meshagent | 1f8d1578e21fc517274e3a560c57a765b622ea907d0a3ba926b28be4e8ee4abd

Analysis

max time kernel
718s
max time network
716s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
19/03/2025, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meshcmd.exe
Size

4.1MB
MD5

b8d633d731051f9095ba02cde40271c9
SHA1

100f773094541684597d90d2c393febb963b1cde
SHA256

1f8d1578e21fc517274e3a560c57a765b622ea907d0a3ba926b28be4e8ee4abd
SHA512

4f39f2ac9f813bb50d70d788b5f82959e16a1e2d98b5a2559ea5b40b4be724b686d13a3f74cf0c2f1a6bae216861d2a89d776bb65cc62a72e70b37dbc66ed74e
SSDEEP

49152:6dZEy2B6vflQf6X8uZQoy3vR6QVQy5Z+bm4M/HMFvfGW0/wZ7IbOjxw57OSghLOT:CHvfGfZvZj1/N/z/AwpD5

Score

10^/10

meshagent testforme backdoor defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

testforme

Attributes

mesh_id
0x74027A312B0AB84E62227EC7C3E867458E9AD873985FAC23F0F8E783CD81F70E77DFC0CB7FFBA5E22349C40190A873E9
server_id
6BCD039A3454760E09EE7BFA6EB2A0F65A5F903D90EBA25FEA531F167630DF6B89F39F9E1CEF9D75CAD4B57AC61E0644
wss
localhost

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000002ac7a-1198.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent64-testforme.exe

Executes dropped EXE 5 IoCs

pid	Process
1312	meshagent64-testforme.exe
4144	meshagent64-testforme.exe
1032	MeshAgent.exe
1364	meshagent64-testforme.exe
5928	meshagent64-testforme.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FD4A6603C6E2EB6FB0490E7AEC021644162779BB	MeshAgent.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\E4065A44ABF1EB9AE6392932FA70AEBCB2EDB6C0	MeshAgent.exe
File opened for modification	C:\Windows\System32\ntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\dbgcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CDC2A6CE2A618C9B4B3FC097BFA87A52438877EC	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FD4A6603C6E2EB6FB0490E7AEC021644162779BB	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\comctl32.pdb	MeshAgent.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent64-testforme.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\meshagent64-testforme.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Internet Explorer\GPU	TextInputHost.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133868945617374376"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	meshagent64-testforme.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\MuiCache	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\localhost\NumberOfSubdomains = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost\NumberOfSubdomains = "1"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CTLs	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost\NumberOfSubdomains = "0"	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CRLs	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	TextInputHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{26C7B05A-85D1-4E6F-A0EC-E6105BD8469B}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost\ = "0"	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\Certificates	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\localhost	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\localhost\ = "0"	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Modifies system certificate store 2 TTPs 5 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E	meshagent64-testforme.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	meshagent64-testforme.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254832000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	meshagent64-testforme.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 0400000001000000100000001bfe69d191b71933a372a80fe155e5b50f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd979625483090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e190000000100000010000000ea6089055218053dd01e37e1d806eedf2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	meshagent64-testforme.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000190000000100000010000000ea6089055218053dd01e37e1d806eedf0300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e0b00000001000000100000005300650063007400690067006f0000001d0000000100000010000000885010358d29a38f059b028559c95f901400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd253000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000003000000066b764a96581128168cf208e374dda479d54e311f32457f4aee0dbd2a6c8d171d531289e1cd22bfdbbd4cfd9796254830400000001000000100000001bfe69d191b71933a372a80fe155e5b52000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd	meshagent64-testforme.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\meshagent64-testforme.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5780	TextInputHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4816	chrome.exe
4816	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe
Token: SeShutdownPrivilege	4624	chrome.exe
Token: SeCreatePagefilePrivilege	4624	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe
4624	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5780	TextInputHost.exe
5780	TextInputHost.exe
5780	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 4556	4624	chrome.exe	83
PID 4624 wrote to memory of 4556	4624	chrome.exe	83
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 6140	4624	chrome.exe	84
PID 4624 wrote to memory of 3296	4624	chrome.exe	85
PID 4624 wrote to memory of 3296	4624	chrome.exe	85
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86
PID 4624 wrote to memory of 5264	4624	chrome.exe	86

