Malware Analysis Report

2024-10-23 20:16

Sample ID 240925-c71jvazhkr
Target e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe
SHA256 e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3
Tags
group meshagent backdoor discovery persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3

Threat Level: Known bad

The file e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe was found to be: Known bad.

Malicious Activity Summary

group meshagent backdoor discovery persistence rat trojan

Meshagent family

MeshAgent

Detects MeshAgent payload

Sets service image path in registry

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-25 02:43

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

Meshagent family

meshagent

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-25 02:43

Reported

2024-09-25 02:46

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe"

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

MeshAgent

rat trojan backdoor meshagent

Sets service image path in registry

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" " C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.msh C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wbem\wmic.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
PID 2856 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
PID 2856 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
PID 2856 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
PID 2780 wrote to memory of 2648 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2648 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2648 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2648 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 1908 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 1908 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 1908 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 1908 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 1084 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 1084 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 1084 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 1084 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2096 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2096 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2096 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2096 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2904 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2904 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2904 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2904 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2772 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2772 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2772 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 2780 wrote to memory of 2772 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 1448 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 1448 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 1448 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 1448 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2176 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2176 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2176 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2176 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2172 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2172 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2172 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2172 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2144 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2144 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2144 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2144 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2156 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2156 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1948 wrote to memory of 2156 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1724 wrote to memory of 1688 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1724 wrote to memory of 1972 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1724 wrote to memory of 760 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1724 wrote to memory of 696 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe

"C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe"

C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe

"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

Network

Country Destination Domain Proto
RO 94.131.119.184:443 tcp

Files

\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe

C:\Program Files (x86)\Mesh Agent\MeshAgent.msh

C:\Program Files (x86)\Mesh Agent\MeshAgent.db

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-25 02:43

Reported

2024-09-25 02:46

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe"

Signatures

Detects MeshAgent payload

Description Indicator Process Target
N/A N/A N/A N/A

MeshAgent

rat trojan backdoor meshagent

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" " C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ws2_32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\sechost.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\combase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ntasn1.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcrt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\msvcrt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\shell32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wntdll.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\iphlpapi.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\comctl32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\dbghelp.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\wkernel32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ws2_32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\comctl32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\shell32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\oleaut32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\shell32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\exe\MeshService.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\bcryptprimitives.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\exe\MeshService.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\shell32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\msvcrt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dbghelp.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wkernelbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wgdi32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\comctl32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\bcrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ncrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ole32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wrpcrt4.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\msvcp_win.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\wwin32u.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ole32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dbghelp.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ucrtbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\shell32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\bcrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\oleaut32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wkernelbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ws2_32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\crypt32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\gdiplus.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\bcryptprimitives.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\ucrtbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\bcrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ole32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\bcrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\msvcrt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\bcrypt.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\ntasn1.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\wwin32u.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\DLL\dbgcore.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\dll\comctl32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\crypt32.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wkernelbase.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.msh C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.log C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File created C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
File opened for modification C:\Program Files (x86)\Mesh Agent\MeshAgent.db C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717058369997922" C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Mesh Agent\MeshAgent.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4424 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
PID 4424 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
PID 4424 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe
PID 4220 wrote to memory of 1336 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 1336 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 1336 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 1068 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 1068 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 1068 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 3040 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 3040 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 3040 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 4540 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 4540 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 4540 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 4708 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 4708 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 4708 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 2688 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 2688 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4220 wrote to memory of 2688 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 4060 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 4060 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 4060 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 3016 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 3016 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 3016 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 4112 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 4112 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 4112 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 3644 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 3644 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 3644 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 5104 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 5104 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 1988 wrote to memory of 5104 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 2236 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 2236 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 2236 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 2752 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 2752 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 2752 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 872 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 872 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 872 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 2004 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 2004 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 2004 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 1604 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 1604 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 768 wrote to memory of 1604 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 5024 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 5024 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 5024 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 3600 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 3600 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 3600 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 3316 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 3316 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 3316 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 4380 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 4380 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 4380 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe
PID 4272 wrote to memory of 1372 N/A C:\Program Files (x86)\Mesh Agent\MeshAgent.exe C:\Windows\SysWOW64\wbem\wmic.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe

"C:\Users\Admin\AppData\Local\Temp\e6148c7e8cec3a4565e97a139d2b09dbdf2f30460054fa168624fdc1050421d3.exe"

C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe

"C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe" -fullinstall

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe

"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic SystemEnclosure get ChassisTypes

