Analysis Overview
SHA256
36a98d2a6aa142cc7ce539ad022bd0022ef096933abf39a38270603f13ccf01c
Threat Level: Known bad
The file MeshAgent.exe was found to be: Known bad.
Malicious Activity Summary
Detects MeshAgent payload
MeshAgent
Meshagent family
Sets service image path in registry
Executes dropped EXE
Checks installed software on the system
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-20 16:26
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Meshagent family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-20 16:26
Reported
2025-03-20 16:28
Platform
win11-20250314-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Detects MeshAgent payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
MeshAgent
Meshagent family
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files\\Mesh Agent\\MeshAgent.exe\" " | C:\Users\Admin\AppData\Local\Temp\MeshAgent.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\user32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\shcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\dbghelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\bcryptprimitives.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\A5B6D200C3D039ACF47E9D754458AAD40223A1DF | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\5543C23EF20C5549731ED3DA4AD438A74CA554A6 | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdi32full.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\iphlpapi.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\bcrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\bcryptprimitives.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\msvcp_win.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\advapi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\88D4E329437B3F7E5143987C36AF4935050C7375 | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ucrtbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\gdiplus.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\DLL\kernel32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ws2_32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\gdi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\ntdll.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\kernelbase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\apphelp.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\rpcrt4.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ole32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\combase.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\DLL\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\bcrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\crypt32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\advapi32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\shell32.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\ncrypt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dbgcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\ntasn1.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\symbols\dll\Kernel.Appcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\shcore.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\win32u.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Windows\System32\dll\msvcrt.pdb | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Mesh Agent\MeshAgent.msh | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.exe | C:\Users\Admin\AppData\Local\Temp\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File opened for modification | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
| File created | C:\Program Files\Mesh Agent\MeshAgent.db.tmp | C:\Program Files\Mesh Agent\MeshAgent.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\MeshAgent.exe
"C:\Users\Admin\AppData\Local\Temp\MeshAgent.exe"
C:\Users\Admin\AppData\Local\Temp\MeshAgent.exe
"C:\Users\Admin\AppData\Local\Temp\MeshAgent.exe" -fullinstall
C:\Program Files\Mesh Agent\MeshAgent.exe
"C:\Program Files\Mesh Agent\MeshAgent.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get F: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get F: -Type recoverypassword
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get F: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get F: -Type recoverypassword
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -noprofile -nologo -command -
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get C: -Type recoverypassword
C:\Windows\system32\cmd.exe
/c manage-bde -protectors -get F: -Type recoverypassword
C:\Windows\system32\manage-bde.exe
manage-bde -protectors -get F: -Type recoverypassword
Network
| Country | Destination | Domain | Proto |
| IL | 81.199.130.130:443 | tcp | |
| IL | 81.199.130.130:443 | tcp | |
| IL | 81.199.130.130:443 | tcp | |
| IE | 52.111.236.22:443 | tcp | |
| IL | 81.199.130.130:443 | tcp |
Files
C:\Program Files\Mesh Agent\MeshAgent.exe
| MD5 | 5c716fd89b27969847a91d7048ac9d31 |
| SHA1 | 081586960b6b6093fa0473413b4c8584e081e0b9 |
| SHA256 | 36a98d2a6aa142cc7ce539ad022bd0022ef096933abf39a38270603f13ccf01c |
| SHA512 | 76bcb99cddb92c1fd8966f3499eb514e3e3e34f4771791cc4497a3eebcac5ef4b6786084f272ad6a717e5f4bc53a9159985d2dec752dda8c147b63926edbe72d |
