Analysis Overview
SHA256
6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
Threat Level: Known bad
The file 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Deletes itself
Executes dropped EXE
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-09 12:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-09 12:36
Reported
2024-04-09 12:56
Platform
win7-20240221-en
Max time kernel
1200s
Max time network
838s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jerjtgh | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jerjtgh | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jerjtgh | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jerjtgh | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jerjtgh | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jerjtgh | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jerjtgh | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jerjtgh | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jerjtgh | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jerjtgh | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2140 wrote to memory of 320 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\jerjtgh |
| PID 2140 wrote to memory of 320 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\jerjtgh |
| PID 2140 wrote to memory of 320 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\jerjtgh |
| PID 2140 wrote to memory of 320 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\jerjtgh |
| PID 2224 wrote to memory of 3008 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\jerjtgh |
| PID 2224 wrote to memory of 3008 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\jerjtgh |
| PID 2224 wrote to memory of 3008 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\jerjtgh |
| PID 2224 wrote to memory of 3008 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Roaming\jerjtgh |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
"C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {CD8F87B2-6F74-404F-85D1-41E939DA1ECE} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\jerjtgh
C:\Users\Admin\AppData\Roaming\jerjtgh
C:\Windows\system32\taskeng.exe
taskeng.exe {A79E10C1-586F-41E0-9A10-03A7DA09373D} S-1-5-21-1658372521-4246568289-2509113762-1000:PIRBKNPS\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\jerjtgh
C:\Users\Admin\AppData\Roaming\jerjtgh
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
Files
memory/2152-1-0x0000000000250000-0x0000000000350000-memory.dmp
memory/2152-2-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/2152-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1256-4-0x0000000002A90000-0x0000000002AA6000-memory.dmp
memory/2152-5-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\jerjtgh
| MD5 | 5cddaacf9782c030db128e3ebfd8f301 |
| SHA1 | 71bae291b66ecfad6ee79ab150c9b4bdc676f06c |
| SHA256 | 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23 |
| SHA512 | bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797 |
memory/320-14-0x0000000002740000-0x0000000002840000-memory.dmp
memory/320-15-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1256-16-0x0000000002930000-0x0000000002946000-memory.dmp
memory/320-17-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3008-23-0x0000000002370000-0x0000000002470000-memory.dmp
memory/3008-24-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1256-25-0x0000000002960000-0x0000000002976000-memory.dmp
memory/3008-28-0x0000000000400000-0x00000000022D1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-09 12:36
Reported
2024-04-09 12:58
Platform
win10-20240404-en
Max time kernel
1192s
Max time network
868s
Command Line
Signatures
SmokeLoader
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
"C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 492
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 26.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/944-1-0x00000000024E0000-0x00000000025E0000-memory.dmp
memory/944-2-0x0000000002340000-0x000000000234B000-memory.dmp
memory/944-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/944-6-0x00000000024E0000-0x00000000025E0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-09 12:36
Reported
2024-04-09 12:59
Platform
win10v2004-20240226-en
Max time kernel
1200s
Max time network
1160s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\buefffb | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\buefffb | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\buefffb | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\buefffb | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\buefffb | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
"C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe"
C:\Users\Admin\AppData\Roaming\buefffb
C:\Users\Admin\AppData\Roaming\buefffb
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.249.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
Files
memory/1944-1-0x0000000002570000-0x0000000002670000-memory.dmp
memory/1944-2-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1944-3-0x0000000004030000-0x000000000403B000-memory.dmp
memory/3204-5-0x00000000024F0000-0x0000000002506000-memory.dmp
memory/1944-4-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1944-8-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\buefffb
| MD5 | 5cddaacf9782c030db128e3ebfd8f301 |
| SHA1 | 71bae291b66ecfad6ee79ab150c9b4bdc676f06c |
| SHA256 | 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23 |
| SHA512 | bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797 |
memory/2040-15-0x0000000002300000-0x0000000002400000-memory.dmp
memory/2040-16-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3204-17-0x0000000000760000-0x0000000000776000-memory.dmp
memory/2040-18-0x0000000000400000-0x00000000022D1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-09 12:36
Reported
2024-04-09 12:59
Platform
win11-20240221-en
Max time kernel
1200s
Max time network
1174s
Command Line
Signatures
SmokeLoader
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rdgvfej | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rdgvfej | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rdgvfej | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rdgvfej | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rdgvfej | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe
"C:\Users\Admin\AppData\Local\Temp\6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23.exe"
C:\Users\Admin\AppData\Roaming\rdgvfej
C:\Users\Admin\AppData\Roaming\rdgvfej
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
Files
memory/1436-1-0x0000000002380000-0x0000000002480000-memory.dmp
memory/1436-2-0x0000000004120000-0x000000000412B000-memory.dmp
memory/1436-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3184-4-0x0000000001330000-0x0000000001346000-memory.dmp
memory/1436-5-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Roaming\rdgvfej
| MD5 | 5cddaacf9782c030db128e3ebfd8f301 |
| SHA1 | 71bae291b66ecfad6ee79ab150c9b4bdc676f06c |
| SHA256 | 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23 |
| SHA512 | bee3cbdeac5a317f58ebb2d621740f8b7e81e47db236327cb0e908bc49886e320e30a95191470953177740f702adfe704a626325ddd2a33f10c8ec3060059797 |
memory/3500-14-0x0000000002530000-0x0000000002630000-memory.dmp
memory/3500-15-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3184-16-0x00000000011E0000-0x00000000011F6000-memory.dmp
memory/3500-19-0x0000000000400000-0x00000000022D1000-memory.dmp