Windows
Analysis Report
smphost.dll
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Uses known network protocols on non-standard ports
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to check if a connection to the internet is available
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- loaddll32.exe (PID: 6120 cmdline: loaddll32.exe "C:\Users\user\Desktop\smphost.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
- cmd.exe (PID: 4764 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
- rundll32.exe (PID: 6212 cmdline: rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- regsvr32.exe (PID: 3576 cmdline: regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
- schtasks.exe (PID: 4532 cmdline: C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx MD5: 15FF7D8324231381BAD48A052F85DF04)
- WerFault.exe (PID: 6348 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 2064 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- rundll32.exe (PID: 6256 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- rundll32.exe (PID: 6760 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- rundll32.exe (PID: 5388 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- regsvr32.exe (PID: 5808 cmdline: C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx MD5: D78B75FC68247E8A63ACBA846182740E)
- regsvr32.exe (PID: 6460 cmdline: -e C:\ProgramData\6\5507.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
- regsvr32.exe (PID: 1264 cmdline: C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx MD5: D78B75FC68247E8A63ACBA846182740E)
- regsvr32.exe (PID: 2016 cmdline: -e C:\ProgramData\6\5507.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
- cleanup
No configs have been found
No yara matches
System Summary |
---|
Source: | Author: Dmitriy Lifanov, oscd.community: |
Source: | Author: Florian Roth: |
Persistence and Installation Behavior |
---|
Source: | Author: Joe Security: |
AV Detection |
---|
Source: | Virustotal: |
Source: | Avira URL Cloud: |
Source: | Static PE information: |
Source: | HTTPS traffic detected: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Code function: |
Networking |
---|
Source: | Network Connect: | ||
Source: | Domain query: |
Source: | Network traffic detected: |
Source: | ASN Name: |
Source: | JA3 fingerprint: |
Source: | Code function: |
Source: | HTTP traffic detected: |
Source: | TCP traffic: |
Source: | Network traffic detected: |
Source: | String found in binary or memory: |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | Code function: |
Source: | HTTP traffic detected: |
Source: | HTTPS traffic detected: |
System Summary |
---|
Source: | Static PE information: |
Source: | Process created: |
Source: | Code function: |
Source: | Section loaded: |
Source: | Virustotal: |
Source: | Static PE information: |
Source: | Key opened: |
Source: | Process created: |
Source: | Key value queried: |
Source: | File created: |
Source: | Classification label: |
Source: | Code function: |
Source: | Process created: |
Source: | Mutant created: |
Source: | File read: |
Source: | Static PE information: |
Source: | Binary string: |
Source: | Static PE information: |
Source: | Process created: |
Persistence and Installation Behavior |
---|
Source: | File created: |
Boot Survival |
---|
Source: | Process created: |
Hooking and other Techniques for Hiding and Protection |
---|
Source: | Network traffic detected: |
Source: | Process information set: |
Source: | Thread sleep time: |
Source: | Process information queried: |
Source: | Code function: |
Source: | Thread delayed: |
Source: | Binary or memory string: |
Source: | Code function: |
Source: | Process queried: |
Source: | Code function: |
HIPS / PFW / Operating System Protection Evasion |
---|
Source: | Network Connect: | ||
Source: | Domain query: |
Source: | Process created: |
Source: | Code function: |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 21 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 111 Process Injection | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 11 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Regsvr32 | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | 4 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Rundll32 | Cached Domain Credentials | 1 System Network Connections Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 23 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 9% | Virustotal | | Browse |
