Source: |
Binary string: C:\Users\NEO\Desktop\RavinAcademy\RedTeam-01\10\HTTPMalware\Persist\x64\Release\DLL.pdb source: Qe73sKzGgb.dll |
Source: |
Binary string: C:\Users\NEO\Desktop\RavinAcademy\RedTeam-01\10\HTTPMalware\HTTPMalw\HTTPMalw\obj\Release\HTTPMalw.pdb source: sihost.exe, 00000004.00000002.3330089530.0000024EB5ED0000.00000004.10000000.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.2092725357.0000024EB5E50000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB64E6000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB6421000.00000004.00000001.00020000.00000000.sdmp |
Source: unknown |
Network traffic detected: HTTP traffic on port 49704 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49705 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49711 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49712 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49713 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49714 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49716 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49717 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49718 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49719 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49720 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49721 -> 81 |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246Host: 192.168.1.140:81Content-Length: 133Expect: 100-continueConnection: Keep-Alive |
Source: sihost.exe, 00000004.00000002.3331065779.0000024EB6421000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB657A000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://192.168.1.140:81 |
Source: sihost.exe, 00000004.00000002.3331065779.0000024EB657A000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3330504947.0000024EB62C3000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://192.168.1.140:81/ |
Source: sihost.exe, 00000004.00000002.3330504947.0000024EB62C3000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://192.168.1.140:81/- |
Source: sihost.exe, 00000004.00000002.3330504947.0000024EB62C3000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://192.168.1.140:81/: |
Source: sihost.exe, 00000004.00000002.3331065779.0000024EB65D0000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB65B5000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB64C7000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB659C000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://192.168.1.140:81/X |
Source: sihost.exe, 00000004.00000002.3331065779.0000024EB65D0000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB65B5000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB65EC000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB659C000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://192.168.1.140:81pV |
Source: sihost.exe, 00000004.00000002.3331065779.0000024EB64C7000.00000004.00000001.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Qe73sKzGgb.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: Qe73sKzGgb.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000003.00000002.2139912895.000001BDF7DF0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000003.00000002.2139912895.000001BDF7DF0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000004.00000000.2092567006.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000004.00000000.2092567006.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000004.00000002.3329850570.0000024EB5E10000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000004.00000002.3329850570.0000024EB5E10000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000004.00000002.3329877059.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000004.00000002.3329877059.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: 00000000.00000002.2098220710.000001FA21A10000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown |
Source: 00000000.00000002.2098220710.000001FA21A10000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d Author: unknown |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_0000024EB5E13777 |
4_2_0000024EB5E13777 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_0000024EB5E13B97 |
4_2_0000024EB5E13B97 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_0000024EB5E12B4F |
4_2_0000024EB5E12B4F |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_0000024EB5E13FCF |
4_2_0000024EB5E13FCF |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_0000024EB5E14457 |
4_2_0000024EB5E14457 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_0000024EB5E23777 |
4_2_0000024EB5E23777 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_0000024EB5E23B97 |
4_2_0000024EB5E23B97 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_0000024EB5E22B4F |
4_2_0000024EB5E22B4F |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_0000024EB5E23FCF |
4_2_0000024EB5E23FCF |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_0000024EB5E24457 |
4_2_0000024EB5E24457 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FFC205 |
4_2_00007FF848FFC205 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FFCA58 |
4_2_00007FF848FFCA58 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF59AF |
4_2_00007FF848FF59AF |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF2B4A |
4_2_00007FF848FF2B4A |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FFCB88 |
4_2_00007FF848FFCB88 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FFCBD8 |
4_2_00007FF848FFCBD8 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849006DFB |
4_2_00007FF849006DFB |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FFF6A3 |
4_2_00007FF848FFF6A3 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849043070 |
4_2_00007FF849043070 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849007790 |
4_2_00007FF849007790 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849001A7F |
4_2_00007FF849001A7F |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849001AB0 |
4_2_00007FF849001AB0 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF8490012D8 |
4_2_00007FF8490012D8 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849001AF3 |
4_2_00007FF849001AF3 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849002AF3 |
4_2_00007FF849002AF3 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849002AF0 |
4_2_00007FF849002AF0 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF10FA |
4_2_00007FF848FF10FA |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FFC939 |
4_2_00007FF848FFC939 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FFE9E0 |
4_2_00007FF848FFE9E0 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FFA3FA |
4_2_00007FF848FFA3FA |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF8322 |
4_2_00007FF848FF8322 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF8330 |
4_2_00007FF848FF8330 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF1328 |
4_2_00007FF848FF1328 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849009B60 |
4_2_00007FF849009B60 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FFCB80 |
4_2_00007FF848FFCB80 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849005BD3 |
4_2_00007FF849005BD3 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FFCDF8 |
