Edit tour

Windows Analysis Report
smphost.exe

Overview

General Information

Sample name:	smphost.exe
Analysis ID:	1457829
MD5:	e45d667483ba3bb5aa44892dfb48d544
SHA1:	413143564579a24e58606287b5e2a9f25c787197
SHA256:	8d3e747289e59d3cbf1e01d616609f02e79d5d3c6da373de60cd664fb078f539
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	40%

Signatures

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Found large amount of non-executed APIs

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

smphost.exe (PID: 6308 cmdline: "C:\Users\user\Desktop\smphost.exe" -install MD5: E45D667483BA3BB5AA44892DFB48D544)

conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

smphost.exe (PID: 1596 cmdline: "C:\Users\user\Desktop\smphost.exe" /install MD5: E45D667483BA3BB5AA44892DFB48D544)

conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

smphost.exe (PID: 5312 cmdline: "C:\Users\user\Desktop\smphost.exe" /load MD5: E45D667483BA3BB5AA44892DFB48D544)

conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Data Obfuscation
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: smphost.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\Work\2. My work\HTB challenge\Sherlock\testdot\MyProject\obj\Release\net8.0\win-x64\MyProject.pdbSHA256y3AL source: smphost.exe, 00000000.00000002.1714991161.000001F391FC0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739794160.000001A06EA30000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763792490.0000024380CF0000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA256{) source: smphost.exe, 00000000.00000002.1715583575.000001F3939F0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742271842.000001E105520000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764264627.00000243826E0000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: smphost.exe, 00000000.00000002.1715632159.000001F393A03000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742290115.000001E105533000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: System.ComponentModel.ni.pdb source: smphost.exe, 00000000.00000002.1715503280.000001F393980000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742118778.000001E105490000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382670000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: System.Runtime.InteropServices.ni.pdb source: smphost.exe, 00000000.00000002.1715736841.000001F393A31000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715632159.000001F393A03000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742290115.000001E105533000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742349500.000001E105561000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764383091.0000024382771000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: smphost.exe, 00000000.00000002.1715067433.000001F391FE1000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742209820.000001E105501000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763881416.0000024380D61000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256 source: smphost.exe, 00000000.00000002.1715632159.000001F393A03000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742290115.000001E105533000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: smphost.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: smphost.exe, 00000000.00000002.1715367778.000001F3938F0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715418035.000001F393941000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739896230.000001A06EAB1000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739845347.000001A06EA60000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763828539.0000024380D10000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764051477.0000024382631000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel\Release\net8.0\System.ComponentModel.pdb source: smphost.exe, 00000000.00000002.1715503280.000001F393980000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742118778.000001E105490000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382670000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: smphost.exe, 00000000.00000002.1715007675.000001F391FD0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739811229.000001A06EA40000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763810613.0000024380D00000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdb source: smphost.exe, 00000000.00000002.1715503280.000001F393987000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742118778.000001E105497000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA256{) source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: smphost.exe, smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: smphost.exe, smphost.exe, 00000000.00000000.1711977986.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp, smphost.exe, 00000002.00000000.1736354417.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp, smphost.exe, 00000004.00000002.1769623643.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: System.Console.ni.pdb source: smphost.exe, smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: System.Threading.ni.pdb source: smphost.exe, 00000000.00000002.1715067433.000001F391FE1000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742209820.000001E105501000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763881416.0000024380D61000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: smphost.exe, 00000000.00000002.1715007675.000001F391FD0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739811229.000001A06EA40000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763810613.0000024380D00000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdbSHA256> source: smphost.exe, 00000000.00000002.1715503280.000001F393987000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742118778.000001E105497000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: smphost.exe, 00000000.00000002.1715736841.000001F393A31000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715632159.000001F393A03000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742290115.000001E105533000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742349500.000001E105561000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764383091.0000024382771000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: System.Collections.ni.pdb source: smphost.exe, 00000000.00000002.1715367778.000001F3938F0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715418035.000001F393941000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739896230.000001A06EAB1000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739845347.000001A06EA60000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763828539.0000024380D10000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764051477.0000024382631000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: smphost.exe, 00000000.00000002.1715583575.000001F3939F0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742271842.000001E105520000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764264627.00000243826E0000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: System.Private.CoreLib.ni.pdb source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\Work\2. My work\HTB challenge\Sherlock\testdot\MyProject\obj\Release\net8.0\win-x64\MyProject.pdb source: smphost.exe, 00000000.00000002.1714991161.000001F391FC0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739794160.000001A06EA30000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763792490.0000024380CF0000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdbSHA256 source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp

