Malware Analysis Report

2024-09-22 16:46

Sample ID 230630-yhlv2sfe8v
Target SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
SHA256 5bf3863bd0b4af59a4cdf9b9080b60c827cc19e368beae60ea3930adf12ddec0
Tags
darkvnc rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5bf3863bd0b4af59a4cdf9b9080b60c827cc19e368beae60ea3930adf12ddec0

Threat Level: Known bad

The file SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe was found to be: Known bad.

Malicious Activity Summary

darkvnc rat

DarkVNC

DarkVNC payload

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported

2023-06-30 19:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 19:47

Reported

2023-06-30 19:49

Platform

win7-20230621-en

Max time kernel

132s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1392 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 2024 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 432 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 2036 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 1392 wrote to memory of 1348 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

Network

Country | Destination | Domain | Proto
RU | 5.42.66.3:80 | | tcp
RU | 5.42.66.3:80 | | tcp
RU | 5.42.66.3:80 | 5.42.66.3 | tcp

Files

memory/1392-54-0x00000000000F0000-0x0000000000D0C000-memory.dmp

memory/1392-55-0x0000000001150000-0x0000000001190000-memory.dmp

memory/1392-56-0x0000000001150000-0x0000000001190000-memory.dmp

memory/1392-57-0x0000000006520000-0x0000000006624000-memory.dmp

memory/1392-58-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-59-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-61-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-63-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-67-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-65-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-69-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-71-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-73-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-75-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-77-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-79-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-81-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-83-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-85-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-89-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-87-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-91-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-95-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-93-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-99-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-97-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-103-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-101-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-105-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-107-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-111-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-109-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-113-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-115-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-117-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-119-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-121-0x0000000006520000-0x000000000661E000-memory.dmp

memory/1392-1380-0x0000000004D30000-0x0000000004D9A000-memory.dmp

memory/1392-1381-0x00000000058A0000-0x00000000058EC000-memory.dmp

memory/1392-1382-0x0000000002A80000-0x0000000002A81000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-30 19:47

Reported

2023-06-30 19:49

Platform

win10v2004-20230621-en

Max time kernel

151s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe"

Signatures

DarkVNC

rat darkvnc

DarkVNC payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5016 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 5016 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 5016 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 5016 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 5016 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 5016 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 5016 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 5016 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 5016 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe
PID 4168 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Windows\system32\svchost.exe
PID 4168 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Windows\system32\svchost.exe
PID 4168 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Windows\system32\svchost.exe
PID 4168 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Windows\system32\svchost.exe
PID 4168 wrote to memory of 4108 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe | C:\Windows\system32\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.28420.31272.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
RU | 5.42.66.3:80 | 5.42.66.3 | tcp
US | 8.8.8.8:53 | 3.66.42.5.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 20.189.173.15:443 | | tcp
US | 8.8.8.8:53 | 76.143.109.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp
US | 108.177.235.182:443 | | tcp
US | 108.177.235.182:443 | | tcp
US | 8.8.8.8:53 | 182.235.177.108.in-addr.arpa | udp
US | 8.8.8.8:53 | 94.143.109.104.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
GB | 96.16.110.41:443 | | tcp

Files

memory/5016-133-0x00000000001C0000-0x0000000000DDC000-memory.dmp

memory/5016-134-0x0000000005770000-0x0000000005780000-memory.dmp

memory/5016-135-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-136-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-138-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-140-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-142-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-144-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-146-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-148-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-150-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-152-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-154-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-156-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-158-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-160-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-162-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-164-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-166-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-168-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-170-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-172-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-176-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-174-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-178-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-180-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-182-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-184-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-186-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-188-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-192-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-190-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-194-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-196-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-198-0x0000000006850000-0x000000000694E000-memory.dmp

memory/5016-1080-0x0000000005770000-0x0000000005780000-memory.dmp

memory/5016-1458-0x0000000006070000-0x0000000006071000-memory.dmp

memory/5016-1459-0x00000000074C0000-0x0000000007A64000-memory.dmp

memory/4168-1474-0x0000000000400000-0x0000000000488000-memory.dmp

memory/4108-1475-0x0000000000240000-0x0000000000241000-memory.dmp

memory/4108-1476-0x0000000000170000-0x0000000000239000-memory.dmp