Analysis Overview
SHA256
a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2
Threat Level: Known bad
The file QS1.exe was found to be: Known bad.
Malicious Activity Summary
MeshAgent
Meshagent family
Detects MeshAgent payload
Sets service image path in registry
Executes dropped EXE
Checks computer location settings
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Unsigned PE
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-25 07:28
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Meshagent family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-25 07:28
Reported
2024-09-25 07:34
Platform
win7-20240903-en
Max time kernel
120s
Max time network
284s
Command Line
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
MeshAgent
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " | C:\Users\Admin\AppData\Local\Temp\QS1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.msh | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.log | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.exe | C:\Users\Admin\AppData\Local\Temp\QS1.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e041b9b21c0fdb01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\wbem\wmic.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\QS1.exe
"C:\Users\Admin\AppData\Local\Temp\QS1.exe"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Users\Admin\AppData\Local\Temp\QS1.exe
"C:\Users\Admin\AppData\Local\Temp\QS1.exe" -fullinstall
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | mc.kaminet.eu | udp |
| PL | 212.160.243.18:443 | mc.kaminet.eu | tcp |
| PL | 212.160.243.18:443 | mc.kaminet.eu | tcp |
Files
\Program Files\Mesh Agent\MeshAgent.exe
| Hash | Value |
| --- | --- |
| MD5 | 407da4828b3b9126d6a0b6aa25a081c4 |
| SHA1 | 3aeee655ab024657da645f9a05b53d40c9456d76 |
| SHA256 | a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2 |
| SHA512 | 6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d |
memory/2388-25-0x000000001B320000-0x000000001B602000-memory.dmp
memory/2388-26-0x0000000001C10000-0x0000000001C18000-memory.dmp
C:\Program Files\Mesh Agent\MeshAgent.msh
| Hash | Value |
| --- | --- |
| MD5 | 0f14c3685282f971b22ce7ede075e24d |
| SHA1 | 2d309772a8fd743bee66e8974836fc472631e994 |
| SHA256 | ae1d2b41b538e32dd5173e9452aa5aa6191d94ccc079d4d1381bc62c1fd796a8 |
| SHA512 | cae0baea1cfc8cfe8a9c6b4633d3f3f3fc43927a46c3e852e35d500bad39d9ba1179352876c11df1926c6b83f60aaa7d19d7aae5e927b64988f8feb878734d3c |
C:\Program Files\Mesh Agent\MeshAgent.db
| Hash | Value |
| --- | --- |
| MD5 | 0857a7e1fdbf7f28ebac8ef50b7c729c |
| SHA1 | d87df4c0c18a7c8ca1564f924da34c8102ffa551 |
| SHA256 | 16b700459f42c6ca1bdb4ae6b2409f64529338e281eb89ea028ec12469becc18 |
| SHA512 | 2dbd48095963e1aeb4097ed73e75dc0a7e60f758ef5dd5a210c04547dd20f47cba9134cfa485a77501bac0ccaa3c2be5cf01802e2e2dee435180908f1be38f27 |
memory/2056-62-0x0000000000610000-0x0000000000618000-memory.dmp
memory/2056-61-0x000000001B270000-0x000000001B552000-memory.dmp
\??\PIPE\srvsvc
| Hash | Value |
| --- | --- |
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-25 07:28
Reported
2024-09-25 07:34
Platform
win10-20240404-en
Max time kernel
195s
Max time network
286s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3012 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\QS1.exe | C:\Windows\system32\wbem\wmic.exe |
| PID 3012 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\QS1.exe | C:\Windows\system32\wbem\wmic.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\QS1.exe
"C:\Users\Admin\AppData\Local\Temp\QS1.exe"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-09-25 07:28
Reported
2024-09-25 07:34
Platform
win10v2004-20240802-en
Max time kernel
272s
Max time network
281s
Command Line
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
MeshAgent