Source: smphost.exe	String found in binary or memory: http://.css
Source: smphost.exe	String found in binary or memory: http://.jpg
Source: smphost.exe	String found in binary or memory: http://html4/loose.dtd
Source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715888577.0000023428D12000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.00000234299A5000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103EE2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104B75000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417BB2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	String found in binary or memory: https://aka.ms/binaryformatter
Source: smphost.exe	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715888577.0000023428D12000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.00000234299A5000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103EE2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104B75000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417BB2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715888577.0000023428D12000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.00000234299A5000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103EE2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104B75000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417BB2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: smphost.exe, 00000000.00000002.1715888577.0000023428D12000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.00000234299A5000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103EE2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104B75000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417BB2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet-illink/nativehostt
Source: smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1766755844.0000028418D60000.00000004.00001000.00020000.00000000.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764383091.0000024382771000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763881416.0000024380D61000.00000020.00000001.00040000.00000003.sdmp	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: smphost.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: smphost.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failedRequired:
Source: smphost.exe	String found in binary or memory: https://aka.ms/dotnet/download
Source: smphost.exe	String found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: smphost.exe	String found in binary or memory: https://aka.ms/dotnet/info
Source: smphost.exe	String found in binary or memory: https://aka.ms/dotnet/sdk-not-found
Source: smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: smphost.exe, smphost.exe, 00000004.00000002.1763810613.0000024380D00000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763828539.0000024380D10000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764051477.0000024382631000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417BB2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382740000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764383091.0000024382771000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763881416.0000024380D61000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764264627.00000243826E0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382670000.00000002.00000001.00040000.00000003.sdmp	String found in binary or memory: https://github.com/dotnet/runtime
Source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	String found in binary or memory: https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/
Source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	String found in binary or memory: https://github.com/dotnet/runtime/issues/71847
Source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	String found in binary or memory: https://github.com/mono/linker/issues/378
Source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	String found in binary or memory: https://github.com/mono/linker/pull/649

Source: smphost.exe

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows

Source: smphost.exe	Binary or memory string: OriginalFilename vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715275035.000001F3938B1000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Console.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715367778.000001F3938F0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715067433.000001F391FE1000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715503280.000001F393987000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715503280.000001F393987000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Console.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715583575.000001F3939F0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Encoding.Extensions.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Timer.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715418035.000001F393941000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000000.1711977986.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemscordaccore.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000000.1711977986.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMyProject.dll4 vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715736841.000001F393A31000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715632159.000001F393A03000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.RuntimeInformation.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715632159.000001F393A03000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715007675.000001F391FD0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1715503280.000001F393980000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.dll@ vs smphost.exe
Source: smphost.exe, 00000000.00000002.1714991161.000001F391FC0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameMyProject.dll4 vs smphost.exe
Source: smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs smphost.exe
Source: smphost.exe	Binary or memory string: OriginalFilename vs smphost.exe
Source: smphost.exe, 00000002.00000002.1739794160.000001A06EA30000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameMyProject.dll4 vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742290115.000001E105533000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.RuntimeInformation.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742290115.000001E105533000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742349500.000001E105561000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000000.1736354417.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemscordaccore.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000000.1736354417.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMyProject.dll4 vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742118778.000001E105497000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742118778.000001E105497000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Console.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1739990269.000001A06EAF1000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Console.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1739896230.000001A06EAB1000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Timer.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1739811229.000001A06EA40000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742209820.000001E105501000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742118778.000001E105490000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1742271842.000001E105520000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Encoding.Extensions.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1739845347.000001A06EA60000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs smphost.exe
Source: smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs smphost.exe
Source: smphost.exe	Binary or memory string: OriginalFilename vs smphost.exe
Source: smphost.exe, 00000004.00000002.1763810613.0000024380D00000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1763828539.0000024380D10000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764051477.0000024382631000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1769623643.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemscordaccore.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1769623643.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMyProject.dll4 vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Configuration.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Console.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Console.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1763792490.0000024380CF0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameMyProject.dll4 vs smphost.exe
Source: smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Thread.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.ThreadPool.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.Timer.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.RuntimeInformation.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764383091.0000024382771000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Runtime.InteropServices.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1763881416.0000024380D61000.00000020.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Threading.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764264627.00000243826E0000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Text.Encoding.Extensions.dll@ vs smphost.exe
Source: smphost.exe, 00000004.00000002.1764131819.0000024382670000.00000002.00000001.00040000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.ComponentModel.dll@ vs smphost.exe

