Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20250207-en locale:en-us os:windows10-2004-x64 system -
submitted
16-02-2025 18:25
Behavioral task
behavioral1
Sample
2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe
Resource
win7-20241010-en
General
-
Target
2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe
-
Size
2.9MB
-
MD5
9eb9c3fa9a8a4a673edf0e6b6057997c
-
SHA1
6d3456442b8b8bd40b85a580b90011fb8aa4ca44
-
SHA256
39a7fd947f44b1916b412937848dceefb9ee06a514d8f35740cf15ddff3f71bf
-
SHA512
a4a41b0e8ee7feebb1221e984050ca8253f7747060f8cbf8038f683761340105e906fdda496f436ad1ca601aefb1f51db0d06901bbaf57cffba1300a5efee1df
-
SSDEEP
49152:6iQagHg5EVhwQd+qrW+i1w+Tqc0KxZbDOCwMDbyeKw3FGMFvfjPW21I3iIJK:Pg7hRdj9iMlHBSFBWZK
Malware Config
Extracted
meshagent
2
family
http://puta.dyndns.org:443/meshcentral/agent.ashx
-
mesh_id
0xD4A168AB85CC42538347307026CFA907128B771A898DC41A668CAD35BE7E04146D0E7D4B81049883102F751C8D282B70
-
server_id
DF4AB92F3C8857999E467656003AE5A1785E8424F7659E7546274B911B930CAB20F5BCA3D8302EC6D3C5E7DFAC9F1A44
-
wss
wss://puta.dyndns.org:443/meshcentral/agent.ashx
Signatures
-
Detects MeshAgent payload 1 IoCs
resource yara_rule
behavioral2/files/0x0007000000023e0f-80.dat family_meshagent
-
Meshagent family
-
Downloads MZ/PE file 1 IoCs
flow pid Process
53 4384 Process not Found
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" --installedByUser=\"S-1-5-21-1639772215-809007892-4072230623-1000\"" 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe
-
Executes dropped EXE 1 IoCs
pid Process
516 MeshAgent.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\System32\symbols\dll\sechost.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\combase.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\iphlpapi.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\ntasn1.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\bcryptprimitives.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\win32u.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\win32u.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\sechost.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\bcryptprimitives.pdb MeshAgent.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys MeshAgent.exe
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\0A00C29205E0C7597EA637E2B60257519FBCEDE3 MeshAgent.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E9A5493B98BC5DDC708803B26C2513F0A031450E MeshAgent.exe
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\6A9608F73ADDEDD68351AC205100D1CA2DC625EC MeshAgent.exe
File opened for modification C:\Windows\System32\ucrtbase.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\advapi32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dbghelp.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\combase.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\oleaut32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\DLL\bcrypt.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\bcryptprimitives.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\gdi32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\dbghelp.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\oleaut32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\shcore.pdb MeshAgent.exe
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\7C056A47C9887078637714EAABD2247C25654C17 MeshAgent.exe
File opened for modification C:\Windows\System32\dll\gdi32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\DLL\kernel32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\ws2_32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\rpcrt4.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\gdi32full.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\msvcp_win.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\bcrypt.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\ntasn1.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\ntdll.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\shcore.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\crypt32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\gdi32full.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\sechost.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\shell32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\shell32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\oleaut32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\ncrypt.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\MeshService64.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\Kernel.Appcore.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\version.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\kernel32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\ws2_32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\msvcp_win.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\dbghelp.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\ole32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\ntasn1.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\exe\MeshService64.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\kernelbase.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\rpcrt4.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\gdiplus.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\DLL\iphlpapi.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\version.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\DLL\kernel32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\dll\advapi32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\advapi32.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\symbols\dll\msvcrt.pdb MeshAgent.exe