 | 7% | ReversingLabs | Win32.Dropper.Generic | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 7% | ReversingLabs | Win32.Dropper.Generic | |
⊘No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 1% | Virustotal | | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 100% | Avira URL Cloud | malware | |
 | 0% | Avira URL Cloud | safe | |
 | 0% | Avira URL Cloud | safe | |
 | 0% | Avira URL Cloud | safe | |
 | 0% | Avira URL Cloud | safe | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
manageintel.com | 185.14.31.158 | true | true | | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | true | | unknown |
 | true | | unknown |
 | true | | unknown |
 | true | | unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.14.31.158 | manageintel.com | Ukraine | | 21100 | ITLDC-NLUA | true |
IP |
---|
192.168.2.1 |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 562835 |
Start date: | 30.01.2022 |
Start time: | 13:29:09 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 10m 25s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | smphost.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 39 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal88.troj.evad.winDLL@22/7@16/2 |
EGA Information: |
HDC Information: |
HCA Information: |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 184.87.212.60, 2.20.157.220, 52.168.117.173
- Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net
- Not all processes were analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
13:29:59 | API Interceptor | |
13:30:03 | API Interceptor | |
13:30:09 | API Interceptor | |
13:30:37 | Task Scheduler | |
13:31:13 | API Interceptor |
Process: | C:\Windows\SysWOW64\regsvr32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 147656 |
Entropy (8bit): | 6.319927202557722 |
Encrypted: | false |
SSDEEP: | 3072:biKjfYjd3b9fSCNq01bKrF5HiLCK08WA46tvTj:+QfYjBMCNcC+KlWuB3 |
MD5: | FC484855692F2A7D1EAE090086A1EB72 |
SHA1: | 2E9103747750B40835F58D9E57C2AB75EEAF25F6 |
SHA-256: | E58B9BBB7BCDF3E901453B7B9C9E514FED1E53565E3280353DCCC77CDE26A98E |
SHA-512: | 2F6B6E8AA82DC4AA61A540BAE1D98682EC79E73CCFEAF9C273B053C2162F35207842F7AB2F1BC06E927D706EC88ECF209D2C57E86323C38FB43E9D694E624311 |
Malicious: | true |
Antivirus: |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_e8da9d9d47a999f039c77c46f5a596d8854d75e_7a325c51_195cb6b3\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.0976160892483657 |
Encrypted: | false |
SSDEEP: | 192:1Ezc5b6Vt0H+G0cXlje9+X9yww/u7sNS274ItU:oc16VW+G0ajeYG/u7sNX4ItU |
MD5: | 4B1B0E8495D23C9A6B6258ED7D331BE7 |
SHA1: | 2F28B18E4031D078CAB6D972990A1868461365DE |
SHA-256: | 68949226D86CAF86FCD5EC23EBE339B579AD08EA394855F127BB05FE3B3FC66A |
SHA-512: | 3F668FB88564EDAD1B536DF7C0FEE41273FBE6AA7F840FB362D6528BD1D2AC2C1536114E33D266FB65171565E462DCD51D8AFADC84AE17FC7390B286D24FAEB2 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8272 |
Entropy (8bit): | 3.6935513744694903 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiAr6enG6Y306ugmfJTSZX4NCprb89bV8sf0XHm:RrlsNiU6enG6Yk6ugmfJTS6VPfT |
MD5: | 9AC519D1F30DFC7823590054A1628202 |
SHA1: | 534BD1C26250B8D3DE0A52A0092E456659C3BD9E |
SHA-256: | FEA4B47B5080CC0BFA1E8F8F9721C678BBFD751BE1B37509DC6A63BE7801FE0D |
SHA-512: | 84F933BEC412D14514E2B0042138851A8B564C93696ABA37442DE1A6B12BD207587C16CBE62E705EE14F7E3D7D72C537C697815FB1B0EFBFD647B1C1FDF06734 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4630 |
Entropy (8bit): | 4.453126548922244 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs/JgtWI9s84WWSC8Bs8fm8M4JkCFMff+q8p3oKJYhgd:uITfhQuSNDJMfgoqYhgd |
MD5: | 8B06714A9AEBAE2BA184D11D1BC0C1C0 |
SHA1: | F0FC84A0A1D6E1C61A6F71D007F0B6B68F454DC4 |
SHA-256: | B94EFBD2A0C34AC646708D6CB1004ABB13E7E8975639E00905B2881EF17555C2 |
SHA-512: | 2D35D224905ACDB0BC899780A943EE4DDF3F396227998E4F8A0EA7DF895006CDD08F6366C41A832E3B3994FC162A8B529A3184CB1DEF8933A74E680DFAC928DA |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 122464 |
Entropy (8bit): | 2.1643437147123894 |
Encrypted: | false |
SSDEEP: | 768:cBgVbyEqeA2b/V2a8gtuVfHeFNFf5UKXv:Pxr41eF3f5UKX |
MD5: | 5FA42D0F77CA7CD672BA664CA5219DFE |
SHA1: | 93A963564FCF186267C675C7E66244CB14587984 |
