File name: MeshAgent.exe

Full analysis: https://app.any.run/tasks/dad0d755-d0ef-4ca5-8c65-1a61ae31012c
Verdict: Malicious activity
Analysis date: March 20, 2025, 16:43:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
meshagent
rmm-tool
websocket
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5: 5C716FD89B27969847A91D7048AC9D31
SHA1: 081586960B6B6093FA0473413B4C8584E081E0B9
SHA256: 36A98D2A6AA142CC7CE539AD022BD0022EF096933ABF39A38270603F13CCF01C
SSDEEP: 98304:kdrmW4EM6E1vuMR9YQ2TNqG8VA4YriuoGCNSGPOAZVo+5:QMHD5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • MeshAgent.exe (PID: 7392)
      • MeshAgent.exe (PID: 7924)
      • MeshAgent.exe (PID: 7792)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • MeshAgent.exe (PID: 7392)
    • Reads the date of Windows installation

      • MeshAgent.exe (PID: 7392)
    • Creates a software uninstall entry

      • MeshAgent.exe (PID: 7792)
    • Executable content was dropped or overwritten

      • MeshAgent.exe (PID: 7792)
    • Executes as Windows Service

      • MeshAgent.exe (PID: 7924)
    • MeshAgent potential remote access (YARA)

      • MeshAgent.exe (PID: 7924)
      • MeshAgent.exe (PID: 7392)
    • There is functionality for taking screenshot (YARA)

      • MeshAgent.exe (PID: 7924)
      • MeshAgent.exe (PID: 7392)
    • Creates or modifies Windows services

      • MeshAgent.exe (PID: 7792)
    • Application launched itself

      • MeshAgent.exe (PID: 7392)
  • INFO

    • The sample compiled with english language support

      • MeshAgent.exe (PID: 7392)
      • MeshAgent.exe (PID: 7792)
    • Checks supported languages

      • MeshAgent.exe (PID: 7392)
      • MeshAgent.exe (PID: 7792)
      • MeshAgent.exe (PID: 7924)
    • Reads the machine GUID from the registry

      • MeshAgent.exe (PID: 7392)
      • MeshAgent.exe (PID: 7924)
    • Process checks computer location settings

      • MeshAgent.exe (PID: 7392)
    • Reads the computer name

      • MeshAgent.exe (PID: 7392)
      • MeshAgent.exe (PID: 7792)
      • MeshAgent.exe (PID: 7924)
    • MESHAGENT has been detected

      • MeshAgent.exe (PID: 7792)
      • MeshAgent.exe (PID: 7924)
      • MeshAgent.exe (PID: 7924)
    • Creates files in the program directory

      • MeshAgent.exe (PID: 7792)
      • MeshAgent.exe (PID: 7924)
    • Reads the software policy settings

      • slui.exe (PID: 8080)
    • Checks proxy server information

      • slui.exe (PID: 8080)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:03:07 02:57:17+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 2122752
InitializedDataSize: 1482240
UninitializedDataSize: -
EntryPoint: 0x1da03c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: MeshCentral Background Service Agent
FileVersion: 2025-Mar-6 21:44:07+0000
LegalCopyright: Apache 2.0 License
ProductName: MeshCentral Agent
ProductVersion: Commit: 2025-Mar-6 21:44:07+0000
No data.
Total processes: 130
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start #MESHAGENT meshagent.exe no specs conhost.exe no specs meshagent.exe conhost.exe no specs #MESHAGENT meshagent.exe slui.exe

Process information

PID: 7392
CMD: "C:\Users\admin\Desktop\MeshAgent.exe"
Path: C:\Users\admin\Desktop\MeshAgent.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: MeshCentral Background Service Agent
Exit code: 0
Version: 2025-Mar-6 21:44:07+0000
Modules
Images
c:\users\admin\desktop\meshagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\winsxs\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_60b6a03d71f818d5\comctl32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
PID: 7400
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: MeshAgent.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7792
CMD: "C:\Users\admin\Desktop\MeshAgent.exe" -fullinstall
Path: C:\Users\admin\Desktop\MeshAgent.exe
Parent process: MeshAgent.exe
User: admin
Integrity Level: HIGH
Description: MeshCentral Background Service Agent
Exit code: 0
Version: 2025-Mar-6 21:44:07+0000
Modules
Images
c:\users\admin\desktop\meshagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 7812
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: MeshAgent.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7924
CMD: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"
Path: C:\Program Files\Mesh Agent\MeshAgent.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Description: MeshCentral Background Service Agent
Version: 2025-Mar-6 21:44:07+0000
Modules
Images
c:\program files\mesh agent\meshagent.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\dbghelp.dll
PID: 8080
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 534
Read events: 4 514
Write events: 20
Delete events: 0

