meshagent | 36a98d2a6aa142cc7ce539ad022bd0022ef096933abf39a38270603f13ccf01c

Analysis

max time kernel
51s
max time network
56s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
19/03/2025, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

meshagent64-test (7).exe
Size

3.3MB
MD5

5c716fd89b27969847a91d7048ac9d31
SHA1

081586960b6b6093fa0473413b4c8584e081e0b9
SHA256

36a98d2a6aa142cc7ce539ad022bd0022ef096933abf39a38270603f13ccf01c
SHA512

76bcb99cddb92c1fd8966f3499eb514e3e3e34f4771791cc4497a3eebcac5ef4b6786084f272ad6a717e5f4bc53a9159985d2dec752dda8c147b63926edbe72d
SSDEEP

49152:ldZEy2B6vflQf6X8uZQoy3vR6QVQy5Z+bm4M/HMFvfGW0/7Z7Ib3jxw5bg:XHvfGfZvZj1/N/z/owJg

Score

10^/10

meshagent test backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Family

meshagent

Version

Botnet

test

http://81.199.130.130:443/agent.ashx

Attributes

mesh_id
0x47DDDC52FC2F31C47AD1DB7EB4B7C5D38C64AAD2FC943360B44270FE0EA5E8B1A96E47D75411E0868F92FE77C2BFBAD0
server_id
C3CEF30878AE341001284FF387E3BB7A7922403931F7265230ABB853B779EF5C3E73D0B368F566EC7B73BFB88E64D995
wss
wss://81.199.130.130:443/agent.ashx

Signatures

Detects MeshAgent payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002b1b7-2.dat	family_meshagent

MeshAgent
MeshAgent is an open source remote access trojan written in C++.
rat trojan backdoor meshagent
Meshagent family
meshagent

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "	meshagent64-test (7).exe

Executes dropped EXE 3 IoCs

pid	Process
4968	MeshAgent.exe
1544	MeshAgent.exe
1952	MeshAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\rpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\kernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\combase.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\2C79F00F385CF2931FE791494CA8DC655692995A	MeshAgent.exe
File opened for modification	C:\Windows\System32\gdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\user32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\win32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\gdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\812E610902DBD00B6415B0CCE81A79CE0F4EBF7A	MeshAgent.exe
File opened for modification	C:\Windows\System32\DLL\kernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\exe\MeshService64.pdb	MeshAgent.exe
File opened for modification	C:\Windows\System32\symbols\dll\rpcrt4.pdb	MeshAgent.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.exe	meshagent64-test (7).exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1896	powershell.exe
1048	powershell.exe
2812	powershell.exe
4136	powershell.exe
2608	powershell.exe
1440	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1048	powershell.exe
1048	powershell.exe
2812	powershell.exe
2812	powershell.exe
4136	powershell.exe
4136	powershell.exe
2608	powershell.exe
2608	powershell.exe
1440	powershell.exe
1440	powershell.exe
1896	powershell.exe
1896	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1952	MeshAgent.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 2760	4596	meshagent64-test (7).exe	85
PID 4596 wrote to memory of 2760	4596	meshagent64-test (7).exe	85
PID 4968 wrote to memory of 1048	4968	MeshAgent.exe	90
PID 4968 wrote to memory of 1048	4968	MeshAgent.exe	90
PID 4968 wrote to memory of 2812	4968	MeshAgent.exe	92
PID 4968 wrote to memory of 2812	4968	MeshAgent.exe	92
PID 1544 wrote to memory of 4136	1544	MeshAgent.exe	95
PID 1544 wrote to memory of 4136	1544	MeshAgent.exe	95
PID 1544 wrote to memory of 2608	1544	MeshAgent.exe	97
PID 1544 wrote to memory of 2608	1544	MeshAgent.exe	97
PID 1544 wrote to memory of 1440	1544	MeshAgent.exe	99
PID 1544 wrote to memory of 1440	1544	MeshAgent.exe	99
PID 1544 wrote to memory of 1896	1544	MeshAgent.exe	101
PID 1544 wrote to memory of 1896	1544	MeshAgent.exe	101
PID 1544 wrote to memory of 5540	1544	MeshAgent.exe	103
PID 1544 wrote to memory of 5540	1544	MeshAgent.exe	103
PID 5540 wrote to memory of 4024	5540	cmd.exe	105
PID 5540 wrote to memory of 4024	5540	cmd.exe	105
PID 1544 wrote to memory of 2228	1544	MeshAgent.exe	106
PID 1544 wrote to memory of 2228	1544	MeshAgent.exe	106
PID 2228 wrote to memory of 756	2228	cmd.exe	108
PID 2228 wrote to memory of 756	2228	cmd.exe	108
PID 1544 wrote to memory of 1952	1544	MeshAgent.exe	109
PID 1544 wrote to memory of 1952	1544	MeshAgent.exe	109

C:\Users\Admin\AppData\Local\Temp\meshagent64-test (7).exe
"C:\Users\Admin\AppData\Local\Temp\meshagent64-test (7).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\meshagent64-test (7).exe
  "C:\Users\Admin\AppData\Local\Temp\meshagent64-test (7).exe" -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  PID:2760

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Drops file in System32 directory
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812

C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get C: -Type recoverypassword
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5540
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get C: -Type recoverypassword
    3⤵
    PID:4024
- C:\Windows\system32\cmd.exe
  /c manage-bde -protectors -get F: -Type recoverypassword
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\system32\manage-bde.exe
    manage-bde -protectors -get F: -Type recoverypassword
    3⤵
    PID:756
- C:\Program Files\Mesh Agent\MeshAgent.exe
  -kvm1
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Mesh Agent\MeshAgent.db

Filesize
154KB

MD5
774751df736b57c32d09e74045799baa

SHA1
39ec6d3182a2ed1824a562a82337afd8144a412a

SHA256
6b8c9404053434e28bf138b58b6be18395ae031cd0539e05af2b7dcc832aff39

SHA512
69d34bb47b809df295412476a53548c9fcc0fa55159366031574510c278de02426839fc6d173e979fc06819afeac3adb03c13b6cd414857518ef4d96c25f0f8a

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.exe

Filesize
3.3MB

MD5
5c716fd89b27969847a91d7048ac9d31

SHA1
081586960b6b6093fa0473413b4c8584e081e0b9

SHA256
36a98d2a6aa142cc7ce539ad022bd0022ef096933abf39a38270603f13ccf01c

SHA512
76bcb99cddb92c1fd8966f3499eb514e3e3e34f4771791cc4497a3eebcac5ef4b6786084f272ad6a717e5f4bc53a9159985d2dec752dda8c147b63926edbe72d

Download Submit
C:\Program Files\Mesh Agent\MeshAgent.msh

Filesize
31KB

MD5
b1d100bc865aa06074622842e62b11ef

SHA1
0a3605262c81216339d9fcc2d39db2969b71ad28

SHA256
1a1bdc4db62cb9faeb5f5b935193770d2f6e13287b7e5d54746ae204ca80c0b4

SHA512
629530b26c90d08760673f9a3921e0f391ec364e774d7509f87e561dc29d228cd65dc0e62522e6767d03b20dbfaa97a3769ee9beec42f0aeb562f3ba0e3b6b8a

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_y0vxco5f.tbi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
2d83734c72d71baaccbb62283732230c

SHA1
044ec913a2f01ef4f742a8f4e6c72eb0b7a7e791

SHA256
eee2626e0fac98697432311487bf09b202f0c0464e79cefdfe26dcbacf267e73

SHA512
dc5763e18f50a62d68841bf9a8aafeba16284bf39baaac64b1ed11050869667124ca580fbe5435a6e0e8ffde81f77bac8d7c5a742fe5afcb598732cb49236d6c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
117d4db8fa6bcd11ebe4e1f8d06e789a

SHA1
f7b05020aa8356f6834def6f0a273835fac6cc3d

SHA256
c5952fd2b2cf0c7273fa32e94ce2ae0e76c8777787d61445cd32d22ea505c783

SHA512
95ec5bf23ce41bfeebdfbe2db6f027a75069d821734af3d84326d987ca8eb2bf4f4db2f77be32551244efa69f482b37e6f024dda5226ca250e10deb3909e81ac

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
e1e8dbf5b01e5f84a19b71d3df5c3c13

SHA1
14fe4d1237a004be9a83058157bf9e0c16cf039f

SHA256
1213df495a3a1e55fb5d4fe50f1edfb529e9c66b266c733eacc502f77940cfb9

SHA512
8ee65fbd15a68f667750ccf74274183b1696797c16f23f3a1d6eab72c4c025312f686fb2db157e47ede8a857317fa10f685847517d49a39004e6bc3706cdedd9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
3e3f823881d694d2a86e48feea55eb23

SHA1
e924f90e680d64c42124d1457d400028384fca95

SHA256
077d36e58ca6d26dc750615bf2d9912fffcc75ef6db8f120e7cffc5bdd85aeea

SHA512
607933f547c8b633ffa642b556b88009cb27b87a53021d758144290d623ae6a7b51cd150925b38d920611edd6fec365d5995c7da6296871125e97d809f2ba0fd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
fad3e11bf3dd3a57af3b6c957baab1b3

SHA1
c9a46bd3a5658fe8e5f02afda0ca4ebe7e5b30a9

SHA256
81ff2a47dfd8a589a4bac2d2dc620e18e4ffeffacb67275873fb997ea27b0f24

SHA512
95cef4a2e72ad55ad374808d63baea4d1370b53d9ffab9cdc105053d0a9b902e9e50cb8038a660477b0ad10843050298559ffc58bb274f7095f2322956147490

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
1KB

MD5
fcd279fd2c8ec96d78d05fe279dbacf9

SHA1
4f08f3cec06aa30bc1981fb9f429c4f81b5504ae

SHA256
97a61c703c8a648c3f9a30460b6ed0247680dab189bc310bf9dfa52060541308

SHA512
8870547fa9e9bb5f69e350a9e0d02f5fa8d35e29a5d2870f38e7168faf09304952be5dae89315572cd31e642ebc9417fa14a0a860817cd41ef74348928832acf

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\116FA8D234DA8A44088C9E74EB9F0BC16F3D6EA3

Filesize
1KB

MD5
69283770463026806a46a836ac8bf78f

SHA1
3197c560b625365fbb621598f932416b7906d39a

SHA256
04cd999087911cba42eaa8eef65a2d4c112e82403f5c09a1f9b94458be0f5e5b

SHA512
94ead1f5c6c4fd2aa496d076e0526cd76f330db933d1ea729eade68ff30cdd980d84691790fd8bdf3aaa275bce8fad456cc702958b490a1860b6ec131ec2c1a1

Download Submit
memory/1048-27-0x000002ABC0100000-0x000002ABC0146000-memory.dmp

Filesize
280KB

Download
memory/1048-26-0x000002ABBFD30000-0x000002ABBFD52000-memory.dmp

Filesize
136KB

Download
memory/1896-102-0x0000019143DF0000-0x0000019143EA3000-memory.dmp

Filesize
716KB

Download
memory/1896-101-0x0000019143820000-0x000001914383C000-memory.dmp

Filesize
112KB

Download
memory/1896-103-0x0000019143810000-0x000001914381A000-memory.dmp

Filesize
40KB

Download
memory/1896-104-0x0000019143ED0000-0x0000019143EEC000-memory.dmp

Filesize
112KB

Download
memory/1896-105-0x0000019143EB0000-0x0000019143EBA000-memory.dmp

Filesize
40KB

Download
memory/1896-106-0x0000019143F10000-0x0000019143F2A000-memory.dmp

Filesize
104KB

Download
memory/1896-107-0x0000019143EC0000-0x0000019143EC8000-memory.dmp

Filesize
32KB

Download
memory/1896-108-0x0000019143EF0000-0x0000019143EF6000-memory.dmp

Filesize
24KB

Download
memory/1896-109-0x0000019143F00000-0x0000019143F0A000-memory.dmp

Filesize
40KB

Download