nanocore | a072e83a9303a4011ae8ec7db630c3523cf1bec5dfa89dffac3c7d035487e879

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	server_Protected.exe

Windows security bypass 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	server_Protected.exe

Executes dropped EXE 57 IoCs

pid	Process
2228	server_Protected.exe
2392	server_Protected.exe
3044	server_Protected.exe
2644	server_Protected.exe
2812	server_Protected.exe
2556	server_Protected.exe
2408	server_Protected.exe
2508	server_Protected.exe
2620	server_Protected.exe
2696	server_Protected.exe
2768	server_Protected.exe
612	server_Protected.exe
336	server_Protected.exe
1912	server_Protected.exe
1968	server_Protected.exe
1204	server_Protected.exe
1708	server_Protected.exe
688	server_Protected.exe
652	server_Protected.exe
1552	server_Protected.exe
1168	server_Protected.exe
2932	server_Protected.exe
1196	server_Protected.exe
2836	server_Protected.exe
2952	server_Protected.exe
2888	server_Protected.exe
1780	server_Protected.exe
912	server_Protected.exe
2216	server_Protected.exe
2344	server_Protected.exe
2576	server_Protected.exe
1580	server_Protected.exe
980	server_Protected.exe
1284	server_Protected.exe
1004	server_Protected.exe
988	server_Protected.exe
884	server_Protected.exe
1036	server_Protected.exe
1156	server_Protected.exe
2184	server_Protected.exe
1648	server_Protected.exe
1644	server_Protected.exe
2044	server_Protected.exe
1432	server_Protected.exe
1916	server_Protected.exe
2032	server_Protected.exe
1496	server_Protected.exe
1840	server_Protected.exe
3068	server_Protected.exe
2492	server_Protected.exe
2660	server_Protected.exe
2996	server_Protected.exe
2860	server_Protected.exe
2724	server_Protected.exe
2672	server_Protected.exe
2224	server_Protected.exe
3044	server_Protected.exe

Loads dropped DLL 60 IoCs

pid	Process
2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
2228	server_Protected.exe
2228	server_Protected.exe
2228	server_Protected.exe
2228	server_Protected.exe
2228	server_Protected.exe
2228	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe

Windows security modification 2 TTPs 1 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	server_Protected.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	server_Protected.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000800000001630b-4.dat	autoit_exe