C:\Users\Admin\AppData\Local\Temp\meshcmd.exe
"C:\Users\Admin\AppData\Local\Temp\meshcmd.exe"
1⤵
PID:5204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffa1479dcf8,0x7ffa1479dd04,0x7ffa1479dd10
  2⤵
  PID:4556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1888,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1368,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2244 /prefetch:11
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2308,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2368 /prefetch:13
  2⤵
  PID:5264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4152,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4196 /prefetch:9
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4664,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4776,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4784 /prefetch:14
  2⤵
  PID:6044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3704,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4812 /prefetch:14
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5184,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5260 /prefetch:14
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5512,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5524 /prefetch:14
  2⤵
  PID:104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5708,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5784 /prefetch:14
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5808,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5848 /prefetch:14
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5840,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5880 /prefetch:14
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4324,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4260 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3176,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4564 /prefetch:14
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=2524,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5900,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3604,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3556 /prefetch:12
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3316,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3600 /prefetch:14
  2⤵
  - Modifies registry class
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3608,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5904,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4628 /prefetch:14
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4728,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5340,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4944 /prefetch:14
  2⤵
  PID:5844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=1468,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=4248,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6064,i,11696292547232054689,14435843240492124969,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3404 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1896
- C:\Users\Admin\Downloads\meshagent64-testforme.exe
  "C:\Users\Admin\Downloads\meshagent64-testforme.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:1312
- - C:\Users\Admin\Downloads\meshagent64-testforme.exe
    "C:\Users\Admin\Downloads\meshagent64-testforme.exe" -fullinstall
    3⤵
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4144
- C:\Users\Admin\Downloads\meshagent64-testforme.exe
  "C:\Users\Admin\Downloads\meshagent64-testforme.exe"
  2⤵
  - Executes dropped EXE
  PID:1364
- - C:\Users\Admin\Downloads\meshagent64-testforme.exe
    "C:\Users\Admin\Downloads\meshagent64-testforme.exe" connect --disableUpdate=1 --hideConsole=1 --exitPID=1364
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:5928

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3708

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4072

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2552

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:6092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:4960

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5780

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E8
1⤵
PID:1904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:3096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:988

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:220

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
69c4d2aa057cdff9b8df6c0a2d8a8703

SHA1
e1d7107e671dfa9e782e6000473fbd39e9363748

SHA256
6a7b34b36b2135d819d2fe3f6162ae030ea472c4fc76433b961b89b4973f7d9f

SHA512
807af5a99394425bef7f484f5ea5bf4b2a172b65665bbfcc9a1d0a32cd60418ca0a9b3da853a8077a02c587122fec5ebd1e18f738fa30d565b6236f8f3cdea1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
63KB

MD5
55df25a7686879a4d246310fd4737a79

SHA1
5933c3ddf1ab92b253d2aaed09b8b04720011ced

SHA256
7fbcff1a8543b5c2e3593434e7762f03fd3fd00fdfdafae0cb8e94720439a15f

SHA512
a912d34b6d24b18e8541053f4158523ff5ddfca2fb8d24dd8a735707dd7355dbbef3dca976f42082d338d8a51b7bb1c2aabe9a6e1f6f5384ca226f8b6c856a68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
25KB

MD5
3663069479015650d0846a3cdd49888e

SHA1
a6215df3e60a8c546d077a1fe32bddfd59095285

SHA256
622e986737ab05dc235708168dd91e349c3daf7156c3ea6c3113707c624d65b7

SHA512
bb82c91bb0270b058421f22b62a3dd622850b25955a3245c95ac5d721b8bd93cf6ab971f5078db1a1b1d1a7378c8a575bbfefca497e15e1d973680ffe0b595e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
129KB