Sets service image path in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " | C:\Users\Admin\AppData\Local\Temp\QS1.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\QS1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\comctl32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\kernelbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\shcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\apphelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\bcrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\advapi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\kernelbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\advapi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\gdi32full.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\sechost.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\comctl32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\exe\MeshService64.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\kernelbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\sechost.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\exe\MeshService64.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\apphelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\332344099BFB44C83A7737B30C276CADB4C4698C | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\apphelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\comctl32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\shcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.msh | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.exe | C:\Users\Admin\AppData\Local\Temp\QS1.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717229876064941" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\QS1.exe
"C:\Users\Admin\AppData\Local\Temp\QS1.exe"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Users\Admin\AppData\Local\Temp\QS1.exe
"C:\Users\Admin\AppData\Local\Temp\QS1.exe" -fullinstall
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get F: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get F: -Type recoverypassword
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mc.kaminet.eu | udp |
| PL | 212.160.243.18:443 | mc.kaminet.eu | tcp |
| US | 8.8.8.8:53 | 18.243.160.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Program Files\Mesh Agent\MeshAgent.exe
| MD5 | 407da4828b3b9126d6a0b6aa25a081c4 |
| SHA1 | 3aeee655ab024657da645f9a05b53d40c9456d76 |
| SHA256 | a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2 |
| SHA512 | 6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d |
memory/3188-28-0x0000023870E90000-0x0000023870EB2000-memory.dmp
C:\Windows\Temp\__PSScriptPolicyTest_aouwf0fz.t4l.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3188-38-0x0000023871350000-0x0000023871394000-memory.dmp
memory/3188-39-0x0000023871420000-0x0000023871496000-memory.dmp
C:\Program Files\Mesh Agent\MeshAgent.db.tmp
| MD5 | f8d15271bbace86ee8e8a3310065ac93 |
| SHA1 | 0beb317a18787c3e574332ac0c4114f2b110517f |
| SHA256 | 78daeced42769d8b06e47d7257ef9cfe126e84188818e2bf3cc59ba6fabe544b |
| SHA512 | b8160baa14c95a95e9e16d915f321d6c67e3bf1db02a233773ec1a3e6bb94b7fd54d2cefc8e27c31d878ccecd0ce36c0e4fd1b07fd15f4b95514a002ea36c42b |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 06d16fea6ab505097d16fcaa32949d47 |
| SHA1 | 0c1c719831fa41cd102d0d72d61c0f46ec5b8de8 |
| SHA256 | 54e15de2bef9f651d7717e2a336ac6b2ea2b723e6f29d2b153d8fbbc89aef723 |
| SHA512 | 03c00f1eebb51cec11703141ae9d9c3ac589f5495bc04d8a4b043714089a9d50bd3a520e4d72b4a4c99f5b9bf5f689bf2585fa5c7d4ddbe6f71cbba0172f593a |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2c0bdf06d302688498d4e7f9cd669ab5 |
| SHA1 | 18186323d93499e03f737f137b4ad795eb7f470b |
| SHA256 | 86cd6b95819282eee4bd6c900b27ebeddf453a90a9f6147978e9137479f36bd6 |
| SHA512 | f8f02ab1cb6906975695369183d00d7f25ec4c54c40aba5ac0a1f42312c5eff5a6774a8e84c3357415555405f7e9754deebe8335dd1fdcf693137ab044cc18fe |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | eb3ef0f644137e818b7f8aa2d04b3f16 |
| SHA1 | c4465d34bb0906aeb2f8de2774a8c81b14bb0fba |
| SHA256 | 197e2b4ff0068651cee86675fce5e775acb4e0b45e16c93da75eaafbb0248515 |
| SHA512 | 5346fc1bf262fb42c901c9a51f4d7f7f0466d9e04bf3cb9e44b49b1ddd05c48b135c0196749cdb638b7c74c373f0713331aa871917ad20e6f65700bfd0ed840f |
memory/1572-122-0x000001223CB50000-0x000001223CB7A000-memory.dmp
memory/1572-123-0x000001223CB50000-0x000001223CB74000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-09-25 07:28
Reported
2024-09-25 07:34
Platform
win11-20240802-en
Max time kernel
91s
Max time network
284s
Command Line
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MeshAgent
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " | C:\Users\Admin\AppData\Local\Temp\QS1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\sechost.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdi32full.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\exe\MeshService64.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\apphelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\09170613DE92CF6D0081016E77A16A6315F214E1 | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\sechost.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\advapi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\comctl32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\bcryptprimitives.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\apphelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\MeshService64.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\09170613DE92CF6D0081016E77A16A6315F214E1 | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\gdi32full.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\53778E7467E64C68F9023AFFF7BD988A7B5A895E | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\046A31934854C4134E037FD745BFA4E0EAB0B05E | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\bcrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.msh | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.exe | C:\Users\Admin\AppData\Local\Temp\QS1.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133717229898846795" | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\wmic.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\QS1.exe
"C:\Users\Admin\AppData\Local\Temp\QS1.exe"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Users\Admin\AppData\Local\Temp\QS1.exe
"C:\Users\Admin\AppData\Local\Temp\QS1.exe" -fullinstall
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\system32\wbem\wmic.exe
wmic os get oslanguage /FORMAT:LIST
C:\Windows\System32\wbem\wmic.exe
wmic SystemEnclosure get ChassisTypes
C:\Windows\System32\wbem\wmic.exe
wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get F: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get F: -Type recoverypassword
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mc.kaminet.eu | udp |
| PL | 212.160.243.18:443 | mc.kaminet.eu | tcp |
| US | 8.8.8.8:53 | 18.243.160.212.in-addr.arpa | udp |
Files
C:\Program Files\Mesh Agent\MeshAgent.exe
| MD5 | 407da4828b3b9126d6a0b6aa25a081c4 |
| SHA1 | 3aeee655ab024657da645f9a05b53d40c9456d76 |
| SHA256 | a262b898726cdc4e487a7cbaa3d6440496897a2b406e0a049becb91d288eb0c2 |
| SHA512 | 6f0fa435233a357e5c93f54b5d82a85ac9df1be8150a94ba47ac7920cdac50c7b630a89faa20509f369b9cb49314734e038c677f4c0ed7431847720825df489d |
C:\Windows\Temp\__PSScriptPolicyTest_sc1twoyd.imz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Program Files\Mesh Agent\MeshAgent.db.tmp
| MD5 | 0717e2bbee03d2f5184a3dfdd7954951 |
| SHA1 | 162452e62fd2e78efc53debf803238744008069f |
| SHA256 | e0cc8f974f973108636dc2be1631f7cf8cd42e659081def8ef84351b58b6d544 |
| SHA512 | 626dea9ef891b000e42afbd879a5f50b428ba9c4ed85263e86d5f36905c8b4ae62798a176513fa57bcb17b1a746cd9bfad92a596d5eb0a4917f9701e5f89179a |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 88dc70c361a22feac57b031dd9c1f02f |
| SHA1 | a9b4732260c2a323750022a73480f229ce25d46d |
| SHA256 | 43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59 |
| SHA512 | 19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 27c89c41a1eaa307b93a14b61197b717 |
| SHA1 | ae17aa045f1cc8875842bad7537cd4ce30c81294 |
| SHA256 | f36e4bc274085c7afed3372be7dee8e376ef53b63955922c70077db59b1fcdb4 |
| SHA512 | 5bc44126b73110103df9260dacacf21ecf396c8fc9bc0d9479e6b28ae8520eb258bbd98b0c3450ec099c646654e4bd4a5a4ac98fb60d1e488b0a12a4f5c70daa |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 36689773469dd22140cd5fb2e0fe159f |
| SHA1 | 37ff6fc154f5f1c2c86835d2383e1deb06415f87 |
| SHA256 | be2185c5181d3af79bd6b6e566d923850b3ec7ec1253952fc7c7b2a97e844aa4 |
| SHA512 | 8cd7847540bcf5e4ba3904469af1c1418730a026b4caacd279181b1e51665c205f7abf5407a24632d1c3832060967db70658ea732114d878e9adea6ff7e30281 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9274c2c9a4e2973024a6a45cc59ea982 |
| SHA1 | 9d8dc5f596e8384fd2e97f77531b83855033544b |
| SHA256 | 23575f692024020e1cbc6f716ca9aedb436d06f7fff1088109561374ed045d05 |
| SHA512 | 66560f9001c15d4bde5d44a535e7e0fc153423c6af1337f1204b919535f2ec480b71b022f4101841baf1b61ea62d5714aaf860a2aa4e1899b5285ad4be7a6c75 |