Malware Analysis Report

2024-09-22 16:45

Sample ID 230630-ve5bfafa2x
Target SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
SHA256 f4d6fa18bba78d69e878956143665a8f6b489ad5fb5b292507debdc5d3db7008
Tags
darkvnc rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f4d6fa18bba78d69e878956143665a8f6b489ad5fb5b292507debdc5d3db7008

Threat Level: Known bad

The file SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe was found to be: Known bad.

Malicious Activity Summary

darkvnc rat

DarkVNC (family match on the running process; behavioral2 only)

DarkVNC payload (family match on a dumped memory region; behavioral2 only)

Suspicious use of SetThreadContext (points a suspended thread at a new entry point; listed in this summary only, neither run's signature table records an individual event)

Unsigned PE (no embedded Authenticode signature; the static1 check)

Suspicious behavior: MapViewOfSection (maps a section into a process, an alternative to WriteProcessMemory for placing an image; behavioral2 only)

Suspicious behavior: EnumeratesProcesses (behavioral2 only)

Suspicious use of AdjustPrivilegeToken (enables SeDebugPrivilege, which bypasses process-object ACLs when opening other processes; both runs)

Suspicious use of WriteProcessMemory (writes into freshly spawned copies of its own image in both runs and, in behavioral2, into a svchost.exe started with a bare "-k")

Read together, spawn-own-image plus WriteProcessMemory, SetThreadContext and MapViewOfSection is the process-hollowing (RunPE) pattern of a loader that unpacks a native payload in memory; the payload family matched in memory is DarkVNC, a hidden-VNC RAT. The MSIL in the detection name says the outer loader is a .NET binary.

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-06-30 16:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
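"Unsigned PE" is decided from one field of the PE header: whether the IMAGE_DIRECTORY_ENTRY_SECURITY data directory points at an embedded WIN_CERTIFICATE blob. The following is an added example (not Triage's code, and not taken from the sample) that reads that directory and the CLR (COM descriptor) directory, which is what identifies an MSIL binary, with nothing but the standard library. Two caveats a practitioner should keep in mind: a file that is catalog-signed rather than embedded-signed also shows up as "unsigned" under this check, and a present signature is not a valid one until the chain has been verified (signtool or Get-AuthenticodeSignature on Windows). The header bytes built by build_minimal_pe are constructed for the demo and are not a loadable binary.

```python
"""Added example: read the PE data directories behind the "Unsigned PE" verdict
and the MSIL (.NET) classification, pure stdlib. The sample header built at the
bottom is constructed for the demo; it is not the analysed file."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_SECURITY = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY: embedded Authenticode
DIR_COM_DESCRIPTOR = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: .NET CLR header


def pe_directories(data: bytes) -> dict:
    """Walk DOS -> NT headers and read the two data directories this check needs."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not a PE file: no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("not a PE file: no PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte signature.
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    nrva = struct.unpack_from("<I", data, nrva_off)[0]

    def directory(i: int):
        # A directory beyond NumberOfRvaAndSizes (or past the header) does not exist.
        if i >= nrva or dirs_off + 8 * i + 8 > opt + opt_size:
            return (0, 0)
        return struct.unpack_from("<II", data, dirs_off + 8 * i)

    security, clr = directory(DIR_SECURITY), directory(DIR_COM_DESCRIPTOR)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "sections": nsections,
        # The security entry is a raw file offset + size of a WIN_CERTIFICATE blob.
        # size > 0 only means a signature is present, not that it verifies.
        "has_authenticode": security[1] > 0,
        "is_dotnet": clr[0] > 0 and clr[1] > 0,
    }


def static_tags(data: bytes) -> list:
    """Reproduce the two static verdicts relevant to this sample."""
    info = pe_directories(data)
    tags = []
    if not info["has_authenticode"]:
        tags.append("Unsigned PE")
    if info["is_dotnet"]:
        tags.append("MSIL")
    return tags


def build_minimal_pe(security=(0, 0), clr=(0, 0), pe32plus=False) -> bytes:
    """Constructed header-only PE for the demo (not loadable, not the sample)."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    magic = PE32PLUS_MAGIC if pe32plus else PE32_MAGIC
    fixed_len, ndirs = (112 if pe32plus else 96), 16
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       fixed_len + 8 * ndirs, 0x0102)
    fixed = bytearray(fixed_len)
    struct.pack_into("<H", fixed, 0, magic)
    struct.pack_into("<I", fixed, fixed_len - 4, ndirs)   # NumberOfRvaAndSizes
    dirs = bytearray(8 * ndirs)
    struct.pack_into("<II", dirs, 8 * DIR_SECURITY, *security)
    struct.pack_into("<II", dirs, 8 * DIR_COM_DESCRIPTOR, *clr)
    return dos + b"PE\0\0" + coff + bytes(fixed) + bytes(dirs)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_minimal_pe(clr=(0x2008, 0x48))
    print(pe_directories(blob), static_tags(blob))
```

Run it with the sample's path as the first argument to confirm both verdicts on the real file; with no argument it checks a constructed header that has a CLR directory and no security directory, which is exactly the combination the detection name describes.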

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 16:55

Reported

2023-06-30 16:57

Platform

win7-20230621-en

Max time kernel

70s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
PID 872 wrote to memory of 752 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
PID 872 wrote to memory of 1744 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
PID 872 wrote to memory of 1396 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
PID 872 wrote to memory of 1612 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
PID 872 wrote to memory of 1756 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
PID 872 wrote to memory of 1956 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
PID 872 wrote to memory of 1616 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
PID 872 wrote to memory of 880 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
PID 872 wrote to memory of 932 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
PID 872 wrote to memory of 916 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe

(Forty rows in the original listing: the same ten target PIDs, four WriteProcessMemory calls each, writer and target always the sample's own image.)

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe"
  PID 872 (per the WriteProcessMemory table): the submitted sample, the writer in every row above

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe  (ten instances)
  command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
  PIDs 752, 1744, 1396, 1612, 1756, 1956, 1616, 880, 932, 916 (per the WriteProcessMemory table): fresh copies of the sample's own image, each started with the unquoted path as its command line and written into four times by 872. The sandbox recorded nothing further from any of them in this Windows 7 run: no svchost.exe, no MapViewOfSection or payload signature, no network traffic. Compare behavioral2 on Windows 10, where a single child goes on to inject svchost.exe.

Network

N/A (no connections recorded; note that the network capture window for this run was only 30 s, against 117 s for behavioral2)

Files

Memory dumps, all from PID 872 (no other process was dumped in this run). Size is end minus start.

memory/872-54    0x0000000000020000-0x0000000000D16000   0xCF6000 bytes
memory/872-55    0x0000000002BF0000-0x0000000002CE2000   0xF2000 bytes
memory/872-56 through 872-120, 33 dumps (indexes 56, 57, 59, 61, 63, 65, 67, 69, 71, 73, 75, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 98, 100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120)
                 0x0000000002BF0000-0x0000000002CDC000   0xEC000 bytes, the same region dumped 33 times over the run
memory/872-77    0x0000000005550000-0x0000000005590000   0x40000 bytes
memory/872-1101  0x0000000002D40000-0x0000000002DAA000   0x6A000 bytes
memory/872-1102  0x00000000054B0000-0x00000000054FC000   0x4C000 bytes
memory/872-1103  0x00000000012C0000-0x00000000012C1000   0x1000 bytes
memory/872-1104  0x0000000005550000-0x0000000005590000   0x40000 bytes (same region as 872-77)

The 0xEC000-byte region dumped 33 times has the same size and dump count as 4532-135..198 (0x0000000005C40000-0x0000000005D2C000) in behavioral2, which reads as the same unpacking buffer at a different base. When only one dump of a repeatedly captured region is wanted, take the highest index: it is the latest state of the buffer.

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-30 16:55

Reported

2023-06-30 16:57

Platform

win10v2004-20230621-en

Max time kernel

87s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe"

Signatures

DarkVNC

rat darkvnc

Description Indicator Process Target
N/A N/A N/A N/A

DarkVNC payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4532 wrote to memory of 1860 (9 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
PID 1860 wrote to memory of 4852 (5 writes) N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe C:\Windows\system32\svchost.exe

(Fourteen rows in the original listing: nine identical 4532 -> 1860 rows and five identical 1860 -> 4852 rows.)

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe"
  PID 4532 (per the WriteProcessMemory table): the submitted sample

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
  command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe
  PID 1860 (per the WriteProcessMemory table): a second copy of the sample's own image, written into nine times by 4532

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k
  PID 4852 (per the WriteProcessMemory table): written into five times by 1860. A legitimate svchost.exe is a child of services.exe and is started with "-k <service group>"; a bare "-k" with no group name, under a parent in the user's Temp directory, is the command line of a host process created only to receive injected code. This is the process to hunt for on other hosts.
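The two WriteProcessMemory tables and the two Processes listings above are easier to reason about as a graph of who wrote into whom. The following is an added example, not part of Triage's report or of the sample, that reconstructs that graph from rows in the report's own format, flags cross-image writes and writes into Windows system binaries, flags the spawn-and-write fan-out of behavioral1, and applies the svchost.exe sanity check from the Processes listing (parent must be services.exe, command line must carry "-k <group>"). The row lists BEHAVIORAL1 and BEHAVIORAL2 are constructed to match the tables above (one distinct row expanded to the number of times the report repeats it); the svchost check's notion of "legitimate" is an assumption stated in the code, not something the report asserts.

```python
"""Added example: rebuild the injection chain from Triage's
"Suspicious use of WriteProcessMemory" rows and sanity-check the svchost.exe
that appears in the behavioral2 process list. Row data is constructed from this
report; the legitimacy rule for svchost.exe is this example's own assumption."""
import re
from collections import Counter, defaultdict

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Images exactly as they appear in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\SecuriteInfo.com.W32.MSIL_Agent.FSF.gen.Eldorado.16679.16830.exe")
SVCHOST = r"C:\Windows\system32\svchost.exe"


def rows(src, dst, count, src_img, dst_img):
    """Expand one distinct report row into the `count` identical lines the report shows."""
    return [f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"] * count


# Constructed from the two WriteProcessMemory tables of this report.
BEHAVIORAL1 = [line for pid in (752, 1744, 1396, 1612, 1756, 1956, 1616, 880, 932, 916)
               for line in rows(872, pid, 4, SAMPLE, SAMPLE)]
BEHAVIORAL2 = rows(4532, 1860, 9, SAMPLE, SAMPLE) + rows(1860, 4852, 5, SAMPLE, SVCHOST)


def parse(lines):
    """Return ({(writer, target): writes}, {pid: image}). Paths containing spaces
    are not handled; none occur in these rows."""
    edges, image = Counter(), {}
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            continue
        src, dst = int(m[1]), int(m[2])
        edges[(src, dst)] += 1
        image.setdefault(src, m[3])
        image.setdefault(dst, m[4])
    return edges, image


def chains(edges):
    """Follow writer -> target from every root (a pid nothing wrote into)."""
    out = defaultdict(list)
    for s, d in edges:
        out[s].append(d)
    targets = {d for _, d in edges}
    paths = []

    def walk(pid, path):
        if not out.get(pid):
            paths.append(path)
            return
        for nxt in out[pid]:
            if nxt in path:          # a pid already on the path would loop; record and stop
                paths.append(path + [nxt])
            else:
                walk(nxt, path + [nxt])

    for root in sorted(s for s in out if s not in targets):
        walk(root, [root])
    return paths


def findings(lines):
    edges, image = parse(lines)
    flags = []
    for (s, d), n in sorted(edges.items()):
        if image[s].lower() != image[d].lower():
            flags.append(f"{s} -> {d}: cross-image write into {image[d]} ({n} writes)")
        if image[d].lower().startswith("c:\\windows\\"):
            flags.append(f"{s} -> {d}: target is a Windows system binary")
    for s in {s for s, _ in edges}:
        same = sum(1 for (a, d) in edges if a == s and image[d].lower() == image[s].lower())
        if same >= 3:
            flags.append(f"{s}: wrote into {same} fresh copies of its own image (hollowing fan-out)")
    return {"edges": dict(edges), "chains": chains(edges), "flags": flags}


def svchost_anomalies(cmdline, parent_image):
    """Assumed rule: a genuine svchost.exe is a child of services.exe and is
    started with '-k <service group>'. Returns the reasons a process fails it."""
    reasons = []
    if parent_image.lower().rsplit("\\", 1)[-1] != "services.exe":
        reasons.append(f"parent is {parent_image}, not services.exe")
    args = cmdline.split()[1:]
    if "-k" not in args or args.index("-k") + 1 >= len(args):
        reasons.append("no '-k <service group>' argument")
    return reasons


if __name__ == "__main__":
    for name, run in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        r = findings(run)
        print(name, "chains:", r["chains"])
        for f in r["flags"]:
            print("  ", f)
    print(svchost_anomalies(SVCHOST + " -k", SAMPLE))
```

On the report's data this yields ten two-hop chains from 872 in behavioral1 (fan-out, no cross-image write) and the single chain 4532 -> 1860 -> 4852 in behavioral2, where the last hop is the cross-image write into svchost.exe; the svchost check fails on both counts for "svchost.exe -k" under the sample. Feed the same parser rows from other reports to compare chains across samples of the family.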

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 52.182.141.63:443 - tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 96.16.53.204:443 www.bing.com tcp (x5)
US 8.8.8.8:53 204.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 108.177.235.182:443 - tcp (x2)
US 8.8.8.8:53 182.235.177.108.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
NL 87.248.202.1:80 - tcp (x2)

("-" marks a connection with no domain recorded; "(xN)" collapses N identical consecutive rows.)

The report attributes none of these rows to a sample process and lists no C2 indicator. Every UDP row is a reverse (PTR) lookup and the www.bing.com traffic is ordinary Windows 10 background activity. The three bare-IP TCP connections (52.182.141.63:443, 108.177.235.182:443, 87.248.202.1:80) are the only entries worth enriching before concluding that no DarkVNC C2 contact happened within the 117 s network window.

Files

Memory dumps. PID 4532 is the submitted sample; 1860 and 4852 are the processes it wrote into (directly and via 1860), so their regions are where the injected code lives. Size is end minus start.

memory/4532-133   0x0000000000520000-0x0000000001216000   0xCF6000 bytes (same size as 872-54 in behavioral1)
memory/4532-134   0x0000000005D50000-0x0000000005D60000   0x10000 bytes
memory/4532-135 through 4532-198, 33 dumps (index 135 and every even index from 136 to 198)
                  0x0000000005C40000-0x0000000005D2C000   0xEC000 bytes, the same region dumped 33 times (cf. 872-56..120 in behavioral1)
memory/4532-1130  0x0000000005D50000-0x0000000005D60000   0x10000 bytes (same region as 4532-134)
memory/4532-1180  0x0000000005D80000-0x0000000005D81000   0x1000 bytes
memory/4532-1181  0x0000000006870000-0x0000000006E14000   0x5A4000 bytes
memory/1860-1198  0x0000000000400000-0x0000000000488000   0x88000 bytes, at the default image base of the child 4532 wrote into nine times; reads as the replaced image of a hollowed process
memory/4852-1196  0x0000000000B40000-0x0000000000B41000   0x1000 bytes
memory/4852-1197  0x0000000000A70000-0x0000000000B39000   0xC9000 bytes, the region in svchost.exe that 1860 wrote into

1860-1198 and 4852-1197 are the two dumps to examine first for the DarkVNC payload the signatures report; everything in 4532 belongs to the loader.
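Both Files sections above are long lists of dump names that encode process, index and address range, and the useful facts (which regions repeat, how big they are, which live in a process other than the sample) only appear once the names are grouped. The following is an added example, not Triage's code, that parses names in that format, groups them into regions with size and dump count, and picks out the foreign-process regions large enough to hold a PE image. BEHAVIORAL2_DUMPS is constructed to reproduce the behavioral2 list exactly; the "process the sandbox started" is taken to be the pid of the lowest-numbered dump, which is an assumption of the example.

```python
"""Added example: group a Triage "Files" memory-dump listing by process and
region so injected-payload regions stand out from the loader's own buffers.
Dump names are constructed to match behavioral2 of this report."""
import re
from collections import defaultdict

DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def dump_name(pid, idx, start, end):
    return f"memory/{pid}-{idx}-0x{start:016X}-0x{end:016X}-memory.dmp"


# Constructed to reproduce the 41 behavioral2 dump names of this report.
BEHAVIORAL2_DUMPS = (
    [dump_name(4532, 133, 0x520000, 0x1216000), dump_name(4532, 134, 0x5D50000, 0x5D60000)]
    + [dump_name(4532, i, 0x5C40000, 0x5D2C000) for i in (135, *range(136, 199, 2))]
    + [dump_name(4532, 1130, 0x5D50000, 0x5D60000), dump_name(4532, 1180, 0x5D80000, 0x5D81000),
       dump_name(4532, 1181, 0x6870000, 0x6E14000), dump_name(4852, 1197, 0xA70000, 0xB39000),
       dump_name(1860, 1198, 0x400000, 0x488000), dump_name(4852, 1196, 0xB40000, 0xB41000)]
)


def parse_dump(name):
    """-> (pid, index, start, end) from one dump file name."""
    m = DUMP.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)


def regions(names, initial_pid=None):
    """One record per (pid, start, end). initial_pid defaults to the pid of the
    lowest-numbered dump (assumed to be the process the sandbox started)."""
    parsed = [parse_dump(n) for n in names]
    if initial_pid is None:
        initial_pid = min(parsed, key=lambda p: p[1])[0]
    groups = defaultdict(list)
    for pid, idx, start, end in parsed:
        groups[(pid, start, end)].append(idx)
    return [{
        "pid": pid, "start": start, "end": end, "size": end - start,
        "dumps": len(idxs), "first": min(idxs), "last": max(idxs),
        "foreign": pid != initial_pid,  # region lives in a process the sample wrote into
    } for (pid, start, end), idxs in sorted(groups.items())]


def payload_candidates(names, initial_pid=None, min_size=0x10000):
    """Foreign-process regions large enough to hold a PE image: unpack these first."""
    return [r for r in regions(names, initial_pid) if r["foreign"] and r["size"] >= min_size]


def most_dumped(names):
    """The region the sandbox kept re-dumping, i.e. the loader's working buffer."""
    return max(regions(names), key=lambda r: r["dumps"])


if __name__ == "__main__":
    for r in regions(BEHAVIORAL2_DUMPS):
        tag = "  <- injected" if r["foreign"] else ""
        print(f"pid {r['pid']:>5} {r['start']:#011x}-{r['end']:#011x} "
              f"size {r['size']:#8x} dumps {r['dumps']:>2}{tag}")
```

On the behavioral2 list this reports the 0xEC000-byte buffer in 4532 as the most-dumped region (33 captures, indexes 135 to 198) and returns 1860-1198 (0x88000 bytes) and 4852-1197 (0xC9000 bytes) as the payload candidates; the 0x1000-byte region in 4852 falls under the size floor. Paste the behavioral1 names into the same function to get the matching 33-capture buffer in 872.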