memory/2804-18-0x000001CA68CB0000-0x000001CA68CD2000-memory.dmp
C:\Windows\Temp\__PSScriptPolicyTest_gktk0f3t.zw0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2804-27-0x000001CA69110000-0x000001CA69156000-memory.dmp
C:\Program Files\Mesh Agent\MeshAgent.db
| MD5 | bd49ca59799faf7ae4b5d26a5d5e9444 |
| SHA1 | 261c48a6f5e98bf3cea89918aca2184b77557bcb |
| SHA256 | ef6197558cb44d9411d03d3146197cf134c070ab89f358b4772833a33e5deab9 |
| SHA512 | 1ad74079df8295642ee8c3298263ec1bbd6bff1f558ebb293b56f717f905608b46f16499445f1d36dba3fb852e64bf72ca588eba8fa329de293f1bed1521a92d |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 22e796539d05c5390c21787da1fb4c2b |
| SHA1 | 55320ebdedd3069b2aaf1a258462600d9ef53a58 |
| SHA256 | 7c6c09f48f03421430d707d27632810414e5e2bf2eecd5eb675fecf8b45a9a92 |
| SHA512 | d9cc0cb22df56db72a71504bb3ebc36697e0a7a1d2869e0e0ab61349bda603298fe6c667737b79bf2235314fb49b883ba4c5f137d002e273e79391038ecf9c09 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 1c926ffdde8e1ccc983154a6509a2cb6 |
| SHA1 | 04b1ec96a06d9a960044daea144bb970bd3349be |
| SHA256 | 0b41e22e20a1527a992d34df2825c0bad75fda572630159f11068447f1ba32e5 |
| SHA512 | f6b97ee93789e901a17039d61c191dfaf1f72cfbb47f0da1dbecd2f2fafe637e552da6172d85c4c5044376591d17b3f19177cb8dc24a25519b5c9785c59f93bc |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ec7033c559f2e16ac40f820c0f4e64eb |
| SHA1 | 8ab9a4cbf292618e77279fe8f88650c17bb01b2b |
| SHA256 | 33d97ae6504aae83a0f0cafe2a9935e7640b83ead52f5f9c302bf1d736827efa |
| SHA512 | a645e2721107d8aa3adc3709f251c07ed6714c6f7c44aee143edd570bb9ff07010a3f549209e03784edcd1bdbdccf681e41b37f0ca33cb46714186db844c167e |
C:\Program Files\Mesh Agent\MeshAgent.db.tmp
| MD5 | 451a6e95576e7fa309cb9d976debe1a6 |
| SHA1 | 56b261b6c37901d3e779af5cb56ac95c74a600b1 |
| SHA256 | c1b37d63965014274965b2ffecde70ee7171e6a2a7acc52d3392b101f6ac8a74 |
| SHA512 | aabba9987fa97c719ede75ef01559410b3585404d811e093e5f31d87276d789c05fc066e294cc40e64116b67650c63f93c773bc0d4347cf2809c10a3bb31203b |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | cb8e0c64f55fed6a58a425f2849e6faf |
| SHA1 | 51778ab5742494e1268657adb16efbcf55585389 |
| SHA256 | 65bffe0f28901ff908f421d833e8af2520164091b1362f365c69b67eff447a8e |
| SHA512 | 279cfe5a4baa3e0826089f392af81b3ab8697306468356d1d26940bd187f6b36ae577e0bd06bce5f7dd694798dd148908e709ce781c02ccba87db08212e11c01 |
memory/5204-81-0x000001BDDA400000-0x000001BDDA41C000-memory.dmp
memory/5204-82-0x000001BDDA420000-0x000001BDDA4D3000-memory.dmp
memory/5204-83-0x000001BDDA3E0000-0x000001BDDA3EA000-memory.dmp
memory/5204-84-0x000001BDDA500000-0x000001BDDA51C000-memory.dmp
memory/5204-85-0x000001BDDA3F0000-0x000001BDDA3FA000-memory.dmp
memory/5204-86-0x000001BDDA520000-0x000001BDDA53A000-memory.dmp
memory/5204-87-0x000001BDDA4E0000-0x000001BDDA4E8000-memory.dmp
memory/5204-88-0x000001BDDA4F0000-0x000001BDDA4F6000-memory.dmp
memory/5204-89-0x000001BDDA540000-0x000001BDDA54A000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 33450c74228338fd1e72e5aabca1371f |
| SHA1 | 698c49898b151c3aae2062a46f4056df4ab4fb13 |
| SHA256 | 37c29e867f619c0df2a044313ca2ce33020765eab0e66d0578094d24c240a108 |
| SHA512 | 7b3b3ffe148585ed82a95a60720e0c3ce3e466bfcfa292d920fb2f370e21f59e68a47ed65d0a9a013ca1f5063c52ca0b3f71073ae05ae11d12732c44ecea005b |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a00a4c6c494f40f21f49f32512d0eb8c |
| SHA1 | 8c5c0d29631e279f9d55978204924918cd109a7c |
| SHA256 | 0f1f497759f3a0867fb375a11314f6a2067bb56fdd828528067944d67cea0477 |
| SHA512 | 188411c1a947d3bc0824b69176bf3aa40d66d97e4d9d15e8a5590f408835b756c59c7c99da3dc87c0b97a864ef83b4028567d43dc881e172e19f97b2e820356b |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e432eecc526099225e7e17e9e656e791 |
| SHA1 | 1f73e3b892605834fd1982c51278e539442b3770 |
| SHA256 | fcc92b14b530f772d7312728f6806bbdbed436a0d27f1ca2cd65895696177c61 |
| SHA512 | 4228d4c4c8aff8e29eb522d8b4a9e1dca22455c9e01c5f957c1aea465766823c31203c4298e6bfd0c6c3fae20311b1c406730f1640b6918762bf55a1d821c753 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6546a95c5308ff8cd9717de3c0c50a68 |
| SHA1 | 3780aee6947c865bb3c65b4b8546c5d61ecf25b5 |
| SHA256 | d3c7bd053fcab1349032e082a73e0222d0dca206d59ffab007473d96a5548e31 |
| SHA512 | ed08ebe0efa96db2a0f716e3648565ce95c2b9f6614b965c496685ae7439239e970f56ea0e0ec4639164e717290eac0681dc39cc204b0f27c2b35b5ce4145fd7 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 54bc0ddbb2e09049f36f8ddacd408c64 |
| SHA1 | 6a7a0509d504fc5f5fb06c92510530b3e153c57b |
| SHA256 | b9eec392df949cc4cfcd02659e44ec7bbb7adef029b489d81fbd54fa1303102d |
| SHA512 | 2cdf7fc62458c0ffb18830f0380ac4f7d6e6be526ebab4d52d1074d5bdf72900cf27747038897e3ece2e53e317c750023d510b30e3650a24b410705b2dffb241 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e3c847fe6e89835f61a6e6fda6b0ba2f |
| SHA1 | da08855d67710512792d67292507c00adeb1c357 |
| SHA256 | aeb76579c9a6b83846656189be378ad90910c11e246041ad9d5649217798750e |
| SHA512 | 03232ad043b13f8d44d050915ed5f6842984378cc65980ca88dfc24b3cb2d9c55d3ebe98817e5775e2ffc87d4f61d47cfe76de753a7e4980a2ba94be9b319c8f |
memory/5132-176-0x000002533B710000-0x000002533B7C3000-memory.dmp