclosure get ChassisTypes
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 772)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

[1] C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (PID 2060)
    command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 3636)
        command line: wmic SystemEnclosure get ChassisTypes
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 4424)
        command line: wmic os get oslanguage /FORMAT:LIST
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 1544)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 1776)
        command line: wmic SystemEnclosure get ChassisTypes
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 4644)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        - System Location Discovery: System Language Discovery

[1] C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (PID 3900)
    command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 4620)
        command line: wmic SystemEnclosure get ChassisTypes
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 3404)
        command line: wmic os get oslanguage /FORMAT:LIST
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 4332)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 1216)
        command line: wmic SystemEnclosure get ChassisTypes
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 3584)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

[1] C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (PID 3516)
    command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 3432)
        command line: wmic SystemEnclosure get ChassisTypes
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 3260)
        command line: wmic os get oslanguage /FORMAT:LIST
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 4040)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 1620)
        command line: wmic os get oslanguage /FORMAT:LIST
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 1876)
        command line: wmic SystemEnclosure get ChassisTypes
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 1200)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        - System Location Discovery: System Language Discovery

[1] C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (PID 5004)
    command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 4288)
        command line: wmic SystemEnclosure get ChassisTypes
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 808)
        command line: wmic os get oslanguage /FORMAT:LIST
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 3176)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 1084)
        command line: wmic os get oslanguage /FORMAT:LIST
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 3824)
        command line: wmic SystemEnclosure get ChassisTypes
        - System Location Discovery: System Language Discovery
    [2] C:\Windows\SysWOW64\wbem\wmic.exe (PID 4008)
        command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
        - System Location Discovery: System Language Discovery

[1] C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
    command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
    - Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1368 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:2220
-
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:4776
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:1192 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:2432
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:1088
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3408 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:3628 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:4856 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:1312
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:4476
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3936 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:640 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:2252
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2936 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:4716 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:3848 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:4460 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:3488 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:3988
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4208 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:2968
-
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:4484
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4972 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:452
-
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:4892 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:4940
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1060 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:1864
-
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵PID:4976
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:5012 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵PID:3128
-
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:2520
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3684 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:3908 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:3860 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:4668 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:5052 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:3744
Downloads