Source: classification engine

Classification label: clean5.winEXE@6/3@0/0

Source: C:\Users\user\Desktop\smphost.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03

Source: smphost.exe

Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 46.24%

Source: C:\Users\user\Desktop\smphost.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: smphost.exe	String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: smphost.exe	String found in binary or memory: Morph - Structs/AddrExp
Source: smphost.exe	String found in binary or memory: prejitIndirect call transformExpand patchpointsPre-importImportationProfile instrumentationProfile incorporationPost-importProfile instrumentation prepMorph - Add internal blocksAllocate ObjectsMorph - InitMorph - InliningMerge callfinally chainsClone finallyRemove empty tryRemove empty finallyMorph - Structs/AddrExpEarly livenessUpdate finally target flagsUpdate flow graph early passIdentify candidates for implicit byref copy omissionMorph - ByRefsPhysical promotionForward SubstitutionMorph - FinishGS CookieMorph - Promote StructsMorph - GlobalTail mergeMerge throw blocksCompute edge weights (1, false)Create EH funcletsOptimize control flowOptimize layoutInvert loopsPost-morph tail mergeRedundant zero InitsFind loopsCompute blocks reachabilitySet block weightsClear loop infoMorph array opsClone loopsUnroll loopsOptimize boolsFind oper orderHoist loop codeMark local varsSSA: topological sortSSA: Doms1Set block orderBuild SSA representationSSA: insert phisSSA: renameSSA: livenessSSA: DFOptimize index checksOptimize Valnum CSEsEarly Value PropagationDo value numberingRedundant branch optsAssertion propVN based copy propVN based intrinsic expansionUpdate flow graph opt passCompute edge weights (2, false)If conversionVN-based dead store removalExpand static initExpand TLS accessStress gtSplitTreeExpand runtime lookupsRationalize IRDo 'simple' loweringInsert GC PollsDetermine first cold blockPer block local var livenessGlobal local var livenessLocal var livenessLocal var liveness initCalculate stack level slotsLinear scan register allocLowering decompositionLowering nodeinfoLSRA resolvePlace 'align' instructionsLSRA build intervalsLSRA allocateEmit GC+EH tablesPost-EmitGenerate codeEmit code Compiled %d methods.
Source: smphost.exe	String found in binary or memory: GC initialization failed with error 0x%08XVirtualAlloc2kernelbase.dllMapViewOfFile3string too longbad array new lengthApplication root path is empty. This shouldn't happenUsing internal fxrUsing internal hostpolicyPath containing probing policy and assemblies to probe for.<path>--additionalprobingpathPath to <application>.runtimeconfig.json file.--runtimeconfigPath to <application>.deps.json file.--depsfile--roll-forwardVersion of the installed Shared Framework to use to run the application.<version>--fx-versionPath to additional deps.json file.--additional-depsRoll forward to framework version (LatestPatch, Minor, LatestMinor, Major, LatestMajor, Disable)<value>sdk<obsolete><n>--roll-forward-on-no-candidate-fxUsing the provided arguments to determine the application to execute. %s %-*s %sFailed to parse supported options or their values:Parsed known arg %s = %sThe application to execute does not exist: '%s'dotnet exec needs a managed .dll or .exe extension. The application specified was '%s'Application '%s' does not exist.Application '%s' is not a managed executable.exec--- Executing in muxer mode...--- Executing in a native executable mode...--- Executing in split/FX mode...