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

C:\Windows\SysWOW64\wbem\wmic.exe

wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RO 94.131.119.184:443 tcp
US 8.8.8.8:53 184.119.131.94.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RO 94.131.119.184:443 tcp
RO 94.131.119.184:443 tcp
RO 94.131.119.184:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
RO 94.131.119.184:443 tcp
RO 94.131.119.184:443 tcp
RO 94.131.119.184:443 tcp
RO 94.131.119.184:443 tcp
RO 94.131.119.184:443 tcp
RO 94.131.119.184:443 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RO 94.131.119.184:443 tcp

Files

C:\Users\Admin\AppData\Roaming\MSIX\meshagent32-group.exe

MD5 e8bd5c14b8301039e7538298d26cf09b
SHA1 4702252fef2156b59ad61f1f397b205323b339c4
SHA256 f32426d0fc71a3a054f0fe263133aabeb25c9d7d129238cfcfc0c1a40854c67e
SHA512 7108e6379e9e2698dbac52549b5fc81d7b3c5bb02d4d3574b7be9e8ab9f6f473513e651c1ce0809d74273f02e837c36032666f739c05b71fa732899360b77cee

C:\Program Files (x86)\Mesh Agent\MeshAgent.db

MD5 fdac77bed4dfc4777405faf374cc17e0
SHA1 e9023f27c51334eb89dc8fe82127b328b5ff1f2d
SHA256 2b1f8c86bcdc2b55eede05de59bd22137c3f639f1931a36bb8562e01ab2336e4
SHA512 9524a2b5456679edc7daad01076add19ae10c23e50364cd4f22e8e1bd2cec94683d5713c437f8b7f124125e320d5cbbb0fc7e55e375080674a8e1350d9f8e128

C:\Program Files (x86)\Mesh Agent\MeshAgent.msh

MD5 90c4989cf99b9f357020a7e07a977eea
SHA1 7e0d44a99412713401a00502fe85c2877064daa4
SHA256 4f1fdf000e1d59f66dc3c37d3de736145a2ee07bb486894b131406bc01272902
SHA512 b627eff21c9506704208e343d7e80a26f64057fa8b00265b74eb0a8f33ab1f082fd43a54bf35b25f40b63aaf44c1f8ca7c0b319028565fdf558cf72f52de241d

C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\3F015550341E3E07E40741008DA01E9CEC2AFF68

MD5 53bf9bb768756cd26d632eecfbf73746
SHA1 0232e8230bd5c44015fc26c2c42340205bff1c0c
SHA256 b04c380b8b5c8518d841db27d03e2116f08be87902a394045aee66d7d7f21edc
SHA512 45745eb825c640bbbcf2890cd0ae3e2228b1942755365bcc0ca11d696b4ab359746f66ecf59e033cac9dcefd779ee7d0fc556307428cbf135f85640e68390342

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

MD5 dfc7268d5292de055de4c5499a8896e3
SHA1 c1d2b5cd21779ae72f28352db820474fd122267b
SHA256 4c00564a05b480fdf0e440a1cfb9530520fa89dcd9465c0d9c297e83ff013cd6
SHA512 a2ea82889e7c9592cc9c6cece3e64d26fb2e671bb15361107bb164c2a0b036142a21ae145e82793b3c80004efb5fe168f6a0968883f6d098a7a310b47ba6a98e

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

MD5 8e210976ff6cc0b2199cfba58b33e3dd
SHA1 7a4be618554a1730405afc3bc94c34642ddae99e
SHA256 4ecad35b718aeb3b053d3ae768cc9c06929a468631659bcd0e5b908fa7a040ad
SHA512 50aa6d99ced79f73f077a1166e576172f4f52bacd596f4aa6d86f8949dd9fc6d2fcc4e60bffdbad5ff60a2a016c8202968ecbc79f42862365e043da7fd4d1b0b

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

MD5 b1aa65146fe3cb44d3ea4a41fe3ccf87
SHA1 0a6fa21f2c1a164de62e11cfcb07c6ac0bd24c5c
SHA256 627b10f6d074de1d17d9d68161feed97aa17fc592a3b097a991a83e2ab649d9d
SHA512 c1504fe191a45cd8696bb5c5c6aaaf5e01da98f478270001e1a84aab53af5d6b50823200fa3572b333ec3c779a2b0ee13383227a68b2b84cc6e59b162a4dcbb5

