nanocore | 65603c7a88beb93205d2012ca8d63dba310fc0f7f91fc81300734ee3b2eb3f10

General

Target

Update on Stamp Duty Charges on Paga.pdf.scr
Size

474KB
MD5

931d6095b12f270ab926dd037d3b8430
SHA1

ae8832bcefff293fd6d4c29d00362e3ed5a2202c
SHA256

65603c7a88beb93205d2012ca8d63dba310fc0f7f91fc81300734ee3b2eb3f10
SHA512

c69971083b4fbbb7b3c8098f1fdc7edc8b66642d04ac0f2fe795eae4f1a5cd0dac08658e2814ee2a31e3b3472f4def59056c1142d4d63eece3ad7368e8aa67d2

Score

10^/10

evasion trojan keylogger stealer spyware nanocore persistence

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

C2

grace532.sytes.net:1919

Mutex

02171e57-d8c6-4512-9969-2622471b4b14

Attributes

activate_away_mode
true
backup_connection_host
grace532.sytes.net
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2020-04-10T08:21:11.593844436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
1919
default_group
New House New Grace
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
02171e57-d8c6-4512-9969-2622471b4b14
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
grace532.sytes.net
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

Suspicious behavior: MapViewOfSection 37 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scr

pid	process
652	Update on Stamp Duty Charges on Paga.pdf.scr
2088	Update on Stamp Duty Charges on Paga.pdf.scr
1700	Update on Stamp Duty Charges on Paga.pdf.scr
424	Update on Stamp Duty Charges on Paga.pdf.scr
2092	Update on Stamp Duty Charges on Paga.pdf.scr
2092	Update on Stamp Duty Charges on Paga.pdf.scr
3680	Update on Stamp Duty Charges on Paga.pdf.scr
3680	Update on Stamp Duty Charges on Paga.pdf.scr
1516	Update on Stamp Duty Charges on Paga.pdf.scr
808	Update on Stamp Duty Charges on Paga.pdf.scr
4016	Update on Stamp Duty Charges on Paga.pdf.scr
2624	Update on Stamp Duty Charges on Paga.pdf.scr
1260	Update on Stamp Duty Charges on Paga.pdf.scr
1008	Update on Stamp Duty Charges on Paga.pdf.scr
1008	Update on Stamp Duty Charges on Paga.pdf.scr
3064	Update on Stamp Duty Charges on Paga.pdf.scr
1648	Update on Stamp Duty Charges on Paga.pdf.scr
1648	Update on Stamp Duty Charges on Paga.pdf.scr
2756	Update on Stamp Duty Charges on Paga.pdf.scr
2756	Update on Stamp Duty Charges on Paga.pdf.scr
3032	Update on Stamp Duty Charges on Paga.pdf.scr
3032	Update on Stamp Duty Charges on Paga.pdf.scr
3032	Update on Stamp Duty Charges on Paga.pdf.scr
3760	Update on Stamp Duty Charges on Paga.pdf.scr
1820	Update on Stamp Duty Charges on Paga.pdf.scr
1260	Update on Stamp Duty Charges on Paga.pdf.scr
1120	Update on Stamp Duty Charges on Paga.pdf.scr
1120	Update on Stamp Duty Charges on Paga.pdf.scr
2276	Update on Stamp Duty Charges on Paga.pdf.scr
2276	Update on Stamp Duty Charges on Paga.pdf.scr
1700	Update on Stamp Duty Charges on Paga.pdf.scr
2944	Update on Stamp Duty Charges on Paga.pdf.scr
1920	Update on Stamp Duty Charges on Paga.pdf.scr
3188	Update on Stamp Duty Charges on Paga.pdf.scr
2500	Update on Stamp Duty Charges on Paga.pdf.scr
2500	Update on Stamp Duty Charges on Paga.pdf.scr
2500	Update on Stamp Duty Charges on Paga.pdf.scr

Suspicious behavior: EnumeratesProcesses 14520 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scr

pid	process
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr
652	Update on Stamp Duty Charges on Paga.pdf.scr

Drops startup file 2 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scr

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Update on Stamp Duty Charges on Paga.pdf.scr
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe	Update on Stamp Duty Charges on Paga.pdf.scr

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Drops file in Program Files directory 2 IoCs

Processes:

RegAsm.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Manager\scsimgr.exe	RegAsm.exe
File opened for modification	C:\Program Files (x86)\SCSI Manager\scsimgr.exe	RegAsm.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3788 schtasks.exe
2504 schtasks.exe

pid	process
3788	schtasks.exe
2504	schtasks.exe

Suspicious use of WriteProcessMemory 218 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scrRegAsm.exeUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scr