Source: smphost.exe	String found in binary or memory: %sNot foundhost-options: The path to an application .dll file to execute.path-to-application:Usage: dotnet [host-options] [path-to-application] -h\|--help Displays this help.Common Options: --list-sdks Display the installed SDKs --list-runtimes Display the installed runtimesunordered_map/set too longinvalid string positionvector too long --info Display .NET information.invalid hash bucket count--- Invoked %s [version: %s]hostfxr_main_startupinfoInvalid startup info: host_path, dotnet_root, and app_path should not be null.A fatal error occurred while processing application bundlehostfxr_main_bundle_startupinfoget-native-search-directories.dev.json.jsonHosting components are already initialized. Re-initialization to execute an app is not allowed.Ignoring host interpreted additional probing path %s as it does not exist.\|arch\|/\|tfm\|\|arch\|\\|tfm\|Runtime config is cfg=%s dev=%sSpecified runtimeconfig.json from [%s]App runtimeconfig.json from [%s]The specified runtimeconfig.json [%s] does not existIgnoring additional probing path %s as it does not exist..runtimeconfig.jsonDetecting mode... CoreCLR present in dotnet root [%s] and checking if [%s] file present=[%d].deps.jsonInvalid runtimeconfig.json [%s] [%s]DOTNET_ADDITIONAL_DEPSIt's invalid to use both '%s' and '%s' command line options.Invalid value for command line argument '%s'The specified deps.json [%s] does not existExecuting as a %s app as per config file [%s]self-containedframework-dependentHOSTFXR_PATH--list-runtimes--list-sdksUsing dotnet root path [%s]/?-?--help-hdotnet.dll The command could not be loaded, possibly because:
Source: smphost.exe	String found in binary or memory: %sNot foundhost-options: The path to an application .dll file to execute.path-to-application:Usage: dotnet [host-options] [path-to-application] -h\|--help Displays this help.Common Options: --list-sdks Display the installed SDKs --list-runtimes Display the installed runtimesunordered_map/set too longinvalid string positionvector too long --info Display .NET information.invalid hash bucket count--- Invoked %s [version: %s]hostfxr_main_startupinfoInvalid startup info: host_path, dotnet_root, and app_path should not be null.A fatal error occurred while processing application bundlehostfxr_main_bundle_startupinfoget-native-search-directories.dev.json.jsonHosting components are already initialized. Re-initialization to execute an app is not allowed.Ignoring host interpreted additional probing path %s as it does not exist.\|arch\|/\|tfm\|\|arch\|\\|tfm\|Runtime config is cfg=%s dev=%sSpecified runtimeconfig.json from [%s]App runtimeconfig.json from [%s]The specified runtimeconfig.json [%s] does not existIgnoring additional probing path %s as it does not exist..runtimeconfig.jsonDetecting mode... CoreCLR present in dotnet root [%s] and checking if [%s] file present=[%d].deps.jsonInvalid runtimeconfig.json [%s] [%s]DOTNET_ADDITIONAL_DEPSIt's invalid to use both '%s' and '%s' command line options.Invalid value for command line argument '%s'The specified deps.json [%s] does not existExecuting as a %s app as per config file [%s]self-containedframework-dependentHOSTFXR_PATH--list-runtimes--list-sdksUsing dotnet root path [%s]/?-?--help-hdotnet.dll The command could not be loaded, possibly because:
Source: smphost.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: smphost.exe	String found in binary or memory: https://aka.ms/dotnet/app-launch-failedRequired:

Source: unknown	Process created: C:\Users\user\Desktop\smphost.exe "C:\Users\user\Desktop\smphost.exe" -install
Source: C:\Users\user\Desktop\smphost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\smphost.exe "C:\Users\user\Desktop\smphost.exe" /install
Source: C:\Users\user\Desktop\smphost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\smphost.exe "C:\Users\user\Desktop\smphost.exe" /load
Source: C:\Users\user\Desktop\smphost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\smphost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\smphost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\smphost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\smphost.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: smphost.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: smphost.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: smphost.exe

Static file information: File size 67515744 > 1048576

Source: smphost.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x617000
Source: smphost.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17d400
Source: smphost.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x147000

Source: smphost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: smphost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: smphost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: smphost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: smphost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: smphost.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: smphost.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: smphost.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdb source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\Work\2. My work\HTB challenge\Sherlock\testdot\MyProject\obj\Release\net8.0\win-x64\MyProject.pdbSHA256y3AL source: smphost.exe, 00000000.00000002.1714991161.000001F391FC0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739794160.000001A06EA30000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763792490.0000024380CF0000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdbSHA256{) source: smphost.exe, 00000000.00000002.1715583575.000001F3939F0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742271842.000001E105520000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764264627.00000243826E0000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdb source: smphost.exe, 00000000.00000002.1715632159.000001F393A03000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742290115.000001E105533000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: System.ComponentModel.ni.pdb source: smphost.exe, 00000000.00000002.1715503280.000001F393980000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742118778.000001E105490000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382670000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: System.Runtime.InteropServices.ni.pdb source: smphost.exe, 00000000.00000002.1715736841.000001F393A31000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715632159.000001F393A03000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742290115.000001E105533000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742349500.000001E105561000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764383091.0000024382771000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading\Release\net8.0\System.Threading.pdb source: smphost.exe, 00000000.00000002.1715067433.000001F391FE1000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742209820.000001E105501000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763881416.0000024380D61000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.Thread\Release\net8.0\System.Threading.Thread.pdbSHA256 source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Runtime.InteropServices.RuntimeInformation/Release/net8.0-windows/System.Runtime.InteropServices.RuntimeInformation.pdbSHA256 source: smphost.exe, 00000000.00000002.1715632159.000001F393A03000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742290115.000001E105533000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: smphost.exe
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\System.Private.CoreLib\x64\Release\System.Private.CoreLib.pdb source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Collections\Release\net8.0\System.Collections.pdb source: smphost.exe, 00000000.00000002.1715367778.000001F3938F0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715418035.000001F393941000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739896230.000001A06EAB1000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739845347.000001A06EA60000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763828539.0000024380D10000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764051477.0000024382631000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.ComponentModel\Release\net8.0\System.ComponentModel.pdb source: smphost.exe, 00000000.00000002.1715503280.000001F393980000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742118778.000001E105490000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382670000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdbSHA256 source: smphost.exe, 00000000.00000002.1715007675.000001F391FD0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739811229.000001A06EA40000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763810613.0000024380D00000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdb source: smphost.exe, 00000000.00000002.1715503280.000001F393987000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742118778.000001E105497000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdbSHA256{) source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Console\Release\net8.0-windows\System.Console.pdb source: smphost.exe, smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: smphost.exe, smphost.exe, 00000000.00000000.1711977986.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp, smphost.exe, 00000002.00000000.1736354417.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp, smphost.exe, 00000004.00000002.1769623643.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: System.Console.ni.pdb source: smphost.exe, smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdb source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: System.Threading.ni.pdb source: smphost.exe, 00000000.00000002.1715067433.000001F391FE1000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742209820.000001E105501000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763881416.0000024380D61000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime\Release\net8.0\System.Runtime.pdb source: smphost.exe, 00000000.00000002.1715007675.000001F391FD0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739811229.000001A06EA40000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763810613.0000024380D00000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Configuration/Release/net8.0-windows/System.Configuration.pdbSHA256> source: smphost.exe, 00000000.00000002.1715503280.000001F393987000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742118778.000001E105497000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Threading.ThreadPool\Release\net8.0\System.Threading.ThreadPool.pdb source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.InteropServices\Release\net8.0\System.Runtime.InteropServices.pdb source: smphost.exe, 00000000.00000002.1715736841.000001F393A31000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715632159.000001F393A03000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742290115.000001E105533000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742349500.000001E105561000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764383091.0000024382771000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: System.Collections.ni.pdb source: smphost.exe, 00000000.00000002.1715367778.000001F3938F0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715418035.000001F393941000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739896230.000001A06EAB1000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739845347.000001A06EA60000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763828539.0000024380D10000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764051477.0000024382631000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.Encoding.Extensions\Release\net8.0\System.Text.Encoding.Extensions.pdb source: smphost.exe, 00000000.00000002.1715583575.000001F3939F0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742271842.000001E105520000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764264627.00000243826E0000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: System.Private.CoreLib.ni.pdb source: smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp
Source:	Binary string: D:\Work\2. My work\HTB challenge\Sherlock\testdot\MyProject\obj\Release\net8.0\win-x64\MyProject.pdb source: smphost.exe, 00000000.00000002.1714991161.000001F391FC0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1739794160.000001A06EA30000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763792490.0000024380CF0000.00000002.00000001.00040000.00000003.sdmp
Source:	Binary string: /_/artifacts/obj/System.Threading.Timer/Release/net8.0-windows/System.Threading.Timer.pdbSHA256 source: smphost.exe, 00000000.00000002.1715556914.000001F3939C0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1742165250.000001E1054D0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp

Source: smphost.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: smphost.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: smphost.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: smphost.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: smphost.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: smphost.exe	Static PE information: section name: .CLR_UEF
Source: smphost.exe	Static PE information: section name: .didat
Source: smphost.exe	Static PE information: section name: Section
Source: smphost.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\smphost.exe	Code function: 0_2_000001F3938B3630 push rax; iretd	0_2_000001F3938B3631
Source: C:\Users\user\Desktop\smphost.exe	Code function: 0_2_000001F3938B21F8 push rcx; retf	0_2_000001F3938B2223
Source: C:\Users\user\Desktop\smphost.exe	Code function: 2_2_000001A06EAF3630 push rax; iretd	2_2_000001A06EAF3631
Source: C:\Users\user\Desktop\smphost.exe	Code function: 2_2_000001A06EAF21F8 push rcx; retf	2_2_000001A06EAF2223
Source: C:\Users\user\Desktop\smphost.exe	Code function: 4_2_00000243826B3630 push rax; iretd	4_2_00000243826B3631
Source: C:\Users\user\Desktop\smphost.exe	Code function: 4_2_00000243826B21F8 push rcx; retf	4_2_00000243826B2223

Source: C:\Users\user\Desktop\smphost.exe	Memory allocated: 1F391FA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\smphost.exe	Memory allocated: 1A06EA10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\smphost.exe	Memory allocated: 24380CD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\smphost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\smphost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\smphost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\smphost.exe	API coverage: 5.7 %
Source: C:\Users\user\Desktop\smphost.exe	API coverage: 6.1 %
Source: C:\Users\user\Desktop\smphost.exe	API coverage: 6.1 %

Source: C:\Users\user\Desktop\smphost.exe TID: 4416	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\smphost.exe TID: 6336	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\smphost.exe TID: 5216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\smphost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\smphost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\smphost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\smphost.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\smphost.exe