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

MD5 01611e5a5709701c644efa7da24aa1f8
SHA1 61d864d2487fe0924907254608a01f7edb7b1ba0
SHA256 a68e84acb1bb5300cf2710ea12732d8e121733a680fdd3f72d21af5c759264e4
SHA512 dd366b8c7913d44054f04bd1e23b36268ab623df037dc0cfe5e4118ca21a27b2aff948f7f711db5bc407a7e9214dc4b3fa1c7627e9c986e283d0b0fef22ff04c

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

MD5 91b7985e3497641408eb3d3f2cff2052
SHA1 c8bdfe8c6d6df994f025fb5fbaa635d61c2fa238
SHA256 e6229a92e3e75d27d7e9d106c640edc2e0fcfa3764ed77644ab74891ef8520d6
SHA512 43b715a8877dc7b00f844902e01ea2c17bf108f9cb4032ca489622f35d36f86eaa02be99d11b7bc56e113d4e44f79547c8cf93125328a9fe843469d7630cd32e

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

MD5 4a2fee677205b4ea5853ce25c1d70b75
SHA1 be178e7ec1079193e3f28fb7a4832b3b5377ce44
SHA256 42ed968c519d59cfd2e60882d23bc8b297aacce0d3d544925ff1a0ff11312405
SHA512 087282dd161c23bce35bd6362323473d84b948b1576ad10d27558d5453c7aecd1536a744df6d22ee93cc53b77364bbac59702c04f00f83b273521cca57976266

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

MD5 3ce2418e92d58324231754e1268269b2
SHA1 918d42a717cde2e8840b50d83be220943ba6a7cb
SHA256 6b36239b5c755a03ef31a4290e7bd12b8eb609b448e67f0b4c84763199ca8033
SHA512 9098a8d690ee0296ab3b57b0fde59b7806bd63adf9280c51bad1b0fdb0037ac3c1cc0f3138c1845184e695d7c83ce569c59e2681336aa3f8c5da66a60be58311

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

MD5 419f6c6b0f2333c73540a8a78c27288f
SHA1 d85c3619d38461451a64f0fbdf8a23cabc2ce58c
SHA256 2137bcf17e7e6e69791ac899711f47f70b8ed83b093c9b0176efd89d47d6cc72
SHA512 feddc348bb62e46f5aef8241f3b9fbdb50edb589628db31037ec7a37e8b3f9b116e4f0053ba0e7b18f56ff2e8634cf456725345e4fcccc26e996a2252a6b9fea

C:\Program Files (x86)\Mesh Agent\MeshAgent.db

MD5 88c75aa130372900ef0859ce48f6dd63
SHA1 b7d658a123f5aecb68522a6a9ac4a6a462988533
SHA256 cbe718733b3e62e83d67649ed76e2a20fe3991676b001da15d0e457c1a06e487
SHA512 b3967e24eea39c9b65bea707c7ca1755f3eb49c0e54ea72dbb608fd2d94779e533bb906ffa53a09744a8c8a5568f1f3f84dc449ec7fab8450d0624f3b12d4000

C:\Program Files (x86)\Mesh Agent\MeshAgent.db

MD5 bc1f2c01b9ba91916b0b16f67e9b7631
SHA1 286190fe0412df737f11de05f501cec529850e41
SHA256 a6bd64b9b9a5ad28c704b368ccaa6c24431b0b3a21dcccd4b60065a05129e66c
SHA512 800ba72c1d095b7b28ea376692785f56c6b975728ee3e087e2e77621e937a83e32aaa810823cd6e444de87eb7de20ea0dc5b1b899e3645676b1a50fb0843bae7

C:\Program Files (x86)\Mesh Agent\MeshAgent.log

MD5 199c86615643738dfe54bf60f73efbcd
SHA1 5d2d69bc53ed8c53609d992df7d2ad419a0ba558
SHA256 9ac118430edc23170e4c704e6e33261983237538bc3f763a47a3d7025e5b3332
SHA512 1712f54cd586317c336e3f6e17b2dc02c4882c7bb089186b7a82741604cd7e7418b35f25e41a790e621e6f35ff8e0305ed9b1d5fd4efccdb65fc52288a6de5b0

Analysis: behavioral3

Detonation Overview

Submitted

2024-09-25 02:43

Reported

2024-09-25 02:46

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe

"C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-09-25 02:43

Reported

2024-09-25 02:46

Platform

win10v2004-20240802-en

Max time kernel

92s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\wbem\wmic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\wbem\wmic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe

"C:\Users\Admin\AppData\Local\Temp\meshagent32-group.exe"

C:\Windows\SysWOW64\wbem\wmic.exe

wmic os get oslanguage /FORMAT:LIST

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

N/A