MD5
5da3e69440ec8f619999bec715408aea

SHA1
5ed68b6e69822fe26d3addd236290c864e8789cd

SHA256
b1b1daabda519f039f2fcce2c4ca9a23f664c6b8b825beb631752a1c3118ce6a

SHA512
7d6ad9c04051e0a83e14c5fe854b731eb52a4ae85c191f30bf002ba6555dccb1ac52a1ec7fdb5582eccc9813d65cf7b68e12479f7da7bbc72ea1d315dbc80995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
194KB

MD5
2ee56e13cfe827189b81117217aaa04c

SHA1
9337c287e56bf1c7b2c38c397ed24fa07e729de3

SHA256
242802e3ba36c8fe4eb4d39a01ce0f7aacf21653cb0e1bb544d63a416a142bea

SHA512
406253803bc114913b060a3f452e123eb3d9c1ecb020a8ae5074aeee80b83c3f738c0e6d17765807fb19947e631f7ac06278c9afacfeda484f02aca4d8c464c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
61d0269de076332f51853722ffabd188

SHA1
f95449fb8cf7e76778c4f94809df7727a91bc943

SHA256
f54e72d9c7196960934c5badb5ed9f6702f81d6628aaa9b0b8e0893144527e1e

SHA512
fe7bed3a1992715e37248591a943fd45ab88b617b678414724cd0aaadc2a692a7e5ac4d1e0ac187a676ce6181b69399820b4d4f1f4faf6184f96e27b561e455c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5e22e5e51ee8f55eb25170d890a1d044

SHA1
b297d4d963ce03022c68278350c8897be0492436

SHA256
a91c8828f01f75b41d7bc4fbed2e4a52705b3042d784a82d257bc8b61d9a7b30

SHA512
def2ed375ba4c0d43001134148dc25045a87f84cced16868c0e53bb13a9808137c95f5f52cadbd070cbe7ca18aede2cf27f7e08e26b1876a0b99a2a047aafd63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
e582de1945837cff9107c8a11e5535dd

SHA1
732c4b060e2b29ab200c7ec86b3e87ff2d034051

SHA256
bb79c994787c5a05e1629191c48c4a2927cdf8014e6b629bd91dd9727c445753

SHA512
094f430356501fcfc49d5b11f551ca52ba4edc9605d6e8cf1382dc2c2c6002edf4d272f3fa8b5940388fffb1f3d97c09113b8829b319fb6989066ad9b143b070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d3ff3c760fa0c00b48e403cb9d49a64c

SHA1
435a676770761c17e65b4d1db062f99c2959cccf

SHA256
10d010584c78cd7078ae79ec6c1ec00ea8b96648d33861369d272dd9590dc9a1

SHA512
90a2b6d0bfdcda237ece31129797aae31e5600a951daedbe7072a467b80f9262d547bf5c86e55766f869b61919a2f4985bfaf72dd3570f6d6dea531f68a95b22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
ebd8818268bf37a24bd33715b814539f

SHA1
9a2b389a536212b5e6fba740a1512242d3c4184f

SHA256
86775e884f6d942cff1d47cb7a671acb4d4ef1aebcfd0a59d321ae24bf41cbb8

SHA512
1980b059729c03ead92ad1ca75c3b04ce992b1b46915ebd9d3c27ffa0c5588ee83b46fe6fc165b1aff370009090cf751c24ee730795e28f44ffdcf92b4045875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
06dea3af406053a37b68b290654afbbe

SHA1
a49a69187fa248e82cecdeb6f117d82722e2ce22

SHA256
50050c1f6d9c50ccdfa8b5a695856b57000e8e97b3af473dc59e780a4cf42d9e

SHA512
3e169aff0e95209f1a5bf476e674441b9c7f3925e5725b53ab5d5240326725457ba7fd57f3fe8ca4ecfdcbd35de8296b68b8f18dff097ae184ce656888578e59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
3a3aebb3cef4952e0338dde66e3bf766

SHA1
6ebaf0a83c26df7d565046e9733e990c9f347182

SHA256
dc44b5c407fa659a04fee8110cafe3f0313d3f99794660320d713af2eb4755d2

SHA512
7bf69d7fa17a13722b405433ff46026d59f0bee88f62c0b9e4e14db17d8e71f43267f190163f7b78891c8c3ac5f5c9a28d946c8803f1918b2df6834a9f49fb22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
d8373fd01e321dda90e7733df06e905c