File opened for modification C:\Windows\System32\DLL\dbgcore.pdb MeshAgent.exe
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E9A5493B98BC5DDC708803B26C2513F0A031450E MeshAgent.exe
-
Drops file in Program Files directory 7 IoCs
description ioc Process
File created C:\Program Files\Mesh Agent\MeshAgent.exe 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe
File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db MeshAgent.exe
File created C:\Program Files\Mesh Agent\MeshAgent.db MeshAgent.exe
File opened for modification C:\Program Files\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe
File created C:\Program Files\Mesh Agent\MeshAgent.db.tmp MeshAgent.exe
File opened for modification C:\Program Files\Mesh Agent\MeshAgent.log MeshAgent.exe
File created C:\Program Files\Mesh Agent\MeshAgent.msh MeshAgent.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
4832 MicrosoftEdgeUpdate.exe
-
Modifies data under HKEY_USERS 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry MeshAgent.exe
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133842039228604066" MeshAgent.exe
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process
1544 powershell.exe
1544 powershell.exe
5020 powershell.exe
5020 powershell.exe
3588 powershell.exe
3588 powershell.exe
3876 powershell.exe
3876 powershell.exe
2492 powershell.exe
2492 powershell.exe
2492 powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeIncreaseQuotaPrivilege 3976 wmic.exe
Token: SeSecurityPrivilege 3976 wmic.exe
Token: SeTakeOwnershipPrivilege 3976 wmic.exe
Token: SeLoadDriverPrivilege 3976 wmic.exe
Token: SeSystemProfilePrivilege 3976 wmic.exe
Token: SeSystemtimePrivilege 3976 wmic.exe
Token: SeProfSingleProcessPrivilege 3976 wmic.exe
Token: SeIncBasePriorityPrivilege 3976 wmic.exe
Token: SeCreatePagefilePrivilege 3976 wmic.exe
Token: SeBackupPrivilege 3976 wmic.exe
Token: SeRestorePrivilege 3976 wmic.exe
Token: SeShutdownPrivilege 3976 wmic.exe
Token: SeDebugPrivilege 3976 wmic.exe
Token: SeSystemEnvironmentPrivilege 3976 wmic.exe
Token: SeRemoteShutdownPrivilege 3976 wmic.exe
Token: SeUndockPrivilege 3976 wmic.exe
Token: SeManageVolumePrivilege 3976 wmic.exe
Token: 33 3976 wmic.exe
Token: 34 3976 wmic.exe
Token: 35 3976 wmic.exe
Token: 36 3976 wmic.exe
Token: SeIncreaseQuotaPrivilege 3976 wmic.exe
Token: SeSecurityPrivilege 3976 wmic.exe
Token: SeTakeOwnershipPrivilege 3976 wmic.exe
Token: SeLoadDriverPrivilege 3976 wmic.exe
Token: SeSystemProfilePrivilege 3976 wmic.exe
Token: SeSystemtimePrivilege 3976 wmic.exe
Token: SeProfSingleProcessPrivilege 3976 wmic.exe
Token: SeIncBasePriorityPrivilege 3976 wmic.exe
Token: SeCreatePagefilePrivilege 3976 wmic.exe
Token: SeBackupPrivilege 3976 wmic.exe
Token: SeRestorePrivilege 3976 wmic.exe
Token: SeShutdownPrivilege 3976 wmic.exe
Token: SeDebugPrivilege 3976 wmic.exe
Token: SeSystemEnvironmentPrivilege 3976 wmic.exe
Token: SeRemoteShutdownPrivilege 3976 wmic.exe
Token: SeUndockPrivilege 3976 wmic.exe
Token: SeManageVolumePrivilege 3976 wmic.exe
Token: 33 3976 wmic.exe
Token: 34 3976 wmic.exe
Token: 35 3976 wmic.exe
Token: 36 3976 wmic.exe
Token: SeDebugPrivilege 1544 powershell.exe
Token: SeDebugPrivilege 5020 powershell.exe
Token: SeIncreaseQuotaPrivilege 5020 powershell.exe
Token: SeSecurityPrivilege 5020 powershell.exe
Token: SeTakeOwnershipPrivilege 5020 powershell.exe
Token: SeLoadDriverPrivilege 5020 powershell.exe
Token: SeSystemProfilePrivilege 5020 powershell.exe
Token: SeSystemtimePrivilege 5020 powershell.exe
Token: SeProfSingleProcessPrivilege 5020 powershell.exe
Token: SeIncBasePriorityPrivilege 5020 powershell.exe
Token: SeCreatePagefilePrivilege 5020 powershell.exe
Token: SeBackupPrivilege 5020 powershell.exe
Token: SeRestorePrivilege 5020 powershell.exe
Token: SeShutdownPrivilege 5020 powershell.exe
Token: SeDebugPrivilege 5020 powershell.exe
Token: SeSystemEnvironmentPrivilege 5020 powershell.exe
Token: SeRemoteShutdownPrivilege 5020 powershell.exe
Token: SeUndockPrivilege 5020 powershell.exe
Token: SeManageVolumePrivilege 5020 powershell.exe
Token: 33 5020 powershell.exe
Token: 34 5020 powershell.exe
Token: 35 5020 powershell.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target
PID 3744 wrote to memory of 3976 3744 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 88
PID 3744 wrote to memory of 3976 3744 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 88
PID 3744 wrote to memory of 1116 3744 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 94
PID 3744 wrote to memory of 1116 3744 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 94
PID 1116 wrote to memory of 1544 1116 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 97
PID 1116 wrote to memory of 1544 1116 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 97