SHA-256: | BC158DDC546EA1A1F718D15776E4AA9A39A13E9BF2AB64191E7AAA13DCF46A9A |
SHA-512: | 6F8F9CD35F5543F9CF5E15918FC7463CD8545A1E42B4F8F8ED94A204CCC8FBA2359ACEA2062F45D6105E771A6F9AB2C92692DB50B2EFFCDB7AF92093D4483AD5 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.273231081638743 |
Encrypted: | false |
SSDEEP: | 12288:Lv496ASvyWbVus7uYbNPUB6U4Yal9N63JjvSaH9PKku6X/9c9sMRSO:7496ASvyWbVus7f1 |
MD5: | 065CCF68DC5FE8D5AC14F5B30BDEEF5B |
SHA1: | 4E531CCF4A0987BE26C8BF5657395BBA28FB8E43 |
SHA-256: | F556D5B952BF5686C3D77229CAAB6AAF9DF46B91620126D50F12444A967A0150 |
SHA-512: | 980D2A4527591F094E7156471B1D88499FD45B3A1035F94CB3CBC8F11F1CE64F1594E2D8B1451ADB239F6FC3798F70F666B4BA5F66F3ADE374A9F531249F2F63 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 24576 |
Entropy (8bit): | 4.028041512447004 |
Encrypted: | false |
SSDEEP: | 384:VRwp5Rftx1+PJ4XpsF8nk7kdPBqXpSeq5QMVyi6+/2l4Lk41Zd1DoXzn0Lsbwvg:3w3Rftx1kJ4X+F8k7eBqXQeq5QMVyi6I |
MD5: | FCA21CEF07EB5F05E1E92D9B1645858E |
SHA1: | 35797A6914C2B07CA97855B865CD27AA98573AE8 |
SHA-256: | EF536B299AE7BF8A7A389CB6A2B7CAA22EBEB1886028E85F5209BE8963C2F0A3 |
SHA-512: | 93FBB08DAEED81EC8AECD169CD84D94AA5A7AF81C2333BF426DFFBACEAA9FDD328FAFBAE3EA535D9FE0AA2B4537E44E2E80F9A795BAD6EA734096F8644E4781B |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.319927202557722 |
TrID: |
File name: | smphost.dll |
File size: | 147656 |
MD5: | fc484855692f2a7d1eae090086a1eb72 |
SHA1: | 2e9103747750b40835f58d9e57c2ab75eeaf25f6 |
SHA256: | e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e |
SHA512: | 2f6b6e8aa82dc4aa61a540bae1d98682ec79e73ccfeaf9c273b053c2162f35207842f7ab2f1bc06e927d706ec88ecf209d2c57e86323c38fb43e9d694e624311 |
SSDEEP: | 3072:biKjfYjd3b9fSCNq01bKrF5HiLCK08WA46tvTj:+QfYjBMCNcC+KlWuB3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........1.x.b.x.b.x.b...c.x.b...c`x.b...c.x.b...c.x.b...c.x.b...c.x.b...c.x.b.x.b.x.b...c.x.b...c.x.b...c.x.bRich.x.b............... |
Icon Hash: | 74f0e4ecccdce0e4 |
Entrypoint: | 0x100095e3 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x10000000 |
Subsystem: | windows cui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE |
DLL Characteristics: | DYNAMIC_BASE |
Time Stamp: | 0x61C2D9AE [Wed Dec 22 07:54:22 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 793636b04c2e2f8cfe97a0d2fa1b60e1 |
Signature Valid: | true |
Signature Issuer: | CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | 87CFAD0A22E828FF235A83CA03E90993 |
Thumbprint SHA-1: | 430DBEFF2F6DF708B03354D5D07E78400CFED8E9 |
Thumbprint SHA-256: | 44DAF53D607937F410C3D300100399514D0EE5B03487E7EAD16DFE324D2C5563 |
Serial: | 205483936F360924E8D2A4EB6D3A9F31 |
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007FAAF49D1C27h |
call 00007FAAF49D2029h |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007FAAF49D1AD3h |
add esp, 0Ch |
pop ebp |
retn 000Ch |
and dword ptr [ecx+04h], 00000000h |
mov eax, ecx |
and dword ptr [ecx+08h], 00000000h |
mov dword ptr [ecx+04h], 100153A0h |
mov dword ptr [ecx], 10015398h |
ret |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
lea ecx, dword ptr [ebp-0Ch] |
call 00007FAAF49D1BFFh |
push 1001A634h |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call 00007FAAF49D2AF7h |
int3 |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
lea ecx, dword ptr [ebp-0Ch] |
call 00007FAAF49CB6ECh |
push 1001A538h |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call 00007FAAF49D2ADAh |
int3 |
push ebp |
mov ebp, esp |
and dword ptr [1001CFF0h], 00000000h |
sub esp, 24h |
or dword ptr [1001C010h], 01h |
push 0000000Ah |
call dword ptr [100150C4h] |
test eax, eax |
je 00007FAAF49D1DCFh |
and dword ptr [ebp-10h], 00000000h |
xor eax, eax |
push ebx |
push esi |
push edi |
xor ecx, ecx |
lea edi, dword ptr [ebp-24h] |
push ebx |
cpuid |
mov esi, ebx |
pop ebx |
mov dword ptr [edi], eax |
mov dword ptr [edi+04h], esi |
mov dword ptr [edi+08h], ecx |
xor ecx, ecx |
mov dword ptr [edi+0Ch], edx |
mov eax, dword ptr [ebp-24h] |
mov edi, dword ptr [ebp-1Ch] |
mov dword ptr [ebp-0Ch], eax |