Code function: 0_2_00007FF648ABAE0C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF648ABAE0C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	32 Virtualization/Sandbox Evasion	LSASS Memory	32 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
smphost.exe	0%	ReversingLabs
smphost.exe	3%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://html4/loose.dtd	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-warnings/	0%	Avira URL Cloud	safe
https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/	0%	Avira URL Cloud	safe
https://aka.ms/dotnet/info	0%	Avira URL Cloud	safe
https://aka.ms/dotnet/download%s%sInstall	0%	Avira URL Cloud	safe
https://aka.ms/dotnet/info	1%	Virustotal		Browse
https://aka.ms/dotnet-warnings/	0%	Virustotal		Browse
https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/	0%	Virustotal		Browse
https://aka.ms/nativeaot-compatibility	0%	Avira URL Cloud	safe
https://github.com/dotnet/runtime/issues/71847	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-illink/com	0%	Avira URL Cloud	safe
https://aka.ms/dotnet/sdk-not-found	0%	Avira URL Cloud	safe
https://aka.ms/binaryformatter	0%	Avira URL Cloud	safe
https://aka.ms/GlobalizationInvariantMode	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-illink/com	0%	Virustotal		Browse
https://aka.ms/dotnet/sdk-not-found	0%	Virustotal		Browse
https://aka.ms/nativeaot-compatibility	0%	Virustotal		Browse
https://aka.ms/dotnet/download%s%sInstall	0%	Virustotal		Browse
https://github.com/dotnet/runtime/issues/71847	0%	Virustotal		Browse
https://aka.ms/dotnet/app-launch-failed	0%	Avira URL Cloud	safe
https://github.com/mono/linker/pull/649	0%	Avira URL Cloud	safe
http://.css	0%	Avira URL Cloud	safe
https://aka.ms/dotnet/app-launch-failed	0%	Virustotal		Browse
http://.jpg	0%	Avira URL Cloud	safe
https://aka.ms/binaryformatter	0%	Virustotal		Browse
https://aka.ms/dotnet-illink/nativehost	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-illink/nativehostt	0%	Avira URL Cloud	safe
https://github.com/mono/linker/pull/649	0%	Virustotal		Browse
https://aka.ms/dotnet/app-launch-failedRequired:	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-illink/nativehost	0%	Virustotal		Browse
https://aka.ms/dotnet-core-applaunch?	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-illink/nativehostt	0%	Virustotal		Browse
https://aka.ms/GlobalizationInvariantMode	0%	Virustotal		Browse
https://aka.ms/dotnet/download	0%	Avira URL Cloud	safe
https://github.com/dotnet/runtime	0%	Avira URL Cloud	safe
https://github.com/mono/linker/issues/378	0%	Avira URL Cloud	safe
https://aka.ms/dotnet/app-launch-failedRequired:	0%	Virustotal		Browse
https://aka.ms/dotnet-core-applaunch?	0%	Virustotal		Browse
https://aka.ms/dotnet/download	0%	Virustotal		Browse
https://github.com/dotnet/runtime	0%	Virustotal		Browse
https://github.com/mono/linker/issues/378	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://html4/loose.dtd	smphost.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-warnings/	smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1766755844.0000028418D60000.00000004.00001000.00020000.00000000.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764383091.0000024382771000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763881416.0000024380D61000.00000020.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/info	smphost.exe	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/download%s%sInstall	smphost.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime/blob/bbc898f3e5678135b242faeb6eefd8b24bf04f3c/src/native/corehost/	smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/nativeaot-compatibility	smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime/issues/71847	smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-illink/com	smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715888577.0000023428D12000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.00000234299A5000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103EE2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104B75000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417BB2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/sdk-not-found	smphost.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/binaryformatter	smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715888577.0000023428D12000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.00000234299A5000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103EE2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104B75000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417BB2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/GlobalizationInvariantMode	smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/app-launch-failed	smphost.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/mono/linker/pull/649	smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://.css	smphost.exe	false	Avira URL Cloud: safe	unknown