description	pid	process	target process
PID 652 wrote to memory of 1904	652	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 652 wrote to memory of 1904	652	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 652 wrote to memory of 1904	652	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 652 wrote to memory of 1904	652	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 652 wrote to memory of 2088	652	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 652 wrote to memory of 2088	652	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 652 wrote to memory of 2088	652	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1904 wrote to memory of 3788	1904	RegAsm.exe	schtasks.exe
PID 1904 wrote to memory of 3788	1904	RegAsm.exe	schtasks.exe
PID 1904 wrote to memory of 3788	1904	RegAsm.exe	schtasks.exe
PID 1904 wrote to memory of 2504	1904	RegAsm.exe	schtasks.exe
PID 1904 wrote to memory of 2504	1904	RegAsm.exe	schtasks.exe
PID 1904 wrote to memory of 2504	1904	RegAsm.exe	schtasks.exe
PID 2088 wrote to memory of 3832	2088	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2088 wrote to memory of 3832	2088	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2088 wrote to memory of 3832	2088	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2088 wrote to memory of 3832	2088	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2088 wrote to memory of 1700	2088	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 2088 wrote to memory of 1700	2088	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 2088 wrote to memory of 1700	2088	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1700 wrote to memory of 3168	1700	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1700 wrote to memory of 3168	1700	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1700 wrote to memory of 3168	1700	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1700 wrote to memory of 3168	1700	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1700 wrote to memory of 424	1700	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1700 wrote to memory of 424	1700	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1700 wrote to memory of 424	1700	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 424 wrote to memory of 4028	424	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 424 wrote to memory of 4028	424	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 424 wrote to memory of 4028	424	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 424 wrote to memory of 4028	424	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 424 wrote to memory of 2092	424	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 424 wrote to memory of 2092	424	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 424 wrote to memory of 2092	424	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 2092 wrote to memory of 4032	2092	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2092 wrote to memory of 4032	2092	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2092 wrote to memory of 4032	2092	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2092 wrote to memory of 2652	2092	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2092 wrote to memory of 2652	2092	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2092 wrote to memory of 2652	2092	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2092 wrote to memory of 2652	2092	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2092 wrote to memory of 3680	2092	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 2092 wrote to memory of 3680	2092	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 2092 wrote to memory of 3680	2092	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 3680 wrote to memory of 3956	3680	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3680 wrote to memory of 3956	3680	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3680 wrote to memory of 3956	3680	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3680 wrote to memory of 1276	3680	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3680 wrote to memory of 1276	3680	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3680 wrote to memory of 1276	3680	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3680 wrote to memory of 1276	3680	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3680 wrote to memory of 1516	3680	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 3680 wrote to memory of 1516	3680	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 3680 wrote to memory of 1516	3680	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1516 wrote to memory of 1620	1516	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1516 wrote to memory of 1620	1516	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1516 wrote to memory of 1620	1516	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1516 wrote to memory of 1620	1516	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1516 wrote to memory of 808	1516	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1516 wrote to memory of 808	1516	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 1516 wrote to memory of 808	1516	Update on Stamp Duty Charges on Paga.pdf.scr	Update on Stamp Duty Charges on Paga.pdf.scr
PID 808 wrote to memory of 2232	808	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 808 wrote to memory of 2232	808	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 808 wrote to memory of 2232	808	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe

Suspicious use of SetThreadContext 26 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scr

description	pid	process	target process
PID 652 set thread context of 1904	652	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2088 set thread context of 3832	2088	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1700 set thread context of 3168	1700	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 424 set thread context of 4028	424	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2092 set thread context of 2652	2092	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3680 set thread context of 1276	3680	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1516 set thread context of 1620	1516	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 808 set thread context of 2232	808	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 4016 set thread context of 2256	4016	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2624 set thread context of 1960	2624	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1260 set thread context of 1820	1260	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1008 set thread context of 3736	1008	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3064 set thread context of 900	3064	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1648 set thread context of 3096	1648	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2756 set thread context of 2096	2756	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3032 set thread context of 3764	3032	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3760 set thread context of 3208	3760	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1820 set thread context of 1176	1820	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1260 set thread context of 3736	1260	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1120 set thread context of 900	1120	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2276 set thread context of 816	2276	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1700 set thread context of 2424	1700	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2944 set thread context of 2756	2944	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 1920 set thread context of 3788	1920	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 3188 set thread context of 996	3188	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe
PID 2500 set thread context of 1336	2500	Update on Stamp Duty Charges on Paga.pdf.scr	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

Update on Stamp Duty Charges on Paga.pdf.scrRegAsm.exeUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scrUpdate on Stamp Duty Charges on Paga.pdf.scr

description	pid	process
Token: SeDebugPrivilege	652	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1904	RegAsm.exe
Token: SeDebugPrivilege	2088	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1700	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	424	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	2092	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	3680	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1516	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	808	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	4016	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	2624	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1260	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1008	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	3064	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1648	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	2756	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	3032	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	3760	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1820	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1260	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1120	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	2276	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1700	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	2944	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	1920	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	3188	Update on Stamp Duty Charges on Paga.pdf.scr
Token: SeDebugPrivilege	2500	Update on Stamp Duty Charges on Paga.pdf.scr

