Analysis
-
max time kernel
129s -
max time network
139s -
platform
windows11-21h2_x64 -
resource
win11-20250313-en -
resource tags
arch:x64, arch:x86, image:win11-20250313-en, locale:en-us, os:windows11-21h2-x64, system
submitted
20/03/2025, 08:15
General
-
Target
meshagent64-test (8).exe
-
Size
3.3MB
-
MD5
0375b9bc8048fff72a08872c0992ca2c
-
SHA1
0b8bf91a63cb2a814c14ff87f86957b7993c1ea8
-
SHA256
9902d605b851b3bb44d6d0fa6f1b9d46839a2e05836a661f7747d4ca27a6e000
-
SHA512
84f1443088d74f0983179fb6602644fd75ca8e62dbf29727b07a8d85d4ddbf939a43cd059728273d870237fc954c445686b66d47ff1c7f512aecb979c098b9a1
-
SSDEEP
49152:VdZEy2B6vflQf6X8uZQoy3vR6QVQy5Z+bm4M/HMFvfGW0/7Z7Ib3jxw5b+:nHvfGfZvZj1/N/z/owJ+
Malware Config
Extracted
meshagent
2
test
http://81.199.130.130:443/agent.ashx
-
mesh_id
0x47DDDC52FC2F31C47AD1DB7EB4B7C5D38C64AAD2FC943360B44270FE0EA5E8B1A96E47D75411E0868F92FE77C2BFBAD0
-
server_id
C3CEF30878AE341001284FF387E3BB7A7922403931F7265230ABB853B779EF5C3E73D0B368F566EC7B73BFB88E64D995
-
wss
wss://81.199.130.130:443/agent.ashx
Signatures
-
Detects MeshAgent payload 1 IoCs
resource: behavioral1/files/0x001900000002b074-1.dat
yara_rule: family_meshagent
Meshagent family
-
Sets service image path in registry 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" "
Process: meshagent64-test (8).exe
Executes dropped EXE 4 IoCs
pid | Process
5196 | MeshAgent.exe
4288 | MeshAgent.exe
2128 | MeshAgent.exe
4848 | MeshAgent.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 64 IoCs
Nearly all of these entries are .pdb lookups beside the loaded system DLLs and in the symbols\dll, dll and exe subdirectories of System32, which is the path pattern the Windows symbol handler (dbghelp) probes when it loads symbols for a module; they show the agent resolving debug symbols, not planting binaries in System32. The StartupProfileData-Interactive entries are PowerShell's own startup cache under the SYSTEM profile (config\systemprofile), consistent with the PowerShell children running as LocalSystem.
description | ioc | Process
File opened for modification | C:\Windows\System32\symbols\dll\gdi32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\shell32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\MeshService64.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\ws2_32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\gdiplus.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\bcrypt.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\win32u.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\gdi32full.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\msvcp_win.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\shell32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\ole32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\gdi32.pdb | MeshAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\msvcp_win.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\sechost.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dbgcore.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\apphelp.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\ntasn1.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dbghelp.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\DLL\dbgcore.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\DLL\bcrypt.pdb | MeshAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\System32\dll\shcore.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\shcore.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\exe\MeshService64.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\ws2_32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\Kernel.Appcore.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\crypt32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\advapi32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\ntdll.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\kernelbase.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\ws2_32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\rpcrt4.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\DLL\iphlpapi.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\ws2_32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\user32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\win32u.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\advapi32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\kernelbase.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\advapi32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\imm32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\MeshService64.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\gdi32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\crypt32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | MeshAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | powershell.exe
File opened for modification | C:\Windows\System32\ucrtbase.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\shell32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\shcore.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\rpcrt4.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\user32.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\dll\sechost.pdb | MeshAgent.exe
File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | MeshAgent.exe
-
Drops file in Program Files directory 6 IoCs
description | ioc | Process
File created | C:\Program Files\Mesh Agent\MeshAgent.exe | meshagent64-test (8).exe
File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | MeshAgent.exe
File created | C:\Program Files\Mesh Agent\MeshAgent.db | MeshAgent.exe
File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | MeshAgent.exe
File created | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | MeshAgent.exe
File created | C:\Program Files\Mesh Agent\MeshAgent.msh | MeshAgent.exe
-
Command and Scripting Interpreter: PowerShell 4 IoCs
pid | Process
4196 | powershell.exe
428 | powershell.exe
1168 | powershell.exe
5732 | powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 64 IoCs
HKEY_USERS\.DEFAULT is the hive loaded for the LocalSystem account, so these writes come from the PowerShell children running as SYSTEM (the certificate-store and Internet Settings\ZoneMap keys are the ones PowerShell and .NET initialise on first use under an account). Only keys are created; no certificate values are written in this run.
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fWindowsOnlyEOL = "0" | notepad.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
5732 | powershell.exe
5732 | powershell.exe
4196 | powershell.exe
4196 | powershell.exe
428 | powershell.exe
428 | powershell.exe
1168 | powershell.exe
1168 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 5732 | powershell.exe
Token: SeDebugPrivilege | 4196 | powershell.exe
Token: SeDebugPrivilege | 428 | powershell.exe
Token: SeDebugPrivilege | 1168 | powershell.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4288 | MeshAgent.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 6084 wrote to memory of 4828 | 6084 | meshagent64-test (8).exe | 84
PID 6084 wrote to memory of 4828 | 6084 | meshagent64-test (8).exe | 84
PID 5196 wrote to memory of 5732 | 5196 | MeshAgent.exe | 89
PID 5196 wrote to memory of 5732 | 5196 | MeshAgent.exe | 89
PID 5196 wrote to memory of 4196 | 5196 | MeshAgent.exe | 91
PID 5196 wrote to memory of 4196 | 5196 | MeshAgent.exe | 91
PID 5196 wrote to memory of 428 | 5196 | MeshAgent.exe | 93
PID 5196 wrote to memory of 428 | 5196 | MeshAgent.exe | 93
PID 5196 wrote to memory of 1168 | 5196 | MeshAgent.exe | 95
PID 5196 wrote to memory of 1168 | 5196 | MeshAgent.exe | 95
PID 5196 wrote to memory of 5124 | 5196 | MeshAgent.exe | 97
PID 5196 wrote to memory of 5124 | 5196 | MeshAgent.exe | 97
PID 5124 wrote to memory of 3596 | 5124 | cmd.exe | 99
PID 5124 wrote to memory of 3596 | 5124 | cmd.exe | 99
PID 5196 wrote to memory of 1744 | 5196 | MeshAgent.exe | 100
PID 5196 wrote to memory of 1744 | 5196 | MeshAgent.exe | 100
PID 1744 wrote to memory of 3860 | 1744 | cmd.exe | 102
PID 1744 wrote to memory of 3860 | 1744 | cmd.exe | 102
PID 5196 wrote to memory of 4288 | 5196 | MeshAgent.exe | 103
PID 5196 wrote to memory of 4288 | 5196 | MeshAgent.exe | 103
PID 4848 wrote to memory of 1628 | 4848 | MeshAgent.exe | 109
PID 4848 wrote to memory of 1628 | 4848 | MeshAgent.exe | 109
PID 4848 wrote to memory of 1980 | 4848 | MeshAgent.exe | 110
PID 4848 wrote to memory of 1980 | 4848 | MeshAgent.exe | 110
PID 1980 wrote to memory of 2024 | 1980 | cmd.exe | 111
PID 1980 wrote to memory of 2024 | 1980 | cmd.exe | 111
PID 1980 wrote to memory of 5244 | 1980 | cmd.exe | 112
PID 1980 wrote to memory of 5244 | 1980 | cmd.exe | 112
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe (PID 6084)
    command line: "C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe"
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe (PID 4828)
        command line: "C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe" -fullinstall
        - Sets service image path in registry
        - Drops file in Program Files directory
-
[1] C:\Program Files\Mesh Agent\MeshAgent.exe (PID 5196)
    command line: "C:\Program Files\Mesh Agent\MeshAgent.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5732)
        command line: powershell -noprofile -nologo -command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4196)
        command line: powershell -noprofile -nologo -command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 428)
        command line: powershell -noprofile -nologo -command -
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1168)
        command line: powershell -noprofile -nologo -command -
        - Drops file in System32 directory
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe (PID 5124)
        command line: /c manage-bde -protectors -get C: -Type recoverypassword
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\manage-bde.exe (PID 3596)
            command line: manage-bde -protectors -get C: -Type recoverypassword
    [2] C:\Windows\system32\cmd.exe (PID 1744)
        command line: /c manage-bde -protectors -get F: -Type recoverypassword
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\manage-bde.exe (PID 3860)
            command line: manage-bde -protectors -get F: -Type recoverypassword
    [2] C:\Program Files\Mesh Agent\MeshAgent.exe (PID 4288)
        command line: -kvm1
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
-
[1] C:\Program Files\Mesh Agent\MeshAgent.exe (PID 2128)
    command line: "C:\Program Files\Mesh Agent\MeshAgent.exe" -b64exec cmVxdWlyZSgnd2luLWNvbnNvbGUnKS5oaWRlKCk7cmVxdWlyZSgnd2luLWRpc3BhdGNoZXInKS5jb25uZWN0KCczMzA5Jyk7
    - Executes dropped EXE
    - Drops file in System32 directory
-
[1] C:\Program Files\Mesh Agent\MeshAgent.exe (PID 4848)
    command line: "C:\Program Files\Mesh Agent\MeshAgent.exe" -b64exec cmVxdWlyZSgnd2luLWNvbnNvbGUnKS5oaWRlKCk7cmVxdWlyZSgnd2luLWRpc3BhdGNoZXInKS5jb25uZWN0KCc4NTQyJyk7
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\conhost.exe (PID 1628)
        command line: \\?\C:\Windows\system32\conhost.exe --headless --width 177 --height 38 --signal 0x330 --server 0x32c
    [2] C:\Windows\System32\cmd.exe (PID 1980)
        command line: C:\Windows\System32\cmd.exe
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\notepad.exe (PID 2024)
            command line: notepad.exe
            - Modifies data under HKEY_USERS
        [3] C:\Windows\system32\notepad.exe (PID 5244)
            command line: notepad
-
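Two details in the tree above deserve a closer look than the raw command lines give: the -b64exec switch, which MeshAgent accepts as base64-encoded JavaScript to run in its embedded script engine, and the manage-bde calls, which read the BitLocker recovery passwords for C: and F:. The helper below is an added example written for this page (it is not code from the sandbox or from the MeshCentral/MeshAgent project). It takes (pid, command line) pairs, copied here from the tree as constructed sample input, decodes any -b64exec payload, lists the modules the decoded script calls require() on, and flags recovery-password reads. The Finding class, the regexes and the function names are this example's own.

```python
"""Decode MeshAgent -b64exec payloads and flag BitLocker recovery-key reads from
process command lines. Added example for this report, not project code."""
import base64
import binascii
import re
from dataclasses import dataclass

# Command lines copied from the process tree in the report (constructed sample input;
# in a real run they would come from Sysmon event 1 or EDR process-creation telemetry).
SAMPLE_CMDLINES = [
    (6084, r'"C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe"'),
    (4828, r'"C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe" -fullinstall'),
    (5732, 'powershell -noprofile -nologo -command -'),
    (5124, '/c manage-bde -protectors -get C: -Type recoverypassword'),
    (1744, '/c manage-bde -protectors -get F: -Type recoverypassword'),
    (4288, '-kvm1'),
    (2128, r'"C:\Program Files\Mesh Agent\MeshAgent.exe" -b64exec '
           'cmVxdWlyZSgnd2luLWNvbnNvbGUnKS5oaWRlKCk7cmVxdWlyZSgnd2luLWRpc3BhdGNoZXInKS5jb25uZWN0KCczMzA5Jyk7'),
    (4848, r'"C:\Program Files\Mesh Agent\MeshAgent.exe" -b64exec '
           'cmVxdWlyZSgnd2luLWNvbnNvbGUnKS5oaWRlKCk7cmVxdWlyZSgnd2luLWRpc3BhdGNoZXInKS5jb25uZWN0KCc4NTQyJyk7'),
]

B64EXEC_RE = re.compile(r'-b64exec\s+([A-Za-z0-9+/=]+)')
MANAGE_BDE_RE = re.compile(
    r'manage-bde\s+-protectors\s+-get\s+(\S+)\s+-Type\s+recoverypassword', re.IGNORECASE)
REQUIRE_RE = re.compile(r"require\('([^']+)'\)")


def decode_b64exec(cmdline):
    """Return the script carried by -b64exec, or None if the switch is absent or the
    payload is not valid base64 / UTF-8 (validate=True rejects stray characters)."""
    m = B64EXEC_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode('utf-8')
    except (binascii.Error, UnicodeDecodeError):
        return None


def modules_used(script):
    """Sorted, de-duplicated names passed to require() in a decoded script."""
    return sorted(set(REQUIRE_RE.findall(script)))


@dataclass(frozen=True)
class Finding:
    pid: int
    kind: str    # 'b64exec' or 'bitlocker_recovery_password'
    detail: str  # the decoded script, or the volume whose protectors were read


def triage(cmdlines):
    """Walk (pid, cmdline) pairs and return the findings worth a second look."""
    findings = []
    for pid, cmd in cmdlines:
        script = decode_b64exec(cmd)
        if script is not None:
            findings.append(Finding(pid, 'b64exec', script))
        m = MANAGE_BDE_RE.search(cmd)
        if m is not None:
            findings.append(Finding(pid, 'bitlocker_recovery_password', m.group(1)))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_CMDLINES):
        print(f'PID {f.pid}: {f.kind}: {f.detail}')
        if f.kind == 'b64exec':
            print('  modules:', ', '.join(modules_used(f.detail)))
```

For PID 2128 the payload decodes to `require('win-console').hide();require('win-dispatcher').connect('3309');`, and PID 4848 differs only in the argument to connect ('8542'): the script hides the console window and connects the agent's win-dispatcher module with a numeric argument. Anything beyond the module names and arguments would need the agent's JavaScript modules, which this report does not include. The manage-bde hits (C: and F:) are worth raising on their own: an agent that can read BitLocker recovery passwords hands whoever controls the mesh server the ability to unlock those volumes offline.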
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 154KB
MD5: 8970d54a11ee64d20e1a6918b653cef5
SHA1: 77305256134e565d956df84ac58e2a8114713ed5
SHA256: 4c61e9fbb9435887cfdf27871d9630a991bf7d6407095003df283af3bc659ad9
SHA512: d9debee189a60467a9b87595928e8d1a162694cf67be759de64d94f960537bcf87cf9d3b38b412968ddbaa6e2b6e3bbd68b9563705ce6853c88bb5d3775675c5
-
Filesize: 154KB
MD5: 19f90c41324b2a2f5c859b58a4736794
SHA1: 45c8388fee79798612b246ff8e54f2a15deb7ad7
SHA256: ec6a2a37efa962bd4ced3d8447481b14bef76b8794d403187bbf7b229ce0b4d8
SHA512: 5a67da6075823a1eac3b6a985a664d399b300cfb1238451d7e1bf95e881b457130747f19a7c6bf7f1a4d08fb230c0929c31d63aebd4801f87659cc55c6c6fdce
-
Filesize: 3.3MB (same hashes as the submitted target)
MD5: 0375b9bc8048fff72a08872c0992ca2c
SHA1: 0b8bf91a63cb2a814c14ff87f86957b7993c1ea8
SHA256: 9902d605b851b3bb44d6d0fa6f1b9d46839a2e05836a661f7747d4ca27a6e000
SHA512: 84f1443088d74f0983179fb6602644fd75ca8e62dbf29727b07a8d85d4ddbf939a43cd059728273d870237fc954c445686b66d47ff1c7f512aecb979c098b9a1
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: 22e796539d05c5390c21787da1fb4c2b
SHA1: 55320ebdedd3069b2aaf1a258462600d9ef53a58
SHA256: 7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92
SHA512: d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: 1c926ffdde8e1ccc983154a6509a2cb6
SHA1: 04b1ec96a06d9a960044daea144bb970bd3349be
SHA256: 0b41e22e20a1527a992d34df2825c0bad75fda572630159f11068447f1ba32e5
SHA512: f6b97ee93789e901a17039d61c191dfaf1f72cfbb47f0da1dbecd2f2fafe637e552da6172d85c4c5044376591d17b3f19177cb8dc24a25519b5c9785c59f93bc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: 095de31f74549962d22f059ae7483573
SHA1: 97edc434d5258715765626dc6d0d8f268ba4dc0e
SHA256: fe6624b7df3fa67dca3db378955e327d2f4371cf4380da5ab5ea6eff0d00e613
SHA512: f12ec0e6e9c151e45b08ced48bc928194c458eb343b318a6139aba7c0a6e5c394deb4725505f3134d5907d8a4b277daf50f688a177acf831afd078c28f49498d
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize: 1KB
MD5: f1293102cecdb53cdc4a389b43d66672
SHA1: 2235ba03d983f0a6920863f535558b7c1725d40b
SHA256: 9900fda6e7909939aa4538e47144d670297edcc3a09fcaf5d3b939a46b52d4ef
SHA512: ec12370ff79a5d9ad2628fc7147132d4a38600116e4d3ea93c96462fa6f9882b6e2b52abda439e369f2c7773e4001acd2115d2a62adc31fa2ccf6b3bfaeeea8c