Modification events

Process: MeshAgent.exe (PID: 7792)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation: write
Name: ImagePath
Value: "C:\Program Files\Mesh Agent\MeshAgent.exe" --installedByUser="S-1-5-21-1693682860-607145093-2874071422-1001"

Process: MeshAgent.exe (PID: 7792)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent
Operation: write
Name: _InstalledBy
Value: S-1-5-21-1693682860-607145093-2874071422-1001

Process: MeshAgent.exe (PID: 7792)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayName
Value: Mesh Agent

Process: MeshAgent.exe (PID: 7792)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: DisplayIcon
Value: C:\Program Files\Mesh Agent\MeshAgent.exe

Process: MeshAgent.exe (PID: 7792)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: InstallDate
Value: 20250320

Process: MeshAgent.exe (PID: 7792)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: InstallLocation
Value: C:\Program Files\Mesh Agent\

Process: MeshAgent.exe (PID: 7792)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: EstimatedSize
Value: 3399

Process: MeshAgent.exe (PID: 7792)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: NoModify
Value: 1

Process: MeshAgent.exe (PID: 7792)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: NoRepair
Value: 1

Process: MeshAgent.exe (PID: 7792)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mesh Agent
Operation: write
Name: UninstallString
Value: C:\Program Files\Mesh Agent\MeshAgent.exe -funinstall --meshServiceName="Mesh Agent"

Executable files: 1
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

PID: 7792 | Process: MeshAgent.exe | Type: executable
Filename: C:\Program Files\Mesh Agent\MeshAgent.exe
MD5: 5C716FD89B27969847A91D7048AC9D31
SHA256: 36A98D2A6AA142CC7CE539AD022BD0022EF096933ABF39A38270603F13CCF01C

PID: 7924 | Process: MeshAgent.exe | Type: binary
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\A2FA93F1EF42323A81946A0A509E637A217CE534
MD5: 40382C96F4B0505BF2546ABCA5FDEC6B
SHA256: 70FFD8C0490399224A8ED4EEA11EF519111FF1EC80E60FC50FAA8D2B1D368C67

PID: 7924 | Process: MeshAgent.exe | Type: binary
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\AC0ABC158C783A1C294E13B1DBDB375FF376DB77
MD5: 656E472DA56D0BCD215DB90EE110EDF1
SHA256: 914059C2517A69B086E1CF022C6D0F8356F234A526896D3DAD76BF2C14703B4B

PID: 7924 | Process: MeshAgent.exe | Type: binary
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\9496B7F06E9004E6C0960AF3AD6561F88577A7BA
MD5: 5A7190E0C1B8B3DAA05F07CC98C5AF98
SHA256: 0C9B7E4CA893E508DD55F92180410249CDE002A3564AD5E91EC8E4871118A44A

PID: 7924 | Process: MeshAgent.exe | Type: binary
Filename: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\CC016094FDD174E0890DA30C2ABFD83218A49412
MD5: 1C29E5E9B9DD3E0156BEBF44B4FA0F6D
SHA256: D4F87A47FAC6990535BBBD15B55575526FB6A3EEA6671EB2CACBBC8CAE89F7D1

PID: 7924 | Process: MeshAgent.exe | Type: text
Filename: C:\Program Files\Mesh Agent\MeshAgent.msh
MD5: B1D100BC865AA06074622842E62B11EF
SHA256: 1A1BDC4DB62CB9FAEB5F5B935193770D2F6E13287B7E5D54746AE204CA80C0B4

HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 4
Threats: 4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
101
81.199.130.130:443
https://81.199.130.130/agent.ashx
unknown
GET
101
81.199.130.130:443
https://81.199.130.130/agent.ashx
unknown
GET
101
81.199.130.130:443
https://81.199.130.130/agent.ashx
unknown
GET
101
81.199.130.130:443
https://81.199.130.130/agent.ashx
unknown
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted

Connections

IP: 51.124.78.146:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted
IP: 192.168.100.255:137 | Reputation: whitelisted
IP: 192.168.100.255:138 | Reputation: whitelisted
IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 7924 | Process: MeshAgent.exe | IP: 81.199.130.130:443 | ASN: Gilat Telecom Ltd. | CN: IL | Reputation: unknown
PID: 6036 | Process: slui.exe | IP: 40.91.76.224:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID: 8080 | Process: slui.exe | IP: 40.91.76.224:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

Class: Not Suspicious Traffic | Message: INFO [ANY.RUN] Websocket Upgrade Request
Class: Not Suspicious Traffic | Message: INFO [ANY.RUN] Websocket Upgrade Request
Class: Not Suspicious Traffic | Message: INFO [ANY.RUN] Websocket Upgrade Request
Class: Not Suspicious Traffic | Message: INFO [ANY.RUN] Websocket Upgrade Request
No debug info