SHA1
1ddbd42d47f6d1f5d4249f964ec5c3a3a38624cd

SHA256
8388f4aaaa260e031ca114dbf7821b25295a0de4dba4a502c132ccc15912273c

SHA512
0f1e22b2d89cb1783ac5bf07dd7f00d49198e478dfd937f78d440567a0463e6ef272373250cdeaa8b63c7ee4115c8cb6a4f13ca679abc30a949f8ec0d62650c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
007f77e19779ff76abc6238aaaed2b50

SHA1
d1506080c1722494baaec5ce059eac01ed28d826

SHA256
9e514c339819d5fc2353e7a9efa2fd5e417c9715728ebb0698f8452e3ac743bb

SHA512
08236a51fc767b780ad10f94ad5f62e41ab0b6ff60348157028841488491d15ba43603fdc68bf60cc503f2e7b0da84e44807d98c4a0d4fd0046e31c6315b8371

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6574817be5bf5e3c1b0384d7f3d048d8

SHA1
2a4a187a29c2e1b4fe5bcd057659046f360d0e1c

SHA256
3ab36af9bfbe7bde0b3b96751dafb58df02cf74e528a89d318a03f340cf38780

SHA512
4794017827bb3d99eea265aec2f20a2383fe05cfad532295aa05fe5d05ae0e8ec45320f891eaf2f66b2cff0817ebc50889ab50c7cc2aa57bbbec4c886d394c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
51634996d817aecc76462e6cc76e4320

SHA1
f4f452ba4bba83dfa3ad447acca3d1969d8d7fc3

SHA256
ed236d6412667163f5af0ccb2fb343fcabd344d0230a317af74f02fa25243bbd

SHA512
ee5c278d01445cdbb91ba29d884738cda7928cc788e661ca017d0cffc255e3a46449dcc3803dd0f6a1808d9cf2ffe93bc95f75224a93bac73939226e6aa1f11f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9132a51a7c38045e911dbf07ffed0a70

SHA1
b19cc35d6ed90f8e4570f53681479cd3a888a6ab

SHA256
f924ea91acc2ce44e86bcc68ed5e540267181747ca7c29ba2a7f9c194f898aa0

SHA512
db6977eb12841b0c4dacbc698a51db7cc7602aa22eabd537e8195b52761b37e8282c269b6cb30233549f92a56efd12e057772769a238ffe49208194d21176430

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
d9e4c5a31230eeed04d2db6a45c39eca

SHA1
06789b6e3069768dab1772d39ea207357919c315

SHA256
fb7a223dcd683866735e491d66f1745132da6d687120f0e3f43edb5894be6c8c

SHA512
7671c475a27f08f7ef02604df335379a5965f1298f13e6ed815b5f978dd7c07891262d43eee774b488de75169df04f0aff8a97419ff25f27ec2e1f04553e0139

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
17b197036b3368893b1dcc77abb22a89

SHA1
b0aef36c77e92f7345e7d8bb6ccbc1a34cf7d25a

SHA256
2495dd30b04035f44d749427f609987da2d52e9412b4ec78410a1d56dd672266

SHA512
cd932d6abb61d1299fe02bc29266041601768ab47a190931642f183a941552bb64ffb059575d45c506567ea1d3d6214087087e1a3f86e3692560c78e0a716bde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
dee7adc08b289d094d321fa916ebbc4f

SHA1
b175c4ee431ee4bda35eab85f086cb2c2f9ca210

SHA256
20acd5c795dadca5d6e769a22c9e61f23258984c4cb7dc403d2f99ce76ef56d2

SHA512
5b12cdc949454362c99fa1e73ab22bc8347c259ff798321beaece406dca00bd775c357ec9a08a87316267e142e9871605c2d91abbd6e9cdbd4f06a5ae19ffe2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0c035fe288554f0e724c449ac8ef4e4b

SHA1
5faa54bba973b81638a832c0f424e609bea0fcee

SHA256
d0f8737580e6c0511101ea6e4a446243ed7f3891439caa343efd4637f5d8b84a

SHA512
7d48d228f02942936ed96485f4c5d34b126ccfb65b13eb31d54784e94b90ea4e4c1c5247bcb142bd0dcd5d514bbb23a7517130fdd4abdc0563c14b8f47c740ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c139f500ecb510123e6adc73d31e121e

SHA1
8023d98427585542a7f8c08735301eacf6c7e6a1

SHA256
fa3b423df9a1a0165df254acc093a90b094d7092542a80620ff88570ebda41c8

SHA512
1aed0c9849017bee59cc99acdbb2d7fea11e080b354f0f7ea2c06f868fd52915c46218bf6a5ceb4a8f26916fc4774c155e4402c53091669379753eda6ef5ff76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
64759d47771a5be5f6256a44ae5cfdf5

SHA1
c2e69c31bc4fe1a430a5c801d4cde93195200c06

SHA256
fd4463ddb2678a0111c424cb2acd22734f77f931bb6cdff164859a629056bfef

SHA512
2564882a8ddc7023ff83a749095749fb6735f11e23ef789f4fae3cd2a6fde1b38e5cf6fb759367716e0fe56f14b62cb1605c29cfe77e3c8e6eec1fe6773ed13a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
18645c20d7af9e1a7a4035627bd10e6d

SHA1
57a1b1a2071a091274bc7490b8994c6cc180fcf1

SHA256
93d78d3d22c0fbdc02fc484c8a949fad40b83f0e59ccd4f5f40f424335d8d101

SHA512
b19f458212ddc7ec6ac3c6ff9478a9ee5fa748fafc0bde2591914ef95d35a337a55b20648ba9fcf16dd1e7e3fa343d00479bfd41a35e258234023dda24479e75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4ccd057500a856643a3f59480a3d9292

SHA1
04d982ee91192f8adefe8dbf76f4623da37c0bd3

SHA256
edffb0d7c9ce2c0c7ec472f862ed700bbf7b237457906cc8e2b0b33c7bb53723

SHA512
9073da3d6a3f2834f5ad15ebd13873e231e5a59d893049e1474a31d70104a0165468acd92437a3ae8a1fbc995145f596fffa0c738a363e2184dbfd95e77118a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ee52e23832ad9e7f7554cb4d1a73c51b

SHA1
69b70a7e81b36cc7dcbdd8d54d97c0465a33b10f

SHA256
bb9afefca3469ff4dcb570b551a46be11afdca76b70a99f5c60b762af7a0fb1d

SHA512
756e584e3f2e1cab75d5f2313578d505437b1a041b5dbb9e542603adbe220b7954ac5c77c1c035e64682d8332b154f53d460f31804182e1a79e91ed2c416787a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e741bfbce932de6e820348fc998e7309

SHA1
54d2dff964ed70e88ef1685282844a88cdcb81cc

SHA256
1972abde94d73a00618bd9761cf207d2373549e543c6dde20955824a85ef7203

SHA512
25073376025dcd3f03c1a832f2277274f21be250be111427c32413f374b47f6e8618e2790050bb7b088179a75981181e28767b732cea729bb0e035f7e5f218fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
84ce142ffacfbd2f0d81bbbe7c470e14

SHA1
c753336a0b90ce5d10acb1ef5ce45cd8a07f5f80

SHA256
2d041947eaa896cf96a0b903949e9d7bf8a13435e35329692de84188f2f23090

SHA512
f1a020c1cd24b38b790319d1b8e0b98e8444fbd245022b3d3d9697f0bbeace58fb5a0b805c523c696524eb44b8995b17008e3c2a8317122406d93cf9480bea59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a09cf10d28dc86bcd3a1035e134e63d1

SHA1
b8259aa150d6cf2e4a53ec99602e13f81d052159

SHA256
24c97e16350ca2a2d5c6b5557423ec944f071ec63fe6e9fe2da199c89413159f

SHA512
5d0a3621848a40c770b86b8137abb1748636573a9af78f7cf3fde746ff72229322b173c120179462cad26465cae5a6fcbeac71f51eec2f84fbdab09a0e33dff8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ffbd342634ffbdeeb19910539cfb5b41

