Analysis
  max time kernel: 149s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20240802-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-09-2024 02:43
Behavioral tasks
  task         sample                                                                  resource
  behavioral1  e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe   win7-20240903-en
  behavioral2  e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe   win10v2004-20240802-en
  behavioral3  meshagent32-group.exe                                                   win7-20240903-en
  behavioral4  meshagent32-group.exe                                                   win10v2004-20240802-en
General
  Target: e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe
  Size: 1.8MB
  MD5: 749bd6bf56a6d0ad6a8a4e5712377555
  SHA1: 6e4ff640a527ed497505c402d1e7bdb26f3dd472
  SHA256: e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3
  SHA512: 250f1825f5d2577124606818a8c370bb862d74dfebddd8c25ec2b43448626b583e166e101f65ebe12b66b8767af7ad75a8d9f5a3afd4e10f4dd3e6239efe9a7d
  SSDEEP: 49152:UkQletNpj4NmwF1tBE6BAfTm9k9MJsuAfChboFtcZo:UFletXjoD1tBEc90XCo6Zo
Malware Config
  Extracted
    Family: meshagent
    Version: 2
    Botnet: group
    C2: http://94.131.119.184:443/agent.ashx
    Attributes:
      mesh_id: 0x1BB80B7BD3F37219BF6F79BEE0A08A00B90168972309CA4BFD812814A9F980439E71B51CC08CC59D904B5AED18647DD0
      server_id: B13800B3094163CC81EA68335E6D9A9B98350B3D697F92D49A06C6ADC9519150B766816EBC90ED105D4749F3F47F60B6
      wss: wss://94.131.119.184:443/agent.ashx
Signatures

Detects MeshAgent payload (1 IoC)
  resource                                                   yara_rule
  C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe  family_meshagent
Sets service image path in registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" "
  process: meshagent32-group.exe
Executes dropped EXE (12 IoCs)
  pid   process
  2444  meshagent32-group.exe
  4220  MeshAgent.exe
  1988  MeshAgent.exe
  768   MeshAgent.exe
  4272  MeshAgent.exe
  1360  MeshAgent.exe
  4964  MeshAgent.exe
  4224  MeshAgent.exe
  2888  MeshAgent.exe
  1504  MeshAgent.exe
  1984  MeshAgent.exe
  5112  MeshAgent.exe
Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (26 IoCs)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies data under HKEY_USERS (12 IoCs)
  description      ioc                                                                                              process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            MeshAgent.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            MeshAgent.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            MeshAgent.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            MeshAgent.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717058369997922"  MeshAgent.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            MeshAgent.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            MeshAgent.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            MeshAgent.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            MeshAgent.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            MeshAgent.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            MeshAgent.exe
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                            MeshAgent.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe"
  PID: 4424
  Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
    Command line: "C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall
    PID: 2444
    Signatures: Sets service image path in registry; Executes dropped EXE; Drops file in Program Files directory; System Location Discovery: System Language Discovery

- C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
  Command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  PID: 4220
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 1336
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic os get oslanguage /FORMAT:LIST
    PID: 1068
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 3040
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic os get oslanguage /FORMAT:LIST
    PID: 4540
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 4708
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 2688
    Signatures: System Location Discovery: System Language Discovery

- C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
  Command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  PID: 1988
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 4060
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic os get oslanguage /FORMAT:LIST
    PID: 3016
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 4112
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 3644
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 5104
    Signatures: System Location Discovery: System Language Discovery

- C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
  Command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  PID: 768
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 2236
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic os get oslanguage /FORMAT:LIST
    PID: 2752
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 872
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 2004
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 1604
    Signatures: System Location Discovery: System Language Discovery

- C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
  Command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  PID: 4272
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 5024
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic os get oslanguage /FORMAT:LIST
    PID: 3600
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 3316
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 4380
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 1372
    Signatures: System Location Discovery: System Language Discovery

- C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
  Command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  PID: 1360
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 2716
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic os get oslanguage /FORMAT:LIST
    PID: 3192
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 4368
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 1672
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 1512
    Signatures: System Location Discovery: System Language Discovery

- C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
  Command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  PID: 4964
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 2796
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic os get oslanguage /FORMAT:LIST
    PID: 3800
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 2272
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 428
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 4612
    Signatures: System Location Discovery: System Language Discovery

- C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
  Command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  PID: 4224
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 2968
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic os get oslanguage /FORMAT:LIST
    PID: 4728
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 1568
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic SystemEnclosure get ChassisTypes
    PID: 4864
    Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\wbem\wmic.exe
    Command line: wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
    PID: 1468
    Signatures: System Location Discovery: System Language Discovery

- C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
  Command line: "C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
  Signatures: Executes dropped EXE; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
PID:2888 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:3452 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:3688 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:3232
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1504 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:1212 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:4820 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:2372
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1984 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:752 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:4864 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵
- System Location Discovery: System Language Discovery
PID:1016
-
C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5112 -
C:\Windows\SysWOW64\wbem\wmic.exewmic SystemEnclosure get ChassisTypes2⤵
- System Location Discovery: System Language Discovery
PID:5036 -
C:\Windows\SysWOW64\wbem\wmic.exewmic os get oslanguage /FORMAT:LIST2⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\wbem\wmic.exewmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"2⤵PID:3612
Network
MITRE ATT&CK Enterprise v15
Downloads