4_2_00007FF848FFCDF8 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FFD578 |
4_2_00007FF848FFD578 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF8490025A0 |
4_2_00007FF8490025A0 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF8490025A8 |
4_2_00007FF8490025A8 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF8490025D0 |
4_2_00007FF8490025D0 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF8490055F2 |
4_2_00007FF8490055F2 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF50D3 |
4_2_00007FF848FF50D3 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF5960 |
4_2_00007FF848FF5960 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849233A1D |
4_2_00007FF849233A1D |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849231B9D |
4_2_00007FF849231B9D |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849232B7C |
4_2_00007FF849232B7C |
Source: Qe73sKzGgb.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: Qe73sKzGgb.dll, type: SAMPLE |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000003.00000002.2139912895.000001BDF7DF0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000003.00000002.2139912895.000001BDF7DF0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000004.00000000.2092567006.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000004.00000000.2092567006.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000004.00000002.3329850570.0000024EB5E10000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000004.00000002.3329850570.0000024EB5E10000.00000020.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000004.00000002.3329877059.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000004.00000002.3329877059.0000024EB5E20000.00000020.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: 00000000.00000002.2098220710.000001FA21A10000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13 |
Source: 00000000.00000002.2098220710.000001FA21A10000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Donutloader_5c38878d os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 3b55ec6c37891880b53633b936d10f94d2b806db1723875e4ac95f8a34d97150, id = 5c38878d-ca94-4fd9-a36e-1ae5fe713ca2, last_modified = 2021-01-13 |
Source: unknown |
Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\Qe73sKzGgb.dll" |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Qe73sKzGgb.dll",#1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Qe73sKzGgb.dll",#1 |
|
Source: C:\Windows\System32\loaddll64.exe |
Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Qe73sKzGgb.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Qe73sKzGgb.dll",#1 |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: vcruntime140.dll |
Jump to behavior |
Source: C:\Windows\System32\loaddll64.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: mscoree.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: amsi.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: vcruntime140_clr0400.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: ucrtbase_clr0400.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: secur32.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: rasapi32.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: rasman.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: rtutils.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: dhcpcsvc6.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: dhcpcsvc.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Section loaded: version.dll |
Jump to behavior |
Source: Qe73sKzGgb.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: Qe73sKzGgb.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: Qe73sKzGgb.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: Qe73sKzGgb.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Qe73sKzGgb.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: Qe73sKzGgb.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: |
Binary string: C:\Users\NEO\Desktop\RavinAcademy\RedTeam-01\10\HTTPMalware\Persist\x64\Release\DLL.pdb source: Qe73sKzGgb.dll |
Source: |
Binary string: C:\Users\NEO\Desktop\RavinAcademy\RedTeam-01\10\HTTPMalware\HTTPMalw\HTTPMalw\obj\Release\HTTPMalw.pdb source: sihost.exe, 00000004.00000002.3330089530.0000024EB5ED0000.00000004.10000000.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.2092725357.0000024EB5E50000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB64E6000.00000004.00000001.00020000.00000000.sdmp, sihost.exe, 00000004.00000002.3331065779.0000024EB6421000.00000004.00000001.00020000.00000000.sdmp |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF72F0 push ebx; retf |
4_2_00007FF848FF73DA |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF5458 push ebx; retf |
4_2_00007FF848FF73DA |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF7300 push ebx; retf |
4_2_00007FF848FF73DA |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF72F8 push ebx; retf |
4_2_00007FF848FF73DA |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF848FF7338 push ebx; retf |
4_2_00007FF848FF73DA |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF8490025A0 push FFFFFFE8h; ret |
4_2_00007FF8490026F9 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF8490025A8 push FFFFFFE8h; ret |
4_2_00007FF8490026F9 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF8490025D0 push FFFFFFE8h; ret |
4_2_00007FF8490026F9 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF84923096A push edx; ret |
4_2_00007FF84923096B |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF84923294D pushad ; ret |
4_2_00007FF849232974 |
Source: C:\Windows\System32\sihost.exe |
Code function: 4_2_00007FF849236F90 pushfd ; iretd |
4_2_00007FF849236F91 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49704 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49705 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49711 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49712 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49713 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49714 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49716 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49717 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49718 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49719 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49720 -> 81 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49721 -> 81 |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\sihost.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: sihost.exe, 00000004.00000002.3329405613.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.2091868600.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: sihost.exe, 00000004.00000002.3329405613.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.2091868600.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: sihost.exe, 00000004.00000002.3329405613.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.2091868600.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progman |
Source: sihost.exe, 00000004.00000002.3329405613.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp, sihost.exe, 00000004.00000000.2091868600.0000024EB3A21000.00000002.00000001.00040000.00000000.sdmp |
Binary or memory string: Progmanlock |