SHA1
260a56d2f7bddac805b1c92612696648999d6e20

SHA256
42fd9ae60ef3c0b8fc4cc7554616283eb3653a32243e506947d3581fef13daa7

SHA512
a0bb133e6375b24cb7064d97d4a8a722f9e4ae55c54c8b0d8d3ac80dd4cd7dfe51a74ad12be51dd02bf2e31abce283ec449b35d7ecbba9245711fdf95afd2d9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
312fb91124deee50ceb4cecc1a26eaec

SHA1
3ad4c76b4830dd830fa18be237a9e9e51ef7fb17

SHA256
1eefd671773ed37b5f02fe2f6c73d4e87bd9d4b8aa8e0e029b03f8416f070dd3

SHA512
72a3a72667abc8a390401466fe743011228940763c350e49265162f09c5fe90f462117cbc6a0191858009a09998654499947ffef66f81d7f7cedd0f151171247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b0c99ee1337ac620f22524073224ddb4

SHA1
d9de919cf5604933ed8a6ca1bbfb74ccdec83e2e

SHA256
90f49f61813fd6c954b9ecd865e59d3b9134891caf08f348b138fd1440fdd81b

SHA512
d5c1bac8feeb58d6a2edfe03928ae1a3157f3dc6fda0f935236b21f9287ed94b01d226b1a16062b8082ad86b6147ae76c0ff5bb3b62d0cc1108e23e8d668a744

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
bd2cfad7697afb2cd4df372c1027b7cc

SHA1
746df05af2591aa492c59ef6ac04b1ff93317f57

SHA256
a9461a6d545e5ec5e3aeaabca3c186000acd24cdfb8da40f7ac5dfcd9ecf650f

SHA512
89d5b4df4f685a8ff66a7f12af9b98cce7ce8d082fd9520d36a6c2096a63effe4172961d255148829637d189343136fa3a90630a7eec27dbc35b8057cb5b7519

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
90bc288ab3ad6cc9c594a9aca4f7aa22

SHA1
e66b36c23a387c58bc27364d8f9ef9bce700b475

SHA256
216ce2f881339be71c2d6c9cc82ac8c51d347aceb991370ce8a5a4340f18013f

SHA512
ed64a6aa9267bd5e9ebf07c9cec1b05650fa9ec003efc235eb98a91df19fdd57de450c6da34df02481b5f3b9e0599a9c991f427faf34453036c6e081a1799d19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5220141a4887affd5cd55fc81b3edc3d

SHA1
36440a4b436c82d89432a40f235ddd75960e4bf4

SHA256
61328c0643365966399b3029b2fdb46ec34a7b1603ab5dfc6a9965dc516f1506

SHA512
412f9acbb896ee81244cfaca13100e8d71b794f2f2a5293a1ec877949bad89a1eb158e1f856ca245a94f88d9bd82ce4bcc26a8a72c3ddc8d4cd69af590ab3bd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
e8c7be34e59f9eed8ac8ece48c6ccd47

SHA1
90d9e3151bbc623f05dc9f3199bbf31d03713b7d

SHA256
57c179fa59c148b01398913c76bef9e7693e1f25d054a7745e07c6faf237160d

SHA512
87426351a51e73937037ff3e8b04d475745f708ea9f2948e239bd5cadd505b2e4c3ed5226a39c3609d0cd6b36d9d18e3d59ba3a80636cf81a91b7841532a313f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8fc4c59564f4ed5c6bfc9ecab7b98f15

SHA1
207e421e509e5e6e2f417d9028f8547c098511c5

SHA256
c32dcc11a03773a47ee506a4e3235ae9612c377d151705dc7aea4a37a8e4dab1

SHA512
fefe9093485b03933be99dc2ecd20389d75f7613bdc2749669b6296ced0a677681b110a5223c80d0fe7d5b027d5d32300efd4f4bc9460863cf49642a87a4dbbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
17a457055acc070cc729bfcde6ed1769