xor edi, 0065746Eh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1ab30 | 0x80 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1abb0 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20000 | 0x5694 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x21a00 | 0x26c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1e000 | 0x132c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x19f0c | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x19f28 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x15000 | 0x1b8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x13939 | 0x13a00 | False | 0.54204816879 | data | 6.52399222454 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x15000 | 0x65be | 0x6600 | False | 0.417662377451 | data | 4.95436624069 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1c000 | 0x1a20 | 0xa00 | False | 0.171484375 | DOS executable (block device driver) | 2.41006083543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.reloc | 0x1e000 | 0x132c | 0x1400 | False | 0.748828125 | data | 6.45202754591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x20000 | 0x5694 | 0x5800 | False | 0.205344460227 | data | 3.76919834084 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
MUI | 0x2010c | 0xf0 | data | English | United States |
WEVT_TEMPLATE | 0x201fc | 0x50ca | data | English | United States |
RT_VERSION | 0x252c8 | 0x3cc | data | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | DeleteCriticalSection, CreateMutexExW, GetPriorityClass, GetProcessId, GetVersion, GetProductInfo, InitializeCriticalSectionEx, FormatMessageA, FormatMessageW, GetConsoleCP, CreateFileW, CloseHandle, GetStringTypeW, SetFilePointerEx, GetProcessHeap, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetLastError, RaiseException, DecodePointer, DisableThreadLibraryCalls, SetFileAttributesW, SetStdHandle, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, OutputDebugStringW, EnterCriticalSection, LeaveCriticalSection, RtlUnwind, InterlockedFlushSList, SetLastError, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, LCMapStringW, GetStdHandle, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, WriteConsoleW |
USER32.dll | CharNextW, CreatePopupMenu, GetMessageTime |
GDI32.dll | TextOutA, FlattenPath, TextOutW |
ADVAPI32.dll | RevertToSelf, IsValidSid, IsValidAcl, IsTokenRestricted, GetSidIdentifierAuthority, CveEventWrite |
SHELL32.dll | DuplicateIcon |
ole32.dll | CoGetCallerTID, CoCreateInstance, CoInitialize, CoTaskMemAlloc, OleInitialize, CoCancelCall |
SHLWAPI.dll | SHStrDupA, SHStrDupW, SHGetThreadRef |
RPCRT4.dll | UuidCreate, DceErrorInqTextA, RpcExceptionFilter |
Name | Ordinal | Address |
---|---|---|
DllInstall | 1 | 0x10008630 |
DllRegisterServer | 2 | 0x10008a90 |
DllUnregisterServer | 3 | 0x10008be0 |
Description | Data |
---|---|
LegalCopyright | Microsoft Corporation. All rights reserved. |
InternalName | smphost.dll |
FileVersion | 10.0.21286.1000 (WinBuild.160101.0800) |
CompanyName | Microsoft Corporation |
ProductName | Microsoft Windows Operating System |
ProductVersion | 10.0.21286.1000 |
FileDescription | Storage Management Provider (SMP) host service |
OriginalFilename | smphost.dll |
Translation | 0x0000 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States | |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 30, 2022 13:30:33.857294083 CET | 192.168.2.3 | 8.8.8.8 | 0x7cc0 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:30:45.993905067 CET | 192.168.2.3 | 8.8.8.8 | 0x597a | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:35.122937918 CET | 192.168.2.3 | 8.8.8.8 | 0x5c78 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:57.296422958 CET | 192.168.2.3 | 8.8.8.8 | 0x70a3 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:57.659612894 CET | 192.168.2.3 | 8.8.8.8 | 0x655b | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:58.082448006 CET | 192.168.2.3 | 8.8.8.8 | 0xd024 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:58.536200047 CET | 192.168.2.3 | 8.8.8.8 | 0xbad9 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:58.946538925 CET | 192.168.2.3 | 8.8.8.8 | 0xf53c | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:59.672009945 CET | 192.168.2.3 | 8.8.8.8 | 0xc2b5 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:00.161225080 CET | 192.168.2.3 | 8.8.8.8 | 0x4948 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:00.611428022 CET | 192.168.2.3 | 8.8.8.8 | 0x667e | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:01.050307035 CET | 192.168.2.3 | 8.8.8.8 | 0x68a3 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:01.506730080 