Malware Analysis Report

2024-10-23 20:16

Sample ID 240924-tf86casbjn
Target file.exe
SHA256 e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3
Tags
discovery group meshagent backdoor persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

discovery group meshagent backdoor persistence rat trojan

Detects MeshAgent payload

MeshAgent

Meshagent family

Sets service image path in registry

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-24 16:01

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

Meshagent family

meshagent

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-24 16:01

Reported

2024-09-24 16:03

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe

"C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-24 16:01

Reported

2024-09-24 16:03

Platform

win10v2004-20240802-en

Max time kernel

96s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe

"C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 101.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-24 16:01

Reported

2024-09-24 16:03

Platform

win7-20240903-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

MeshAgent

rat trojan backdoor meshagent

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" " C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.msh C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2288 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
PID 1064 wrote to memory of 2576 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1064 wrote to memory of 2744 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1064 wrote to memory of 3020 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1064 wrote to memory of 2648 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1064 wrote to memory of 2556 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1064 wrote to memory of 2656 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2244 wrote to memory of 1992 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2244 wrote to memory of 1972 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2244 wrote to memory of 1924 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2244 wrote to memory of 2704 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2244 wrote to memory of 2932 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1444 wrote to memory of 608 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1444 wrote to memory of 1372 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1444 wrote to memory of 2160 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1444 wrote to memory of 344 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe

"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

Network

Country Destination Domain Proto
RO 94.131.119.184:443 tcp

Files

\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe

C:\Program Files (x86)\Mesh Agent\MeshAgent.msh

C:\Program Files (x86)\Mesh Agent\MeshAgent.db

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-24 16:01

Reported

2024-09-24 16:03

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

MeshAgent

rat trojan backdoor meshagent

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" " C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\exe\MeshService.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wgdi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\crypt32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ole32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wgdi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernelbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\exe\MeshService.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ucrtbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ws2_32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ws2_32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\crypt32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wwin32u.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ntasn1.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wuser32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ucrtbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\combase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\advapi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\shcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wrpcrt4.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\shcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wntdll.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\bcryptprimitives.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\gdiplus.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\crypt32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\advapi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\shell32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wkernelbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\advapi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wwin32u.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\comctl32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\oleaut32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wgdi32full.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dbghelp.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\sechost.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ws2_32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\bcrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wgdi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernel32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.msh C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133716672764514498" C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3308 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
PID 3612 wrote to memory of 2784 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 3612 wrote to memory of 2312 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 3612 wrote to memory of 1992 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 3612 wrote to memory of 2072 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 3612 wrote to memory of 1040 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 3612 wrote to memory of 808 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4384 wrote to memory of 1012 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4384 wrote to memory of 3872 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4384 wrote to memory of 4816 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4384 wrote to memory of 4012 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4384 wrote to memory of 2188 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1312 wrote to memory of 3264 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1312 wrote to memory of 3408 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1312 wrote to memory of 4072 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1312 wrote to memory of 2540 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1312 wrote to memory of 772 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2060 wrote to memory of 3636 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2060 wrote to memory of 4424 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2060 wrote to memory of 1544 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2060 wrote to memory of 1776 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2060 wrote to memory of 4644 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe

"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
RO 94.131.119.184:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 184.119.131.94.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe

C:\Program Files (x86)\Mesh Agent\MeshAgent.db

C:\Program Files (x86)\Mesh Agent\MeshAgent.msh

C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\544800BE89111FF70004D652A3D4EB73B24BF24F

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.db

C:\Program Files (x86)\Mesh Agent\MeshAgent.db

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

C:\Program Files (x86)\Mesh Agent\MeshAgent.log