SHA1
bee83877769c1eaebb638a983d45a2e1810e3866

SHA256
b05d613f6c87b36e08bca824c05fa7ec192499c1882c10892af115977de9d5bc

SHA512
c5d666b11401235644590303acff60b72cb9e7f9fea2424dc19546578f99f0ecd97ae1a11ab762645e12120441975a68338e3928126073c82527bf980f6d1c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f0b4f9e355ff4bc12b2b99f431e51916

SHA1
e3a786a5a26f9972e3ade35d56a878d344e10e61

SHA256
3310af5c2f121ff01ffd8496c4a833cc0f9a92f0a751e746e3523738be412722

SHA512
32a2d8c405ba0f8635306db44b84c7342da973af520257f9a1850ffc2d31b8a232162cd595295e91cab4ca5fdd372c999c5c007a9915865d60b6e80e4fcb5861

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4c8f1a8f511edee944410cd7c8c1eb6d

SHA1
f567d19949b168ea7cd371b6ad8b334d8431f5f1

SHA256
258587dfa00bd36f80b94bdbe954ed4693f3a8a9328bd3798724617f02f75231

SHA512
34beed077b4ef3be1b6ccd71d4b55537c452a75bebd48832b0876607ab78f2447ad05961a1061f2bebb6047d869e937e1910b4e8c2f4b9642695781f71c17a8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e5d2a43631472d85e3bafd5a908e6e14

SHA1
23f3980848b0710575da2323e72bc55d273b01f2

SHA256
6d0a4991d1c56cd6f99dd50713e3464d36439d107987b4a84d930999719e2582

SHA512
328d3f7a683569c4f3900fd0268852f8605bebc9b72acba18c663e76252f3f2db12cac6952e66942e00a87efba6e5517be3ed6e2fbcd33029562fdacdcbce1a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581d09.TMP

Filesize
48B

MD5
467318f540aace081163896563f00b88

SHA1
a6cf99c6a67624de1dacb77252b9ebfe20155f1d

SHA256
7883258df71a76fdf864e8519000d794133bff7311355737c1a38e71efe49b4f

SHA512
d16f61a53426b232f6df9eb4f4c8b5f69612f60567ccbafd1dc7070d1e1718ee917a9eff70f74b6504ab23f7fb8b9ef835104dec1171e059dce457f1bebbdfd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
d939f048ad7b56da2b14644f668dbe68

SHA1
5b7a323583f8ce580b41c7774f125403889753c5

SHA256
15e1b5614b7e53c63a1877f992bb9f0ed44f3f535c0f10692d1db29d0728f44b

SHA512
31cbff47b9106926404a8cd0325354aff626d6c953b67834ef8cb611b14a82d5839be3a8f4442cacbd3a3eb4e97abc8d7538fc372ed9bcd8daa5d56920abd5fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
6b0694be4de042eb162173509cc25581

SHA1
a957ef6d338f4bf83e31c1ad3b8e3e9e7b8672b7

SHA256
8ba1c80953b40256b17eaaf271915a8ab56fe2f7bdd1b34ff783e50b1246ab5b

SHA512
8e5a2ba2803a3eabc942290671ffee2a8d8cae9ae5aebc0cf5cc987a085fd17a08eadf00367fbafd8f6bc09f242add1142e7a37b853f947fe09eb31f434a2995

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
23160182b788a84f275cfb4234993bc5

SHA1
e5ebac0f4c82e8d550194ff1003611655a12445a

SHA256
47f9fadaa241b0b0ea9d08db1d206a24f4b9557b5b76c77b8b537a6b47532902

SHA512
024a74ff7c153b31530c69c74c58037e48b0c7688ba2d429301852e1986bac8a0fdd280ec8472fa0efe8986e69be8710c25126cb056a306288b2ff89eaa6830f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
0eceff4a11bbc5eec8ad0fffc5c9c2de

SHA1
1c5de2fe351b74e17a64a5abffe086dc6780d39f

SHA256
c0c2cf1e528a41a685ecb2b3c55091667e9405c3754f76f02284f3508eee17d3

SHA512
81cdb9fe846d0a84cdc5f669ad820bebbec79bf18fc943cd2c587a285a397a2b3c20ced38b349b157545b9d1a15809336017a017018344330e28a07f93e224c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
156KB