Suspicious use of SetThreadContext 52 IoCs

description	pid	Process	procid_target
PID 2156 set thread context of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	29
PID 2228 set thread context of 2556	2228	server_Protected.exe	35
PID 2556 set thread context of 2508	2556	server_Protected.exe	36
PID 2556 set thread context of 2620	2556	server_Protected.exe	39
PID 2556 set thread context of 2696	2556	server_Protected.exe	40
PID 2556 set thread context of 2768	2556	server_Protected.exe	41
PID 2556 set thread context of 612	2556	server_Protected.exe	42
PID 2556 set thread context of 336	2556	server_Protected.exe	43
PID 2556 set thread context of 1912	2556	server_Protected.exe	44
PID 2556 set thread context of 1968	2556	server_Protected.exe	45
PID 2556 set thread context of 1204	2556	server_Protected.exe	46
PID 2556 set thread context of 1708	2556	server_Protected.exe	47
PID 2556 set thread context of 688	2556	server_Protected.exe	48
PID 2556 set thread context of 652	2556	server_Protected.exe	49
PID 2556 set thread context of 1552	2556	server_Protected.exe	50
PID 2556 set thread context of 1168	2556	server_Protected.exe	52
PID 2556 set thread context of 2932	2556	server_Protected.exe	54
PID 2556 set thread context of 1196	2556	server_Protected.exe	55
PID 2556 set thread context of 2836	2556	server_Protected.exe	56
PID 2556 set thread context of 2952	2556	server_Protected.exe	57
PID 2556 set thread context of 2888	2556	server_Protected.exe	58
PID 2556 set thread context of 1780	2556	server_Protected.exe	59
PID 2556 set thread context of 912	2556	server_Protected.exe	60
PID 2556 set thread context of 2216	2556	server_Protected.exe	61
PID 2556 set thread context of 2344	2556	server_Protected.exe	62
PID 2556 set thread context of 2576	2556	server_Protected.exe	63
PID 2556 set thread context of 1580	2556	server_Protected.exe	64
PID 2556 set thread context of 980	2556	server_Protected.exe	65
PID 2556 set thread context of 1284	2556	server_Protected.exe	66
PID 2556 set thread context of 1004	2556	server_Protected.exe	67
PID 2556 set thread context of 988	2556	server_Protected.exe	68
PID 2556 set thread context of 884	2556	server_Protected.exe	69
PID 2556 set thread context of 1036	2556	server_Protected.exe	70
PID 2556 set thread context of 1156	2556	server_Protected.exe	71
PID 2556 set thread context of 2184	2556	server_Protected.exe	72
PID 2556 set thread context of 1648	2556	server_Protected.exe	73
PID 2556 set thread context of 1644	2556	server_Protected.exe	74
PID 2556 set thread context of 2044	2556	server_Protected.exe	75
PID 2556 set thread context of 1432	2556	server_Protected.exe	76
PID 2556 set thread context of 1916	2556	server_Protected.exe	77
PID 2556 set thread context of 2032	2556	server_Protected.exe	78
PID 2556 set thread context of 1496	2556	server_Protected.exe	79
PID 2556 set thread context of 1840	2556	server_Protected.exe	80
PID 2556 set thread context of 3068	2556	server_Protected.exe	81
PID 2556 set thread context of 2492	2556	server_Protected.exe	82
PID 2556 set thread context of 2660	2556	server_Protected.exe	83
PID 2556 set thread context of 2996	2556	server_Protected.exe	84
PID 2556 set thread context of 2860	2556	server_Protected.exe	85
PID 2556 set thread context of 2724	2556	server_Protected.exe	86
PID 2556 set thread context of 2672	2556	server_Protected.exe	87
PID 2556 set thread context of 2224	2556	server_Protected.exe	88
PID 2556 set thread context of 3044	2556	server_Protected.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
3024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2556	server_Protected.exe
2676	RegAsm.exe
2676	RegAsm.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe
2556	server_Protected.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
2228	server_Protected.exe
2676	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2556	server_Protected.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2228	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2228	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2228	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2228	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	29
PID 2156 wrote to memory of 2676	2156	698576b6a938a5520eae41be49540f41_JaffaCakes118.exe	29
PID 2228 wrote to memory of 2392	2228	server_Protected.exe	30
PID 2228 wrote to memory of 2392	2228	server_Protected.exe	30
PID 2228 wrote to memory of 2392	2228	server_Protected.exe	30
PID 2228 wrote to memory of 2392	2228	server_Protected.exe	30
PID 2228 wrote to memory of 3044	2228	server_Protected.exe	31
PID 2228 wrote to memory of 3044	2228	server_Protected.exe	31
PID 2228 wrote to memory of 3044	2228	server_Protected.exe	31
PID 2228 wrote to memory of 3044	2228	server_Protected.exe	31
PID 2228 wrote to memory of 2644	2228	server_Protected.exe	32
PID 2228 wrote to memory of 2644	2228	server_Protected.exe	32
PID 2228 wrote to memory of 2644	2228	server_Protected.exe	32
PID 2228 wrote to memory of 2644	2228	server_Protected.exe	32
PID 2228 wrote to memory of 2812	2228	server_Protected.exe	33
PID 2228 wrote to memory of 2812	2228	server_Protected.exe	33
PID 2228 wrote to memory of 2812	2228	server_Protected.exe	33
PID 2228 wrote to memory of 2812	2228	server_Protected.exe	33
PID 2228 wrote to memory of 2408	2228	server_Protected.exe	34
PID 2228 wrote to memory of 2408	2228	server_Protected.exe	34
PID 2228 wrote to memory of 2408	2228	server_Protected.exe	34
PID 2228 wrote to memory of 2408	2228	server_Protected.exe	34
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	35
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	35
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	35
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	35
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	35
PID 2228 wrote to memory of 2556	2228	server_Protected.exe	35
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	36
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	36
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	36
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	36
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	36
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	36
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	36
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	36
PID 2556 wrote to memory of 2508	2556	server_Protected.exe	36
PID 2676 wrote to memory of 3024	2676	RegAsm.exe	37
PID 2676 wrote to memory of 3024	2676	RegAsm.exe	37
PID 2676 wrote to memory of 3024	2676	RegAsm.exe	37
PID 2676 wrote to memory of 3024	2676	RegAsm.exe	37
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	39
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	39
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	39
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	39
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	39
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	39
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	39
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	39
PID 2556 wrote to memory of 2620	2556	server_Protected.exe	39
PID 2556 wrote to memory of 2696	2556	server_Protected.exe	40
PID 2556 wrote to memory of 2696	2556	server_Protected.exe	40
PID 2556 wrote to memory of 2696	2556	server_Protected.exe	40

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	server_Protected.exe

C:\Users\Admin\AppData\Local\Temp\698576b6a938a5520eae41be49540f41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\698576b6a938a5520eae41be49540f41_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
  "C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
    "C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
    3⤵
    - Executes dropped EXE
    PID:2392
- - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
    "C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
    3⤵
    - Executes dropped EXE
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
    "C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
    "C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
    "C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
    3⤵
    - Executes dropped EXE
    PID:2408
- - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
    "C:\Users\Admin\AppData\Local\Temp\server_Protected.exe"
    3⤵
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2556
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2508
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2620
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:612
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:336
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1708
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:688
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:652
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2888
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1780
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:912
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2216
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2344
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2576
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:980
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1284
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1004
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:988
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:884
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1156
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1644
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1432
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1496
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:1840
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2492
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2724
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      C:\Users\Admin\AppData\Local\Temp\server_Protected.exe
      4⤵
      Executes dropped EXE
      PID:3044
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
  2⤵
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3312.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry