Windows
Analysis Report
smphost.dll
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Uses known network protocols on non-standard ports
Sigma detected: Regsvr32 Network Activity
Sigma detected: Suspicious Call by Ordinal
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Drops PE files to the application program directory (C:\ProgramData)
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Checks if the current process is being debugged
Registers a DLL
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
- loaddll32.exe (PID: 4536 cmdline: loaddll32.exe "C:\Users\user\Desktop\smphost.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
- cmd.exe (PID: 4540 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
- rundll32.exe (PID: 4612 cmdline: rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- regsvr32.exe (PID: 6260 cmdline: regsvr32.exe /i /s C:\Users\user\Desktop\smphost.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
- schtasks.exe (PID: 5552 cmdline: C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 /TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx MD5: 15FF7D8324231381BAD48A052F85DF04)
- WerFault.exe (PID: 4424 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6260 -s 2076 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
- rundll32.exe (PID: 4348 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllInstall MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- rundll32.exe (PID: 5100 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- rundll32.exe (PID: 3940 cmdline: rundll32.exe C:\Users\user\Desktop\smphost.dll,DllUnregisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
- regsvr32.exe (PID: 4360 cmdline: C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx MD5: D78B75FC68247E8A63ACBA846182740E)
- regsvr32.exe (PID: 5264 cmdline: -e C:\ProgramData\6\5507.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
- cleanup
No configs have been found
No yara matches
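The process tree and signatures above describe one chain: the DLL (carrying a valid Sectigo-issued Authenticode signature while its version info claims Microsoft Corporation, so the signature says nothing about the claimed publisher) is loaded through rundll32.exe and regsvr32.exe, a copy with the same hashes as the sample appears as C:\ProgramData\6\5507.ocx, schtasks.exe registers task 5507 to run regsvr32.exe -e on that copy every three minutes, and regsvr32.exe then makes network connections (the trace shows TLS to 185.14.31.158, manageintel.com). The following detection logic, added here as an example and not part of the Joe Sandbox report, encodes the three Sigma-style checks the report names (a scheduled task whose action is a system binary loading code from a user-writable directory, rundll32 called by ordinal, regsvr32/rundll32 network activity) plus a correlation from the task to the process that later runs its action. It runs over constructed Sysmon-style process-creation (event 1) and network-connect (event 3) records modelled on the report's command lines; the event dicts, rule names and the untrusted-directory list are this example's own choices, not fields from the report.

```python
"""Detection logic for the behaviours this report flags, run over a few
constructed Sysmon-style events.  The events are modelled on the command
lines in the process tree above; they are made up for this example and are
not sandbox output."""
import re
from ipaddress import ip_address
from typing import Iterable

SYSMON_PROCESS_CREATE = 1      # real Sysmon event IDs
SYSMON_NETWORK_CONNECT = 3

# System binaries that have no business initiating outbound connections.
NO_NETWORK_LOLBINS = {"regsvr32.exe", "rundll32.exe", "schtasks.exe"}
# Directories a scheduled task or COM registration should not load code from
# (example list; tune to the environment).
UNTRUSTED_DIRS = ("c:\\programdata\\", "c:\\users\\", "\\appdata\\", "\\temp\\")

_TR_ARG = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)   # schtasks action
_TN_ARG = re.compile(r"/tn\s+(\S+)", re.IGNORECASE)                 # schtasks task name
_ORDINAL_CALL = re.compile(r",\s*#\d+\b")                           # rundll32 foo.dll,#1


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_cmd(cmdline: str) -> tuple[str, str]:
    """(image basename, remaining arguments lowercased); handles a quoted image path."""
    s = cmdline.strip()
    if s.startswith('"') and '"' in s[1:]:
        img, _, rest = s[1:].partition('"')
    else:
        img, _, rest = s.partition(" ")
    return basename(img), rest.strip().lower()


def in_untrusted_dir(text: str) -> bool:
    return any(marker in text.lower() for marker in UNTRUSTED_DIRS)


def detect(events: Iterable[dict]) -> list[dict]:
    """Apply the rules and return one finding per hit, in event order."""
    findings: list[dict] = []
    task_actions: dict[str, tuple[str, str]] = {}   # task name -> (image, args)

    def hit(rule: str, ev: dict, detail: str) -> None:
        findings.append({"rule": rule, "pid": ev.get("ProcessId"), "detail": detail})

    for ev in events:
        image = basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")

        if ev["EventID"] == SYSMON_PROCESS_CREATE:
            # "Schedule system process": task action is a LOLBIN loading code
            # from a user-writable directory.
            if image == "schtasks.exe" and "/create" in cmd.lower():
                m = _TR_ARG.search(cmd)
                action = (m.group(1) or m.group(2)) if m else ""
                act_img, act_args = split_cmd(action)
                if act_img in NO_NETWORK_LOLBINS and in_untrusted_dir(act_args):
                    n = _TN_ARG.search(cmd)
                    name = n.group(1) if n else "?"
                    task_actions[name] = (act_img, act_args)
                    hit("schtasks_lolbin_untrusted_path", ev, f"task {name}: {action}")

            # "Suspicious Call by Ordinal": rundll32 export invoked as #N.
            if image == "rundll32.exe" and _ORDINAL_CALL.search(cmd):
                hit("rundll32_ordinal_call", ev, cmd)

            # DLL registered/loaded from a user-writable directory, and
            # correlation back to the scheduled task whose action this is.
            if image in {"regsvr32.exe", "rundll32.exe"} and in_untrusted_dir(cmd):
                hit("lolbin_loads_untrusted_dll", ev, cmd)
                for name, task_cmd in task_actions.items():
                    if task_cmd == split_cmd(cmd):
                        hit("scheduled_task_fired", ev, f"task {name} ran its action")

        elif ev["EventID"] == SYSMON_NETWORK_CONNECT:
            # "Regsvr32 Network Activity" / "System process connects to network".
            dst = ev.get("DestinationIp", "")
            if image in NO_NETWORK_LOLBINS and dst and not ip_address(dst).is_private:
                hit("lolbin_network_connect", ev, f"{dst}:{ev.get('DestinationPort')}")
    return findings


SAMPLE_EVENTS = [  # constructed; PIDs and command lines follow the report's process tree
    {"EventID": 1, "ProcessId": 4612, "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\smphost.dll",#1'},
    {"EventID": 1, "ProcessId": 5552, "Image": r"C:\Windows\system32\schtasks.exe",
     "CommandLine": r'"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /MO 3 /TN 5507 '
                    r'/TR "%windir%\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx"'},
    {"EventID": 1, "ProcessId": 4360, "Image": r"C:\Windows\system32\regsvr32.exe",
     "CommandLine": r"C:\Windows\system32\regsvr32.exe -e C:\ProgramData\6\5507.ocx"},
    {"EventID": 3, "ProcessId": 4360, "Image": r"C:\Windows\system32\regsvr32.exe",
     "DestinationIp": "185.14.31.158", "DestinationPort": 443},
    # Benign controls: a task whose action lives in System32, and svchost talking out.
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\system32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\Windows\system32\cleanmgr.exe /sagerun:1"'},
    {"EventID": 3, "ProcessId": 1200, "Image": r"C:\Windows\system32\svchost.exe",
     "DestinationIp": "20.42.73.29", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:32} pid={f['pid']}  {f['detail']}")
```

The two benign control events produce no findings; the four modelled on the report produce six, including the correlation that PID 4360 is task 5507's action firing. Matching the task action to the later process by (image basename, normalised arguments) rather than full path is what lets the `%windir%` form in the task definition line up with the expanded `C:\Windows\system32` path in the process-creation record.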
System Summary |
---|
Source: | Author: Dmitriy Lifanov, oscd.community |
Source: | Author: Florian Roth |
Persistence and Installation Behavior |
---|
Source: | Author: Joe Security |
AV Detection |
---|
Evidence: Virustotal (Perma Link); Avira URL Cloud; Static PE information (2); HTTPS traffic detected (2); Code function (2) |
Networking |
---|
Evidence: Domain query (2); Network Connect (2); Network traffic detected (20); ASN Name; JA3 fingerprint; HTTP traffic detected (11); IP Address; TCP traffic; String found in binary or memory (2); DNS traffic detected; HTTPS traffic detected (2) |
System Summary |
---|
Evidence: Static PE information (15); Process created (22); Code function (7); Section loaded (3); Dropped File; Virustotal; Key opened; Key value queried; File created; Classification label; Mutant created (2); File read (8) |
Persistence and Installation Behavior |
---|
Evidence: File created (2, dropped files) |
Boot Survival |
---|
Evidence: Process created |
Hooking and other Techniques for Hiding and Protection |
---|
Evidence: Network traffic detected (6); Process information set (27); Thread sleep time (4); Last function (3); API coverage (2); Process information queried; Code function (20); Thread delayed (2); Binary or memory string (2); Process queried (2) |
HIPS / PFW / Operating System Protection Evasion |
---|
Evidence: Domain query (2); Network Connect (2); Process created; Code function (3) |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 21 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 111 Process Injection | LSASS Memory | 31 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 11 Non-Standard Port | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 1 Ingress Tool Transfer | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Obfuscated Files or Information | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 3 Non-Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Regsvr32 | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | 4 Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Rundll32 | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
9% | Virustotal | Browse | ||
7% | ReversingLabs | Win32.Dropper.Generic |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
7% | ReversingLabs | Win32.Dropper.Generic |
No Antivirus matches
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
4% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
100% | Avira URL Cloud | malware | ||
0% | Avira URL Cloud | safe | ||
0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
manageintel.com | 185.14.31.158 | true | true | | unknown |
the.earth.li | 93.93.131.124 | true | false | | high |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
| true | | unknown |
| true | | unknown |
| false | | high |
| false | | high |
| true | | unknown |
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
185.14.31.158 | manageintel.com | Ukraine | | 21100 | ITLDC-NLUA | true |
93.93.131.124 | the.earth.li | United Kingdom | | 44684 | MYTHICMythicBeastsLtdGB | false |
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 562835 |
Start date: | 30.01.2022 |
Start time: | 13:40:54 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 42s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | smphost.dll |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Run with higher sleep bypass |
Number of analysed new started processes analysed: | 31 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal88.troj.evad.winDLL@19/7@5/2 |
Cookbook Comments: |
- Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
- TCP Packets have been reduced to 100
- Excluded IPs from analysis (whitelisted): 2.20.157.220, 20.42.73.29
- Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com
- Not all processes were analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtAllocateVirtualMemory calls found.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
13:43:18 | Task Scheduler |
Process: | C:\Windows\SysWOW64\regsvr32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 147656 |
Entropy (8bit): | 6.319927202557722 |
Encrypted: | false |
SSDEEP: | 3072:biKjfYjd3b9fSCNq01bKrF5HiLCK08WA46tvTj:+QfYjBMCNcC+KlWuB3 |
MD5: | FC484855692F2A7D1EAE090086A1EB72 |
SHA1: | 2E9103747750B40835F58D9E57C2AB75EEAF25F6 |
SHA-256: | E58B9BBB7BCDF3E901453B7B9C9E514FED1E53565E3280353DCCC77CDE26A98E |
SHA-512: | 2F6B6E8AA82DC4AA61A540BAE1D98682EC79E73CCFEAF9C273B053C2162F35207842F7AB2F1BC06E927D706EC88ECF209D2C57E86323C38FB43E9D694E624311 |
Malicious: | true |
Antivirus: |
Reputation: | low |
Preview: |
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_regsvr32.exe_6a6ca821ebbab05224d67cc3f7b1b60df6be9b5_7a325c51_102a2f91\Report.wer
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 65536 |
Entropy (8bit): | 1.1014905013135325 |
Encrypted: | false |
SSDEEP: | 192:RdzcVb6VCJHBUZMXYje9+X9yww/u7sIS274ItU:XcR6V0BUZMXYjeYG/u7sIX4ItU |
MD5: | 4E69ED442264DFCFC8A976327CCCDB90 |
SHA1: | 40A769A14E0A00CD4C360D2295D2240E04F12439 |
SHA-256: | FA68E07EC0EFF4B1100FA2157DEEB5DEB7F6B9FE7CA5634730CF90C73F7CF8A2 |
SHA-512: | 4C5D6D30A16B15A769B4E38F13E6032E41FD00DAC7901B08DFEFCA3FDABFF4C4A9CED2956521A490E5A9F3F8DD3F81F0CBF4C30E08BFBD6190513E8205D4E18B |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 8348 |
Entropy (8bit): | 3.699704629357335 |
Encrypted: | false |
SSDEEP: | 192:Rrl7r3GLNiNV6r/6YmP6GgmfJkSuCprE89bgnsfOgm:RrlsNiv6D6Ye6GgmfJkSXgsfw |
MD5: | E96D4D5B95A58E1D9479774C469491FF |
SHA1: | 559B525E7E8D954FD42066CCC472E34CA3E8CB8B |
SHA-256: | 2759879D390CFED62D7AE335715B83B86338CE8A76F75EF4E3838DCA790D55B3 |
SHA-512: | 466D0E1EDA3DE238CCD4727374DD47CFAA5C37D27959D72713F8F21085B47CF744F1F5513B57E3DC30AFF7ED0D855F9DE2909EBD3CC3FBADCFE662866793C818 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 4670 |
Entropy (8bit): | 4.495863358154354 |
Encrypted: | false |
SSDEEP: | 48:cvIwSD8zs9JgtWI91QCR1WSC8Bv8fm8M4JkfZFTq8N+q8Vv9KJYZgd:uITfX0QCRESNuJONNc9qYZgd |
MD5: | F462CCD4FC842482C025AD2DEFDD8B84 |
SHA1: | B8C2826A92BA13ED39C25F8B5329C069B518F71D |
SHA-256: | FE5C9762D8018324451025AAFE54ABC64513D9B98F1ED7D7590AEF2322EE8469 |
SHA-512: | 118204611273585C81D8E8E66AE15378A32F76F513CE5DC613A2513F4546BBCD629E90EDDE0117B2503C1D6942C3CA0BA5C2F0247FF13E198604FA0B62D1F4F3 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 126704 |
Entropy (8bit): | 2.116314663382975 |
Encrypted: | false |
SSDEEP: | 384:d0XmgKl23tP5Lb3ol8XAG/W1z4x3FqDZlRHgTdS9wr4kc:dNMPVbo8XAG1l+Z/2S9wEL |
MD5: | 7E44EF0D1F00994D03F0D1FCAC053260 |
SHA1: | 6204423E1FA898C99B8BA1977A07729C098951FB |
SHA-256: | 0E2A562AF7240D2F9825F169FDC460AA993F8A556EAF0BC642CDA60847D7DA2C |
SHA-512: | C80CE35F2A13D50BB7823C6A32F4BF82776524647E46455F5AEC8FE0985C28992656E0D10A64DCF3662705636077A37ADB9B01086DF64D376CAC46A21429C1AB |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 1572864 |
Entropy (8bit): | 4.272035649297127 |
Encrypted: | false |
SSDEEP: | 12288:J6UcbZ/kyWQ+az8/CNccMYx1SSnYIh0EO0qhtaGkbvhtkc2/UNLusV:wUcbZ/kyWQ+az8eY |
MD5: | 9FC5B772E8FD54476EAAFE05A8F2948F |
SHA1: | 4F087C7392CC2676356F5BD673AAB2F96C9E17E6 |
SHA-256: | AB2252D7CD408FC90D4F0274677CA89E152A5EED46731F6382C8AF9C7ACEAE0A |
SHA-512: | 355C5171038D1F4D8055FC942156562EBBA73DA951039D6AA95AE6EA371ECB1CE01F59DC2C582115503953851BF486CA73A4C4276CCE3651D2E6F2FA12E9C3A7 |
Malicious: | false |
Preview: |
Process: | C:\Windows\SysWOW64\WerFault.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 24576 |
Entropy (8bit): | 4.027005777839474 |
Encrypted: | false |
SSDEEP: | 384:wjie5Rftx1SPJ4X9sF8nk7kZPBqXCSeq5QMVyi6+/rl4Lk4+Zd1DoXznULsbwvi:aiwRftx1IJ4XaF8k7mBqXheq5QMVyi6Q |
MD5: | AE96E48BB239AB3639D949B90C8376DD |
SHA1: | C5660A1E7A23EE15129361A18B966CBAEF839387 |
SHA-256: | 8D7B697697A17AF4AA18F07891B667CA0BEFACB1B79422A0E94C77992DD9B21E |
SHA-512: | 3A4DF9E83B5825ADD4EA5E0E3617E1DC876B2A113B54EEF4288E9DA577428CAF136EC99286C3A754E7440EE9D8DC87E83F64BBDD804741D51A890D279336FB1B |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 6.319927202557722 |
TrID: |
File name: | smphost.dll |
File size: | 147656 |
MD5: | fc484855692f2a7d1eae090086a1eb72 |
SHA1: | 2e9103747750b40835f58d9e57c2ab75eeaf25f6 |
SHA256: | e58b9bbb7bcdf3e901453b7b9c9e514fed1e53565e3280353dccc77cde26a98e |
SHA512: | 2f6b6e8aa82dc4aa61a540bae1d98682ec79e73ccfeaf9c273b053c2162f35207842f7ab2f1bc06e927d706ec88ecf209d2c57e86323c38fb43e9d694e624311 |
SSDEEP: | 3072:biKjfYjd3b9fSCNq01bKrF5HiLCK08WA46tvTj:+QfYjBMCNcC+KlWuB3 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........1.x.b.x.b.x.b...c.x.b...c`x.b...c.x.b...c.x.b...c.x.b...c.x.b...c.x.b.x.b.x.b...c.x.b...c.x.b...c.x.bRich.x.b............... |
Icon Hash: | 74f0e4ecccdce0e4 |
Entrypoint: | 0x100095e3 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x10000000 |
Subsystem: | windows cui |
Image File Characteristics: | 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LARGE_ADDRESS_AWARE |
DLL Characteristics: | DYNAMIC_BASE |
Time Stamp: | 0x61C2D9AE [Wed Dec 22 07:54:22 2021 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 0 |
File Version Major: | 6 |
File Version Minor: | 0 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 0 |
Import Hash: | 793636b04c2e2f8cfe97a0d2fa1b60e1 |
Signature Valid: | true |
Signature Issuer: | CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After |
Subject Chain |
Version: | 3 |
Thumbprint MD5: | 87CFAD0A22E828FF235A83CA03E90993 |
Thumbprint SHA-1: | 430DBEFF2F6DF708B03354D5D07E78400CFED8E9 |
Thumbprint SHA-256: | 44DAF53D607937F410C3D300100399514D0EE5B03487E7EAD16DFE324D2C5563 |
Serial: | 205483936F360924E8D2A4EB6D3A9F31 |
Instruction |
---|
push ebp |
mov ebp, esp |
cmp dword ptr [ebp+0Ch], 01h |
jne 00007FB8DC464417h |
call 00007FB8DC464819h |
push dword ptr [ebp+10h] |
push dword ptr [ebp+0Ch] |
push dword ptr [ebp+08h] |
call 00007FB8DC4642C3h |
add esp, 0Ch |
pop ebp |
retn 000Ch |
and dword ptr [ecx+04h], 00000000h |
mov eax, ecx |
and dword ptr [ecx+08h], 00000000h |
mov dword ptr [ecx+04h], 100153A0h |
mov dword ptr [ecx], 10015398h |
ret |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
lea ecx, dword ptr [ebp-0Ch] |
call 00007FB8DC4643EFh |
push 1001A634h |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call 00007FB8DC4652E7h |
int3 |
push ebp |
mov ebp, esp |
sub esp, 0Ch |
lea ecx, dword ptr [ebp-0Ch] |
call 00007FB8DC45DEDCh |
push 1001A538h |
lea eax, dword ptr [ebp-0Ch] |
push eax |
call 00007FB8DC4652CAh |
int3 |
push ebp |
mov ebp, esp |
and dword ptr [1001CFF0h], 00000000h |
sub esp, 24h |
or dword ptr [1001C010h], 01h |
push 0000000Ah |
call dword ptr [100150C4h] |
test eax, eax |
je 00007FB8DC4645BFh |
and dword ptr [ebp-10h], 00000000h |
xor eax, eax |
push ebx |
push esi |
push edi |
xor ecx, ecx |
lea edi, dword ptr [ebp-24h] |
push ebx |
cpuid |
mov esi, ebx |
pop ebx |
mov dword ptr [edi], eax |
mov dword ptr [edi+04h], esi |
mov dword ptr [edi+08h], ecx |
xor ecx, ecx |
mov dword ptr [edi+0Ch], edx |
mov eax, dword ptr [ebp-24h] |
mov edi, dword ptr [ebp-1Ch] |
mov dword ptr [ebp-0Ch], eax |
xor edi, 0065746Eh |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x1ab30 | 0x80 | .rdata |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1abb0 | 0xb4 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x20000 | 0x5694 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x21a00 | 0x26c8 | .rsrc |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1e000 | 0x132c | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x19f0c | 0x1c | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x19f28 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x15000 | 0x1b8 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x13939 | 0x13a00 | False | 0.54204816879 | data | 6.52399222454 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
.rdata | 0x15000 | 0x65be | 0x6600 | False | 0.417662377451 | data | 4.95436624069 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x1c000 | 0x1a20 | 0xa00 | False | 0.171484375 | DOS executable (block device driver) | 2.41006083543 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
.reloc | 0x1e000 | 0x132c | 0x1400 | False | 0.748828125 | data | 6.45202754591 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
.rsrc | 0x20000 | 0x5694 | 0x5800 | False | 0.205344460227 | data | 3.76919834084 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
MUI | 0x2010c | 0xf0 | data | English | United States |
WEVT_TEMPLATE | 0x201fc | 0x50ca | data | English | United States |
RT_VERSION | 0x252c8 | 0x3cc | data | English | United States |
DLL | Import |
---|---|
KERNEL32.dll | DeleteCriticalSection, CreateMutexExW, GetPriorityClass, GetProcessId, GetVersion, GetProductInfo, InitializeCriticalSectionEx, FormatMessageA, FormatMessageW, GetConsoleCP, CreateFileW, CloseHandle, GetStringTypeW, SetFilePointerEx, GetProcessHeap, HeapSize, HeapReAlloc, HeapFree, HeapAlloc, GetLastError, RaiseException, DecodePointer, DisableThreadLibraryCalls, SetFileAttributesW, SetStdHandle, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, FreeEnvironmentStringsW, GetEnvironmentStringsW, WideCharToMultiByte, MultiByteToWideChar, GetCommandLineW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetCurrentProcess, TerminateProcess, OutputDebugStringW, EnterCriticalSection, LeaveCriticalSection, RtlUnwind, InterlockedFlushSList, SetLastError, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, LCMapStringW, GetStdHandle, GetFileType, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, WriteConsoleW |
USER32.dll | CharNextW, CreatePopupMenu, GetMessageTime |
GDI32.dll | TextOutA, FlattenPath, TextOutW |
ADVAPI32.dll | RevertToSelf, IsValidSid, IsValidAcl, IsTokenRestricted, GetSidIdentifierAuthority, CveEventWrite |
SHELL32.dll | DuplicateIcon |
ole32.dll | CoGetCallerTID, CoCreateInstance, CoInitialize, CoTaskMemAlloc, OleInitialize, CoCancelCall |
SHLWAPI.dll | SHStrDupA, SHStrDupW, SHGetThreadRef |
RPCRT4.dll | UuidCreate, DceErrorInqTextA, RpcExceptionFilter |
Name | Ordinal | Address |
---|---|---|
DllInstall | 1 | 0x10008630 |
DllRegisterServer | 2 | 0x10008a90 |
DllUnregisterServer | 3 | 0x10008be0 |
Description | Data |
---|---|
LegalCopyright | Microsoft Corporation. All rights reserved. |
InternalName | smphost.dll |
FileVersion | 10.0.21286.1000 (WinBuild.160101.0800) |
CompanyName | Microsoft Corporation |
ProductName | Microsoft Windows Operating System |
ProductVersion | 10.0.21286.1000 |
FileDescription | Storage Management Provider (SMP) host service |
OriginalFilename | smphost.dll |
Translation | 0x0000 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 30, 2022 13:43:15.394882917 CET | 49830 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:15.394932032 CET | 443 | 49830 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:15.395061016 CET | 49830 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:15.395589113 CET | 49830 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:15.395632029 CET | 443 | 49830 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:15.395706892 CET | 49830 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:15.532660007 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:15.532708883 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:15.532799959 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:15.698055983 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:15.698086023 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:15.851042032 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:15.851142883 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.118767023 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.118799925 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.119225025 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.119281054 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.122791052 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.169876099 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.192837000 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.192890882 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.193063974 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.193083048 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.193205118 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.238173008 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.238213062 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.238414049 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.238430977 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.238543987 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.283485889 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.283524990 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.283693075 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.283710003 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.283778906 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.304004908 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.304044962 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.304290056 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.304305077 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.304426908 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.328831911 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.328881025 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.328974009 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.328986883 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.329060078 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.329245090 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.329272032 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.329354048 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.329363108 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.329432011 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.329689026 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.329714060 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.329819918 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.329830885 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.329905033 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.371095896 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.371133089 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.371258974 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.371273041 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.371345043 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.374042988 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.374075890 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.374217987 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.374228954 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.374301910 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.374335051 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.374438047 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.374447107 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.374459982 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:16.374528885 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.374931097 CET | 49831 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:16.374948978 CET | 443 | 49831 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.616753101 CET | 49832 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.616843939 CET | 443 | 49832 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.616949081 CET | 49832 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.617564917 CET | 49832 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.617652893 CET | 443 | 49832 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.618009090 CET | 49832 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.620316029 CET | 49833 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.620383024 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.620496988 CET | 49833 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.621151924 CET | 49833 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.621181011 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.771239042 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.772213936 CET | 49833 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.773065090 CET | 49833 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.773087978 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.782651901 CET | 49833 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.782686949 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.863405943 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.863440037 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.863614082 CET | 49833 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.863656044 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.863679886 CET | 49833 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.864300013 CET | 49833 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.928632021 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.928672075 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.928893089 CET | 49833 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.928934097 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Jan 30, 2022 13:43:17.930656910 CET | 49833 | 443 | 192.168.2.3 | 185.14.31.158 |
Jan 30, 2022 13:43:17.952539921 CET | 443 | 49833 | 185.14.31.158 | 192.168.2.3 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jan 30, 2022 13:43:15.264192104 CET | 60982 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 30, 2022 13:43:15.368690014 CET | 53 | 60982 | 8.8.8.8 | 192.168.2.3 |
Jan 30, 2022 13:43:45.536451101 CET | 64367 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 30, 2022 13:43:45.643013954 CET | 53 | 64367 | 8.8.8.8 | 192.168.2.3 |
Jan 30, 2022 13:43:46.010204077 CET | 51539 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 30, 2022 13:43:46.030085087 CET | 53 | 51539 | 8.8.8.8 | 192.168.2.3 |
Jan 30, 2022 13:43:47.554577112 CET | 55393 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 30, 2022 13:43:47.573749065 CET | 53 | 55393 | 8.8.8.8 | 192.168.2.3 |
Jan 30, 2022 13:43:47.865457058 CET | 50585 | 53 | 192.168.2.3 | 8.8.8.8 |
Jan 30, 2022 13:43:47.882119894 CET | 53 | 50585 | 8.8.8.8 | 192.168.2.3 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jan 30, 2022 13:43:15.264192104 CET | 192.168.2.3 | 8.8.8.8 | 0x2c5a | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:43:45.536451101 CET | 192.168.2.3 | 8.8.8.8 | 0xe795 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:43:46.010204077 CET | 192.168.2.3 | 8.8.8.8 | 0x8f92 | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:43:47.554577112 CET | 192.168.2.3 | 8.8.8.8 | 0x336c | Standard query (0) | | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:43:47.865457058 CET | 192.168.2.3 | 8.8.8.8 | 0x8e63 | Standard query (0) | | A (IP address) | IN (0x0001) |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jan 30, 2022 13:43:15.368690014 CET | 8.8.8.8 | 192.168.2.3 | 0x2c5a | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:43:45.643013954 CET | 8.8.8.8 | 192.168.2.3 | 0xe795 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:43:46.030085087 CET | 8.8.8.8 | 192.168.2.3 | 0x8f92 | No error (0) | | | 93.93.131.124 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:43:47.573749065 CET | 8.8.8.8 | 192.168.2.3 | 0x336c | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Jan 30, 2022 13:43:47.882119894 CET | 8.8.8.8 | 192.168.2.3 | 0x8e63 | No error (0) | | | 185.14.31.158 | A (IP address) | IN (0x0001) |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.3 | 49831 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.3 | 49833 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.3 | 49837 | 93.93.131.124 | 443 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
3 | 192.168.2.3 | 49838 | 93.93.131.124 | 443 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
4 | 192.168.2.3 | 49846 | 185.14.31.158 | 443 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
5 | 192.168.2.3 | 49835 | 185.14.31.158 | 32710 | C:\Windows\SysWOW64\regsvr32.exe |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Jan 30, 2022 13:43:45.701220989 CET | 11167 | OUT |