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RegAsm.exe

pid process

1904 RegAsm.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RegAsm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RegAsm.exe

pid	process
1904	RegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegAsm.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Manager = "C:\\Program Files (x86)\\SCSI Manager\\scsimgr.exe"	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: EnumeratesProcesses
- Drops startup file
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: GetForegroundWindowSpam
- Checks whether UAC is enabled
- Adds Run entry to start application
PID:1904

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF279.tmp"
3⤵
- Creates scheduled task(s)
PID:3788

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "SCSI Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF364.tmp"
3⤵
- Creates scheduled task(s)
PID:2504

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
2⤵
- Suspicious behavior: MapViewOfSection
- Drops startup file
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
4⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
5⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
5⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:4032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
6⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
6⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:3956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
7⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
7⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
8⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
8⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
9⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
9⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
10⤵
PID:2256

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
10⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
11⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
11⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
12⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
12⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:3844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
13⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
13⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
14⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
14⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:3012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
15⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
15⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
16⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
16⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:2088

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
17⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
17⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
18⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
18⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
19⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
19⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
20⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
20⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:2080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
21⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
21⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:1244

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
22⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
22⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
23⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
23⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
24⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
24⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
25⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
25⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
26⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr
"C:\Users\Admin\AppData\Local\Temp\Update on Stamp Duty Charges on Paga.pdf.scr" /S
26⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:3040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:2092

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
27⤵
PID:1336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF279.tmp

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF364.tmp

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

Download Submit
memory/424-13-0x0000000000000000-mapping.dmp

Download
memory/808-26-0x0000000000000000-mapping.dmp

Download
memory/816-67-0x000000000041E792-mapping.dmp

Download
memory/900-64-0x000000000041E792-mapping.dmp

Download
memory/900-43-0x000000000041E792-mapping.dmp

Download
memory/996-79-0x000000000041E792-mapping.dmp

Download
memory/1008-38-0x0000000000000000-mapping.dmp

Download
memory/1120-62-0x0000000000000000-mapping.dmp

Download
memory/1176-58-0x000000000041E792-mapping.dmp

Download
memory/1260-59-0x0000000000000000-mapping.dmp

Download
memory/1260-35-0x0000000000000000-mapping.dmp

Download
memory/1276-22-0x000000000041E792-mapping.dmp

Download
memory/1336-82-0x000000000041E792-mapping.dmp

Download
memory/1516-23-0x0000000000000000-mapping.dmp

Download
memory/1620-25-0x000000000041E792-mapping.dmp

Download
memory/1648-44-0x0000000000000000-mapping.dmp

Download
memory/1700-9-0x0000000000000000-mapping.dmp

Download
memory/1700-68-0x0000000000000000-mapping.dmp

Download
memory/1820-37-0x000000000041E792-mapping.dmp

Download
memory/1820-56-0x0000000000000000-mapping.dmp

Download
memory/1904-1-0x000000000041E792-mapping.dmp

Download
memory/1904-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1920-74-0x0000000000000000-mapping.dmp

Download
memory/1960-34-0x000000000041E792-mapping.dmp

Download
memory/2088-2-0x0000000000000000-mapping.dmp

Download
memory/2092-17-0x0000000000000000-mapping.dmp

Download
memory/2096-49-0x000000000041E792-mapping.dmp

Download
memory/2232-28-0x000000000041E792-mapping.dmp

Download
memory/2256-31-0x000000000041E792-mapping.dmp

Download
memory/2276-65-0x0000000000000000-mapping.dmp

Download
memory/2424-70-0x000000000041E792-mapping.dmp

Download
memory/2500-80-0x0000000000000000-mapping.dmp

Download
memory/2504-5-0x0000000000000000-mapping.dmp

Download
memory/2624-32-0x0000000000000000-mapping.dmp

Download
memory/2652-19-0x000000000041E792-mapping.dmp

Download
memory/2756-47-0x0000000000000000-mapping.dmp

Download
memory/2756-73-0x000000000041E792-mapping.dmp

Download
memory/2944-71-0x0000000000000000-mapping.dmp

Download
memory/3032-50-0x0000000000000000-mapping.dmp

Download
memory/3064-41-0x0000000000000000-mapping.dmp

Download
memory/3096-46-0x000000000041E792-mapping.dmp

Download
memory/3168-12-0x000000000041E792-mapping.dmp

Download
memory/3188-77-0x0000000000000000-mapping.dmp

Download
memory/3208-55-0x000000000041E792-mapping.dmp

Download
memory/3680-20-0x0000000000000000-mapping.dmp

Download
memory/3736-61-0x000000000041E792-mapping.dmp

Download
memory/3736-40-0x000000000041E792-mapping.dmp

Download
memory/3760-53-0x0000000000000000-mapping.dmp

Download
memory/3764-52-0x000000000041E792-mapping.dmp

Download
memory/3788-3-0x0000000000000000-mapping.dmp

Download
memory/3788-76-0x000000000041E792-mapping.dmp

Download
memory/3832-8-0x000000000041E792-mapping.dmp

Download
memory/4016-29-0x0000000000000000-mapping.dmp

Download
memory/4028-15-0x000000000041E792-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads