Analysis Overview
SHA256
9902d605b851b3bb44d6d0fa6f1b9d46839a2e05836a661f7747d4ca27a6e000
Threat Level: Known bad
The file meshagent64-test (8).exe was found to be: Known bad.
Malicious Activity Summary
Detects MeshAgent payload
Meshagent family
MeshAgent
Sets service image path in registry
Executes dropped EXE
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-20 08:16
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Meshagent family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-20 08:15
Reported
2025-03-20 08:18
Platform
win11-20250313-en
Max time kernel
129s
Max time network
139s
Command Line
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MeshAgent
Meshagent family
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " | C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\symbols\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\MeshService64.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\bcrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdi32full.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\sechost.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\apphelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\bcrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\shcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\shcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\exe\MeshService64.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\advapi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\kernelbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\advapi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\kernelbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\advapi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\imm32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\MeshService64.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\shcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\sechost.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Mesh Agent\MeshAgent.exe | C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.msh | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Notepad\fWindowsOnlyEOL = "0" | C:\Windows\system32\notepad.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe
"C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe"
C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe
"C:\Users\Admin\AppData\Local\Temp\meshagent64-test (8).exe" -fullinstall
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get F: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get F: -Type recoverypassword
C:\Program Files\Mesh Agent\MeshAgent.exe
-kvm1
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" -b64exec cmVxdWlyZSgnd2luLWNvbnNvbGUnKS5oaWRlKCk7cmVxdWlyZSgnd2luLWRpc3BhdGNoZXInKS5jb25uZWN0KCczMzA5Jyk7
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe" -b64exec cmVxdWlyZSgnd2luLWNvbnNvbGUnKS5oaWRlKCk7cmVxdWlyZSgnd2luLWRpc3BhdGNoZXInKS5jb25uZWN0KCc4NTQyJyk7
C:\Windows\system32\conhost.exe
\\?\C:\Windows\system32\conhost.exe --headless --width 177 --height 38 --signal 0x330 --server 0x32c
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
C:\Windows\system32\notepad.exe
notepad.exe
C:\Windows\system32\notepad.exe
notepad
Network
| Country | Destination | Domain | Proto |
| IL | 81.199.130.130:443 | | tcp |
| IL | 81.199.130.130:443 | | tcp |
| IL | 81.199.130.130:443 | | tcp |
| IL | 81.199.130.130:443 | | tcp |
Files
C:\Program Files\Mesh Agent\MeshAgent.exe
| MD5 | 0375b9bc8048fff72a08872c0992ca2c |
| SHA1 | 0b8bf91a63cb2a814c14ff87f86957b7993c1ea8 |
| SHA256 | 9902d605b851b3bb44d6d0fa6f1b9d46839a2e05836a661f7747d4ca27a6e000 |
| SHA512 | 84f1443088d74f0983179fb6602644fd75ca8e62dbf29727b07a8d85d4ddbf939a43cd059728273d870237fc954c445686b66d47ff1c7f512aecb979c098b9a1 |
C:\Windows\Temp\__PSScriptPolicyTest_as1tc43z.kwc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5732-23-0x0000023F6A110000-0x0000023F6A132000-memory.dmp
memory/5732-27-0x0000023F6A530000-0x0000023F6A576000-memory.dmp
C:\Program Files\Mesh Agent\MeshAgent.db
| MD5 | 8970d54a11ee64d20e1a6918b653cef5 |
| SHA1 | 77305256134e565d956df84ac58e2a8114713ed5 |
| SHA256 | 4c61e9fbb9435887cfdf27871d9630a991bf7d6407095003df283af3bc659ad9 |
| SHA512 | d9debee189a60467a9b87595928e8d1a162694cf67be759de64d94f960537bcf87cf9d3b38b412968ddbaa6e2b6e3bbd68b9563705ce6853c88bb5d3775675c5 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 22e796539d05c5390c21787da1fb4c2b |
| SHA1 | 55320ebdedd3069b2aaf1a258462600d9ef53a58 |
| SHA256 | 7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92 |
| SHA512 | d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 1c926ffdde8e1ccc983154a6509a2cb6 |
| SHA1 | 04b1ec96a06d9a960044daea144bb970bd3349be |
| SHA256 | 0b41e22e20a1527a992d34df2825c0bad75fda572630159f11068447f1ba32e5 |
| SHA512 | f6b97ee93789e901a17039d61c191dfaf1f72cfbb47f0da1dbecd2f2fafe637e552da6172d85c4c5044376591d17b3f19177cb8dc24a25519b5c9785c59f93bc |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 095de31f74549962d22f059ae7483573 |
| SHA1 | 97edc434d5258715765626dc6d0d8f268ba4dc0e |
| SHA256 | fe6624b7df3fa67dca3db378955e327d2f4371cf4380da5ab5ea6eff0d00e613 |
| SHA512 | f12ec0e6e9c151e45b08ced48bc928194c458eb343b318a6139aba7c0a6e5c394deb4725505f3134d5907d8a4b277daf50f688a177acf831afd078c28f49498d |
C:\Program Files\Mesh Agent\MeshAgent.db.tmp
| MD5 | 19f90c41324b2a2f5c859b58a4736794 |
| SHA1 | 45c8388fee79798612b246ff8e54f2a15deb7ad7 |
| SHA256 | ec6a2a37efa962bd4ced3d8447481b14bef76b8794d403187bbf7b229ce0b4d8 |
| SHA512 | 5a67da6075823a1eac3b6a985a664d399b300cfb1238451d7e1bf95e881b457130747f19a7c6bf7f1a4d08fb230c0929c31d63aebd4801f87659cc55c6c6fdce |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f1293102cecdb53cdc4a389b43d66672 |
| SHA1 | 2235ba03d983f0a6920863f535558b7c1725d40b |
| SHA256 | 9900fda6e7909939aa4538e47144d670297edcc3a09fcaf5d3b939a46b52d4ef |
| SHA512 | ec12370ff79a5d9ad2628fc7147132d4a38600116e4d3ea93c96462fa6f9882b6e2b52abda439e369f2c7773e4001acd2115d2a62adc31fa2ccf6b3bfaeeea8c |
memory/1168-81-0x000001C3BCC90000-0x000001C3BCCAC000-memory.dmp
memory/1168-82-0x000001C3BCCB0000-0x000001C3BCD63000-memory.dmp
memory/1168-83-0x000001C3BCC70000-0x000001C3BCC7A000-memory.dmp
memory/1168-84-0x000001C3BCE90000-0x000001C3BCEAC000-memory.dmp
memory/1168-85-0x000001C3BCC80000-0x000001C3BCC8A000-memory.dmp
memory/1168-86-0x000001C3BCEB0000-0x000001C3BCECA000-memory.dmp
memory/1168-87-0x000001C3BCE70000-0x000001C3BCE78000-memory.dmp
memory/1168-88-0x000001C3BCE80000-0x000001C3BCE86000-memory.dmp
memory/1168-89-0x000001C3BCED0000-0x000001C3BCEDA000-memory.dmp