Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
25-09-2024 02:43
Behavioral task
behavioral1
Sample
e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
meshagent32-group.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
meshagent32-group.exe
Resource
win10v2004-20240802-en
General
-
Target
e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe
-
Size
1.8MB
-
MD5
749bd6bf56a6d0ad6a8a4e5712377555
-
SHA1
6e4ff640a527ed497505c402d1e7bdb26f3dd472
-
SHA256
e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3
-
SHA512
250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d
-
SSDEEP
49152:UkQletNpj4NmwF1tBE6BAfTm9k9MJsuAfChboFtcZo:UFletXjoD1tBEc90XCo6Zo
Malware Config
Extracted
meshagent
2
group
http://94.131.119.184:443/agent.ashx
-
mesh_id
0x1BB80B7BD3F37219BF6F79BEE0A08A00B90168972309CA4BFD812814A9F980439E71B51CC08CC59D904B5AED18647DD0
-
server_id
B13800B3094163CC81EA68335E6D9A9B98350B3D697F92D49A06C6ADC9519150B766816EBC90ED105D4749F3F47F60B6
-
wss
wss://94.131.119.184:443/agent.ashx
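The extracted configuration above is what separates this sample from a benign MeshCentral deployment. MeshAgent is open-source remote-management software, and the YARA tag and the dropped MeshAgent.exe would look identical for a sanctioned install; what is attacker-specific is the server the agent is bound to (a bare IP with no DNS name) together with the mesh and server identifiers. The following Python is an added example, not code from the sandbox or from the MeshCentral project. It parses a configuration in the key=value layout of the MeshAgent.msh file that the report shows being created in C:\Program Files (x86)\Mesh Agent, normalises it into IOCs, and applies the checks a triage analyst would run before deciding whether the agent is sanctioned. The sample text is constructed from the values above; reading the report's "2" and "group" fields as MeshType and MeshName (the same name appears in the dropped installer, meshagent32-group.exe) and the allow-list entry mesh.corp.example are assumptions.

```python
"""Normalise an extracted MeshAgent configuration into IOCs and flag what
makes this deployment suspicious.

Added example, not part of the sandbox report or of MeshCentral. The .msh
text is constructed from the values the report extracted; mapping the
report's "2"/"group" fields onto MeshType/MeshName and the allow-list of
sanctioned servers are assumptions."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in the key=value layout MeshAgent reads from the
# MeshAgent.msh file the report shows being created in Program Files (x86).
SAMPLE_MSH = """\
MeshName=group
MeshType=2
MeshID=0x1BB80B7BD3F37219BF6F79BEE0A08A00B90168972309CA4BFD812814A9F980439E71B51CC08CC59D904B5AED18647DD0
ServerID=B13800B3094163CC81EA68335E6D9A9B98350B3D697F92D49A06C6ADC9519150B766816EBC90ED105D4749F3F47F60B6
MeshServer=wss://94.131.119.184:443/agent.ashx
"""

# Hypothetical allow-list: the MeshCentral servers your organisation operates.
KNOWN_MESH_SERVERS = frozenset({"mesh.corp.example"})

# MeshID and ServerID are 48-byte values, i.e. 96 hex digits.
_HEX96 = re.compile(r"^[0-9A-F]{96}$")


def parse_msh(text: str) -> dict:
    """Parse key=value lines; blank and comment lines are skipped and a
    repeated key overwrites the earlier value."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def extract_iocs(cfg: dict) -> dict:
    """Return the network endpoint and identity values in a normalised form."""
    url = urlparse(cfg.get("MeshServer", ""))
    mesh_id = cfg.get("MeshID", "")
    if mesh_id[:2].lower() == "0x":          # the .msh carries MeshID with a 0x prefix
        mesh_id = mesh_id[2:]
    return {
        "scheme": url.scheme,
        "host": url.hostname or "",
        "port": url.port or (443 if url.scheme == "wss" else 80),
        "path": url.path,
        "mesh_id": mesh_id.upper(),
        "server_id": cfg.get("ServerID", "").upper(),
        "group": cfg.get("MeshName", ""),
    }


def assess(iocs: dict, known_servers=KNOWN_MESH_SERVERS) -> list:
    """Findings that separate an attacker-deployed agent from a sanctioned one.
    The agent binary is legitimate software; the server it is bound to is what
    decides who controls the host."""
    findings = []
    host = iocs["host"]
    try:
        ipaddress.ip_address(host)
        findings.append("server is a bare IP address rather than a DNS name")
    except ValueError:
        pass
    if host not in known_servers:
        findings.append(f"server {host!r} is not an approved MeshCentral server")
    if iocs["scheme"] != "wss":
        findings.append("agent connection is not TLS (wss)")
    if iocs["path"] != "/agent.ashx":
        findings.append("unexpected agent endpoint path")
    for name in ("mesh_id", "server_id"):
        if not _HEX96.match(iocs[name]):
            findings.append(f"{name} is not a 96-hex-digit (48-byte) value")
    return findings


if __name__ == "__main__":
    iocs = extract_iocs(parse_msh(SAMPLE_MSH))
    for key, value in iocs.items():
        print(f"{key:10}{value}")
    for finding in assess(iocs):
        print("FINDING:", finding)
```

Run it as a script to print the IOCs and findings, or import parse_msh, extract_iocs and assess into a pipeline. An empty findings list means the server is on the allow-list and the identifiers are well-formed; that is the only outcome that justifies treating the agent as sanctioned, and the mesh_id and server_id are the values to pivot on when hunting for other hosts enrolled in the same attacker-controlled mesh.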
Signatures
-
Detects MeshAgent payload 1 IoCs
Processes:
resource: \Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
yara_rule: family_meshagent
-
Sets service image path in registry 2 TTPs 1 IoCs
Processes: meshagent32-group.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" " | meshagent32-group.exe
Registering a service under HKLM\SYSTEM and writing to Program Files (x86) both require administrative rights, so the installer ran elevated; the agent comes back as a service after reboot, independent of the user who launched the sample.
-
Executes dropped EXE 13 IoCs
Processes: meshagent32-group.exe, MeshAgent.exe (12 instances)
pid | process
2632 | meshagent32-group.exe
2780 | MeshAgent.exe
1948 | MeshAgent.exe
1724 | MeshAgent.exe
2668 | MeshAgent.exe
2708 | MeshAgent.exe
2052 | MeshAgent.exe
1000 | MeshAgent.exe
2980 | MeshAgent.exe
2072 | MeshAgent.exe
2260 | MeshAgent.exe
1904 | MeshAgent.exe
2772 | MeshAgent.exe
-
Loads dropped DLL 1 IoCs
Processes: e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe
pid | process
2856 | e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 28 IoCs
Processes: MeshAgent.exe (12 instances), meshagent32-group.exe
description | ioc | process (count)
File created | C:\Program Files (x86)\Mesh Agent\MeshAgent.exe | meshagent32-group.exe (1)
File created | C:\Program Files (x86)\Mesh Agent\MeshAgent.msh | MeshAgent.exe (1)
File created | C:\Program Files (x86)\Mesh Agent\MeshAgent.db | MeshAgent.exe (1)
File created | C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp | MeshAgent.exe (1)
File opened for modification | C:\Program Files (x86)\Mesh Agent\MeshAgent.db | MeshAgent.exe (12)
File opened for modification | C:\Program Files (x86)\Mesh Agent\MeshAgent.log | MeshAgent.exe (11)
File opened for modification | C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp | MeshAgent.exe (1)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: MeshAgent.exe (10 instances), wmic.exe (52 instances), meshagent32-group.exe, e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe
description | ioc | process (count)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wmic.exe (52)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MeshAgent.exe (10)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | meshagent32-group.exe (1)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe (1)
The report lists at most 64 entries. Reading NLS\Language is something almost any process that loads localised resources does; on its own it is a weak indicator and should carry little weight in a verdict.
-
Modifies data under HKEY_USERS 35 IoCs
Processes: wmic.exe (23 instances), MeshAgent.exe (12 instances)
description | ioc | process (count)
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wmic.exe (23)
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | MeshAgent.exe (12)
The LanguageList bytes decode as the UTF-16LE multi-string "en-US", "en". Both writes land under HKU\.DEFAULT, the hive HKCU resolves to for the LocalSystem account, which is consistent with MeshAgent.exe and its wmic.exe children running as a SYSTEM service; they are routine side effects of that context, not configuration changes made by the malware.
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: wmic.exe (PIDs 2648, 1908, 1084)
Each listed wmic.exe enables the same twelve privileges on its token, twice per process; the report caps the list at 64 entries, so PID 1084 appears 16 times instead of 24.
SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
pid | process | entries
2648 | wmic.exe | 24
1908 | wmic.exe | 24
1084 | wmic.exe | 16 (truncated)
This is wmic.exe's own start-up behaviour (it enables the privileges already present in its token before talking to WMI), not something MeshAgent asked for; the only thing it confirms is that the children inherited an elevated token, since privileges such as SeLoadDriverPrivilege and SeTakeOwnershipPrivilege are not present in a standard user token.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe (PID 2856), MeshAgent.exe (PIDs 2780, 1948, 1724)
Every entry is a parent writing into a child it has just created, and each parent/child pair is reported four times; that is the pattern of ordinary process creation (the parent populating the new process), not of injection into a foreign process. The 64-entry cap truncates the list.
parent pid | parent | child pids | child
2856 | e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe | 2632 | meshagent32-group.exe
2780 | MeshAgent.exe | 2648, 1908, 1084, 2096, 2904, 2772 | wmic.exe
1948 | MeshAgent.exe | 1448, 2176, 2172, 2144, 2156 | wmic.exe
1724 | MeshAgent.exe | 1688, 1972, 760, 696 | wmic.exe
PIDs are recycled within the run (2772 appears both as a MeshAgent.exe instance under "Executes dropped EXE" and as a wmic.exe child of 2780, and 2172 as a wmic.exe child of two different parents), so correlate on PID plus creation time, never on PID alone.
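The signatures above describe four different things, and a detection engineer should weigh them differently: the installer dropped into %AppData%\Roaming\MSIX and run with -fullinstall by an unrelated executable (staging); the Mesh Agent service registration with an ImagePath under Program Files (x86) (persistence as SYSTEM); the three wmic queries every MeshAgent.exe instance issues at start-up (a fingerprint of the agent, not of malice); and the language, privilege and HKEY_USERS noise that any elevated process produces. The YARA tag family_meshagent matches the legitimate agent, so none of this is a verdict by itself. The following Python is an added example, not code from the sandbox or from MeshCentral; it encodes the first three behaviours as rules over constructed Sysmon-style events built from the report's process tree and registry IOC. The user-writable-path policy, the two-of-three recon threshold and the event field names are assumptions.

```python
"""Triage rules for the behaviours in the report's signature list, run over
constructed Sysmon-style events.

Added example, not part of the sandbox report or of MeshCentral. The event
records are constructed from the report's process tree and registry IOC; the
"user-writable path" policy and the two-of-three recon threshold are
assumptions."""
import re
from collections import defaultdict

# Constructed events: one process-creation record per tree entry (Sysmon
# event 1 shape) and one registry value write (event 13 shape). ppid 0
# stands in for the sandbox launcher.
EVENTS = [
    {"type": "process", "pid": 2856, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe"'},
    {"type": "process", "pid": 2632, "ppid": 2856,
     "image": r"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall'},
    {"type": "registry", "pid": 2632,
     "image": r"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe",
     "key": r"HKLM\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath",
     "value": r'"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe" '},
    {"type": "process", "pid": 2780, "ppid": 0,
     "image": r"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe",
     "cmd": r'"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"'},
    {"type": "process", "pid": 2648, "ppid": 2780,
     "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmd": "wmic SystemEnclosure get ChassisTypes"},
    {"type": "process", "pid": 1908, "ppid": 2780,
     "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmd": "wmic os get oslanguage /FORMAT:LIST"},
    {"type": "process", "pid": 1084, "ppid": 2780,
     "image": r"C:\Windows\SysWOW64\wbem\wmic.exe",
     "cmd": r'wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"'},
]

# The three WMI queries every MeshAgent.exe instance in the report issued at
# start-up; together they fingerprint "an agent just started", not malice.
RECON_QUERIES = {
    "chassis": re.compile(r"systemenclosure\s+get\s+chassistypes", re.I),
    "oslang": re.compile(r"\bos\s+get\s+oslanguage", re.I),
    "pctype": re.compile(r"computersystem\s+get\s+pcsystemtype", re.I),
}
# MeshCentral names downloaded installers meshagent<arch>-<group>.exe.
INSTALLER_NAME = re.compile(r"^meshagent(?:32|64)?-[^\\]+\.exe$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.I)   # assumed policy
SERVICE_KEY = r"\services\mesh agent\imagepath"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(events: list) -> list:
    """Return (rule, pid, detail) alerts for the events.

    Parent lookup is by PID, which the report itself shows being recycled
    (2772 is both a MeshAgent.exe and a wmic.exe); production rules should
    key on ProcessGuid or on PID plus creation time."""
    alerts = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    recon = defaultdict(set)            # parent pid -> recon queries seen
    for e in events:
        if e["type"] == "process":
            name = basename(e["image"]).lower()
            # Installer run from a user-writable path: an attacker-staged agent.
            if (INSTALLER_NAME.match(name) or "-fullinstall" in e["cmd"].lower()) \
                    and USER_WRITABLE.match(e["image"]):
                alerts.append(("meshagent_installer_from_user_path", e["pid"], e["image"]))
            parent = procs.get(e["ppid"])
            if name == "wmic.exe" and parent and basename(parent["image"]).lower() == "meshagent.exe":
                for tag, rx in RECON_QUERIES.items():
                    if rx.search(e["cmd"]):
                        recon[e["ppid"]].add(tag)
        elif e["type"] == "registry":
            # Service registration: persistence as a SYSTEM service.
            if e["key"].lower().endswith(SERVICE_KEY) or "meshagent.exe" in e["value"].lower():
                alerts.append(("mesh_agent_service_installed", e["pid"], e["value"].strip()))
    for ppid, tags in recon.items():
        if len(tags) >= 2:
            alerts.append(("meshagent_startup_fingerprint", ppid, ",".join(sorted(tags))))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:36} pid={pid:<5} {detail}")
```

The first two rules are the ones worth paging on: an installer named for a device group executing out of a user profile, and a new Mesh Agent service, are exactly what this sample does and what a sanctioned deployment by IT tooling from a managed path does not. The fingerprint rule is deliberately low severity; use it to find every agent instance on the estate and then resolve each one against its MeshAgent.msh server, because the agent itself is dual-use.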
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe  (level 1, PID 2856)
  command line: "C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe  (level 2, PID 2632)
    command line: "C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe  (level 1, PID 2780)
  command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2648)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 1908)
    command line: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 1084)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2096)
    command line: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2904)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2772)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe  (level 1, PID 1948)
  command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 1448)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2176)
    command line: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2172)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2144)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2156)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe  (level 1, PID 1724)
  command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 1688)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 1972)
    command line: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 760)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 696)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 1432)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe  (level 1, PID 2668)
  command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2836)
    command line: wmic SystemEnclosure get ChassisTypes
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2540)
    command line: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 1224)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 1600)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2624)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe  (level 1, PID 2708)
  command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2932)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2604)
    command line: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 1680)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2336)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2172)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe  (level 1, PID 2052)
  command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 668)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 392)
    command line: wmic os get oslanguage /FORMAT:LIST
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 3012)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 940)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 756)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe  (level 1, PID 1000)
  command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2264)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 3008)
    command line: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2808)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 3028)
    command line: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
  C:\Windows\SysWOW64\wbem\wmic.exe  (level 2, PID 2760)
    command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (level 1)
  Command: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2980
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:1072
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
    PID:2636
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
    PID:2720
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:2548
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
    PID:2988
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (level 1)
  Command: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2072
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:960
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
    PID:2872
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
    PID:936
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:1044
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
    PID:1016
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (level 1)
  Command: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:2260
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:756
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
    PID:896
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
    PID:1508
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
    PID:1632
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:2808
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
    PID:2648
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (level 1)
  Command: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:1904
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic SystemEnclosure get ChassisTypes
    - Modifies data under HKEY_USERS
    PID:1920
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
    PID:2680
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID:2876
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic os get oslanguage /FORMAT:LIST
    - System Location Discovery: System Language Discovery
    PID:2588
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic SystemEnclosure get ChassisTypes
    - Modifies data under HKEY_USERS
    PID:2148
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    - System Location Discovery: System Language Discovery
    PID:2100
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe (level 1)
  Command: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2772
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic SystemEnclosure get ChassisTypes
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:964
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic os get oslanguage /FORMAT:LIST
    PID:1640
  C:\Windows\SysWOW64\wbem\wmic.exe (level 2)
    Command: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID:392
Network
MITRE ATT&CK Enterprise v15
Downloads