CET | 192.168.2.3 | 8.8.8.8 | 0xebcc | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:02.034220934 CET | 192.168.2.3 | 8.8.8.8 | 0xbd6 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:02.486901045 CET | 192.168.2.3 | 8.8.8.8 | 0x4708 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:02.890970945 CET | 192.168.2.3 | 8.8.8.8 | 0xb9ac | Standard query (0) | | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 30, 2022 13:30:33.965790987 CET | 8.8.8.8 | 192.168.2.3 | 0x7cc0 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:30:46.100111008 CET | 8.8.8.8 | 192.168.2.3 | 0x597a | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:35.141964912 CET | 8.8.8.8 | 192.168.2.3 | 0x5c78 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:57.315294981 CET | 8.8.8.8 | 192.168.2.3 | 0x70a3 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:57.678364038 CET | 8.8.8.8 | 192.168.2.3 | 0x655b | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:58.099420071 CET | 8.8.8.8 | 192.168.2.3 | 0xd024 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:58.554920912 CET | 8.8.8.8 | 192.168.2.3 | 0xbad9 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:59.262975931 CET | 8.8.8.8 | 192.168.2.3 | 0xf53c | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:33:59.778824091 CET | 8.8.8.8 | 192.168.2.3 | 0xc2b5 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:00.178107023 CET | 8.8.8.8 | 192.168.2.3 | 0x4948 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:00.630093098 CET | 8.8.8.8 | 192.168.2.3 | 0x667e | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:01.069185972 CET | 8.8.8.8 | 192.168.2.3 | 0x68a3 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:01.621577024 CET | 8.8.8.8 | 192.168.2.3 | 0xebcc | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:02.052918911 CET | 8.8.8.8 | 192.168.2.3 | 0xbd6 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:02.503182888 CET | 8.8.8.8 | 192.168.2.3 | 0x4708 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:34:02.907778978 CET | 8.8.8.8 | 192.168.2.3 | 0xb9ac | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49759 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49761 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
10 | 192.168.2.3 | 49848 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 30, 2022 13:33:59.804485083 CET | 14269 | OUT | |
Jan 30, 2022 13:34:00.021991014 CET | 14270 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
11 | 192.168.2.3 | 49849 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 30, 2022 13:34:00.202415943 CET | 14271 | OUT | |
Jan 30, 2022 13:34:00.459328890 CET | 14271 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
12 | 192.168.2.3 | 49850 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 30, 2022 13:34:00.658077002 CET | 14272 | OUT | |
Jan 30, 2022 13:34:00.914897919 CET | 14273 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
13 | 192.168.2.3 | 49851 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 30, 2022 13:34:01.098141909 CET | 14274 | OUT | |
Jan 30, 2022 13:34:01.365734100 CET | 14274 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
14 | 192.168.2.3 | 49852 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 30, 2022 13:34:01.648149967 CET | 14275 | OUT | |
Jan 30, 2022 13:34:01.879401922 CET | 14275 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
15 | 192.168.2.3 | 49853 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 30, 2022 13:34:02.077996969 CET | 14276 | OUT | |
Jan 30, 2022 13:34:02.345707893 CET | 14277 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
16 | 192.168.2.3 | 49854 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 30, 2022 13:34:02.528935909 CET | 14278 | OUT | |
Jan 30, 2022 13:34:02.774950981 CET | 14278 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
17 | 192.168.2.3 | 49855 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 30, 2022 13:34:02.932660103 CET | 14279 | OUT | |
Jan 30, 2022 13:34:03.160350084 CET | 14280 | IN | |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.3 | 49764 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.3 | 49841 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.3 | 49762 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 30, 2022 13:30:46.144690990 CET | 2014 | OUT | |