PID 1116 wrote to memory of 5020 1116 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 99
PID 1116 wrote to memory of 5020 1116 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 99
PID 1116 wrote to memory of 3588 1116 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 104
PID 1116 wrote to memory of 3588 1116 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 104
PID 1116 wrote to memory of 3876 1116 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 106
PID 1116 wrote to memory of 3876 1116 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 106
PID 1116 wrote to memory of 2492 1116 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 108
PID 1116 wrote to memory of 2492 1116 2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe
"C:\Users\Admin\AppData\Local\Temp\2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3744
-
  C:\Windows\system32\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
-
  C:\Users\Admin\AppData\Local\Temp\2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe
  "C:\Users\Admin\AppData\Local\Temp\2025-02-16_9eb9c3fa9a8a4a673edf0e6b6057997c_ismagent_ryuk_sliver.exe" -fullinstall
  - Sets service image path in registry
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1116
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "Get-Module -ListAvailable -Name netsecurity"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Management Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Management Traffic (TCP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol TCP"
    - Suspicious behavior: EnumeratesProcesses
    PID:3588
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-1)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16990 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    - Suspicious behavior: EnumeratesProcesses
    PID:3876
-
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    /C "New-NetFirewallRule -Action Allow -Description \"Mesh Central Agent Peer-to-Peer Traffic\" -Direction Inbound -DisplayName \"Mesh Agent Peer-to-Peer Traffic (UDP-2)\" -DynamicTarget Any -EdgeTraversalPolicy Allow -Enabled True -InterfaceType Any -LocalPort 16991 -Profile \"Public, Private, Domain\" -Program \"C:\Program Files\Mesh Agent\MeshAgent.exe\" -Protocol UDP"
    - Suspicious behavior: EnumeratesProcesses
    PID:2492
-
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1639772215-809007892-4072230623-1000"
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:516
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkVBMkQ3QUUtRTc1NS00NTY4LThCQjUtREE5RjdDNTY2MEVEfSIgdXNlcmlkPSJ7MUJFNTU2QzMtMjlEMy00NDJCLUEwRjMtNTBERkFERkZBRUFGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NzhFOEUzODYtNTJDRS00RDZELUI1MzAtMjc4N0Y1RjY4MUQ5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI5IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTI3OTc5OTM0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4832
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution (1)
Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize
2.9MB
MD5
9eb9c3fa9a8a4a673edf0e6b6057997c
SHA1
6d3456442b8b8bd40b85a580b90011fb8aa4ca44
SHA256
39a7fd947f44b1916b412937848dceefb9ee06a514d8f35740cf15ddff3f71bf
SHA512
a4a41b0e8ee7feebb1221e984050ca8253f7747060f8cbf8038f683761340105e906fdda496f436ad1ca601aefb1f51db0d06901bbaf57cffba1300a5efee1df
-
Filesize
3KB
MD5
b5f63423f55e96fabcd1b186b27ce0c4
SHA1
581b488265a2f159836409853f4b97eb5941bd48
SHA256
451cd58d101dc6219943589eedc0789ff95f35be417f63555ebde5d354e7c11a
SHA512
f1e9873c6c88964035589f1dbfa28bff55315a66d471e69332f96c837855252187b719d5660baee2d5e3bb5d86b8c42e54826546b6e0d949010a6c7d2facadeb
-
Filesize
64B
MD5
1a11402783a8686e08f8fa987dd07bca
SHA1
580df3865059f4e2d8be10644590317336d146ce
SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0
SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510
-
Filesize
1KB
MD5
fc08d9efbf45b4045fdf2cfc507ddceb
SHA1
7a1095765f0b9ed6a04afeb084f4e78cc25aed5c
SHA256
b11437cfbe0773154d082440842d8754f31a0ff920b86a1c518cefbe9e0bc92e
SHA512
2f765d087a043d05720445383409bbab5f2a17f46c10257589a94a8dfa22e5888692879d25df2e78192e6a226ad3c44921689104a3e40f2a45ffe2cc0ba10571
-
Filesize
1KB
MD5
a32acacabcd084b8b00334db21c49074
SHA1
19d670e8e5df29b6cb87eb03d616a87a3fd97076
SHA256
a43aefe1c17a953158e452e8b0d5c5cd41aac43b3b56680d660c0d763e900738
SHA512
50de17248f0fac33c273e0bd7f17a9cefa0be44a4ee8f6e1480bd4e2bdbdcf7f307154ee23fd192cfe44f6bb0e89ac700dbfcbfb16855503e22e16770ceefed0
-
Filesize
1KB
MD5
5d64197b02216f6011517112a53196b9
SHA1
4a4ffa74d1d0598be73bd7e21c34ff69f36a3076
SHA256
14047d703f608d9dda4286dc932c7b18ea932eac8e4a0a099a99f311ec837786
SHA512
f80d4cd16691812c1a4fdb4edbbc5f5f604b892e2afd7a862211b7d8c557641aa3c886a4d8a7a0ce55359ae3d730d60748100b78b7e92053244edb1599516911
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\E9A5493B98BC5DDC708803B26C2513F0A031450E
Filesize
1KB
MD5
1f36ef778c09d83354774ce290d555d7
SHA1
ffee7bfc66e3992f3c4949ac78db322abb577b4b
SHA256
c7308e1d9dc6dd037d104028ef446c155aba4025af78b7b69024f2f13fc4a375
SHA512
100155ce7fc30c0c2b7db27007a2bec3e70fbb6aa6f4ebfba64284d062e0833708a4ffeab371aa4be259a44439dac8cad485d9447d4139dfc74c719f7837e181