MD5
de27400cbc4523be724b9796035f3905

SHA1
61fdc3c575bd93cb52b25a1abdeabde7ff3b176f

SHA256
868b3d6042dd3aea3366e02ee314e7174a3237cb1a03b1c7b44612d0f65c4b99

SHA512
d4df40126164cc01c3b88c25e269ee354cb26bb88b80de84d1a1792ebda6cd248aee576875e1221d6da6f047cc2138b871dad59ede8b45cc27e5b9f2fe19e32a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\4da2aecc-773e-461e-9b15-e19446a956c1.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.41x5ip65lkqse6jkldh7gjfye.tmp

Filesize
2KB

MD5
530f1945913c81b38450c5a468428ee6

SHA1
0c6d47f5376342002ffdbc9a26ebec22c48dca37

SHA256
4112d529734d33abda74478c199f6ddc5098767e69214a00d80f23d2ea7291ff

SHA512
3906427ffb8f2dfea76ba9bb8cac6bd7dece3ebee7e94ea92da5bbdb55d8859c41260a2bda4e84fab7e1fb857ad12a2e286694ea64d00d0aa6cab200fbbf64f0

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.8ibkvr4zk4jg5wbb0e1ng12df.tmp

Filesize
9KB

MD5
24ebdb1228a1818eee374bc8794869b7

SHA1
79fc3adb42a5d7ee12ff6729ef5f7a81e563cd2d

SHA256
92a7d7d3b0bfac458ddcef07afcdad3646653ba7f4ad048fdd7a5ec673235923

SHA512
63764d99a0118fac409327d5bf70f2aa9b31caf5277c4bc1e595016a50c524cd6c3d67924321b0fcad12cd968de1a62bd292151e35fd907034efd0f40b743d6a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.vj2prbur103i4asrf11rc2mic.tmp

Filesize
1KB

MD5
4085b7b25606706f1a1ad9a88211a9b7

SHA1
31019f39a5e0bf2b1aa9fe5dda31856b30e963cc

SHA256
b64efcb638291c1e1c132ed5636afbb198031cee44384f3ecf67d82b73accecc

SHA512
9537559523839e3e708feabe8c04f40236add7d200ec36bad00c10a69337a15001103c17093dcc0d8cadb4713d911f39a6411624c1db4cbf1ea1af272a716168

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\F6ED2A97E649D95077ABF98F588C3C1572552566

Filesize
1KB

MD5
7baf224250757171a45ae6205842b993

SHA1
b28046bde81a419485bcf65a3da261bf060041a6

SHA256
33c1c3c9361a884a412c7b2a15189b17aea708b52c9aa098039b89fe2668429e

SHA512
36202e1e9f6616de57f9fb39add416280c5f9714ee1d9f2fa1b422ba5c6893695df500870a0209855e8851e40556fb1acc2820b8adac7aba65f94622221c22a1

Download Submit
C:\Users\Admin\Downloads\meshagent64-testforme.exe

Filesize
3.3MB

MD5
5f061173fe5d9ddfd479a2d51b0f9a6d

SHA1
62d5c663ae810c6a5440486ff2eaeb4f71bc53d1

SHA256
92d76ea72244c634ec82220fd7cbcad699b83ec6ffbafd0f063900388fff3a36

SHA512
48b580e60669a7bba20ace3a4c4cd374e369789d64aad36d2bb58ef4ca8e503071c7b3041f1ffb6763e9351c50465603552223a877811e5037203bdd7ae526c9

Download Submit
C:\Users\Admin\Downloads\meshagent64-testforme.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\CDC2A6CE2A618C9B4B3FC097BFA87A52438877EC

Filesize
1KB

MD5
cdb5cd9f48c6a4501ed212a4789bdd22

SHA1
ffbf523e22b48c92888fb88eeb637d3c8adec792

SHA256
9eb9266b3aba83c217c20b491a4a5f912ad2efe3df689cba1433876c0f206edc

SHA512
51b45c72708b684bcc01325215e4ec96cd3672be7ced6058205491be439497181e3624c5f690f913c22a7c741073185aee07c9f1952b826970b226a666a42c7b

Download Submit