http://.jpg	smphost.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-illink/nativehost	smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1715888577.0000023428D12000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.00000234299A5000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103EE2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104B75000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417BB2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-illink/nativehostt	smphost.exe, 00000000.00000002.1715888577.0000023428D12000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.00000234299A5000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103EE2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104B75000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417BB2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/app-launch-failedRequired:	smphost.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-core-applaunch?	smphost.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/download	smphost.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime	smphost.exe, smphost.exe, 00000004.00000002.1763810613.0000024380D00000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763828539.0000024380D10000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764051477.0000024382631000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417BB2000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382740000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.0000028418845000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382677000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764299433.0000024382710000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764322414.0000024382743000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764383091.0000024382771000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1763881416.0000024380D61000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764264627.00000243826E0000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764131819.0000024382670000.00000002.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/mono/linker/issues/378	smphost.exe, 00000000.00000002.1715888577.0000023428590000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000000.00000002.1716854358.0000023429231000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740160225.000001E103760000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000002.00000002.1740972052.000001E104401000.00000020.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1764531949.0000028417430000.00000002.00000001.00040000.00000003.sdmp, smphost.exe, 00000004.00000002.1765424900.00000284180D1000.00000020.00000001.00040000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1457829
Start date and time:	2024-06-15 17:28:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Cmdline fuzzy
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	smphost.exe
Detection:	CLEAN
Classification:	clean5.winEXE@6/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\smphost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	39
Entropy (8bit):	4.272331064905147
Encrypted:	false
SSDEEP:	3:jEDKUhL4U3XzWhZV:Ephb0T
MD5:	FB9811737B94B41D3F4A672DE9F19C6B
SHA1:	F544C656FFB55B927D03CBE0BDBEAE9CA3987758
SHA-256:	D8C51A070B5DC2FE6B650D56904CECE141C57DE1E95D7819E2C5C540E1F741DA
SHA-512:	D86671FC2E82E77D29AE3192D54FBCC4F4157A8DF4B3D6CBA0E3B2CC53DB58C357140D88BE1B5A9C58108B334843C7C1EB9FCBBED947B8F71A58917CABC08250
Malicious:	false
Reputation:	low
Preview:	Usage: program.exe <IPAddress> <Port>..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.722787238497629
TrID:	Win64 Executable Console Net Framework (206006/5) 46.24% Win64 Executable Console (202006/5) 45.34% Win64 Executable (generic) Net Framework (21505/4) 4.83% Win64 Executable (generic) (12005/4) 2.69% Generic Win/DOS Executable (2004/3) 0.45%
File name:	smphost.exe
File size:	67'515'744 bytes
MD5:	e45d667483ba3bb5aa44892dfb48d544
SHA1:	413143564579a24e58606287b5e2a9f25c787197
SHA256:	8d3e747289e59d3cbf1e01d616609f02e79d5d3c6da373de60cd664fb078f539
SHA512:	1a0a4552f02f85cc56a43a8c74bec73f560fd7ee87c1b54b9ae9177794439a8d2d84bb8815b94abb6e1969d849ae43f921b363a83fce23398b108d44536afb4b
SSDEEP:	393216:7QeufzJiVW/FiAuner3UcOECuV59ZEXIYtr2hSudHlav8Qshg9owi0IaAh14a8GD:75utNiLcOjuV6pkH2EQshqXihYauM8a
TLSH:	05E7AE15B3E80A16E63FC27DC2638102E7B1B4535362C6CF0558EE992F53BC1AB77266
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.)Z..zZ..zZ..zSk\|zL..zZ..z[..z...{H..z...{F..z...{...z.k.{R..z.k.{W..zZ..zR..z...{O..z...{...z...{[..z...z[..z...{[..zRichZ..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x1405caa00
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x65F9E99A [Tue Mar 19 19:38:02 2024 UTC]
TLS Callbacks:	0x405c9e90, 0x1, 0x405ca650, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b819c89ac9b569d0bbb77889674017b2

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F4CCC867398h
dec eax
add esp, 28h
jmp 00007F4CCC866DFFh
int3
int3
dec eax
sub esp, 28h
call 00007F4CCC557D68h
jmp 00007F4CCC866F94h
xor eax, eax
dec eax
add esp, 28h
ret
int3
int3
jmp 00007F4CCC866F7Ch
int3
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc ebp
xor ebx, ebx
inc esp
mov edx, edx
inc ecx
xor eax, 6C65746Eh
inc ecx
xor edx, 49656E69h
inc esp
mov ecx, ebx
mov esi, eax
xor ecx, ecx
inc ecx
lea eax, dword ptr [ebx+01h]
inc ebp
or edx, eax
cpuid
inc ecx
xor ecx, 756E6547h
mov dword ptr [esp], eax
inc ebp
or edx, ecx
mov dword ptr [esp+04h], ebx
mov edi, ecx
mov dword ptr [esp+08h], ecx
mov dword ptr [esp+0Ch], edx
jne 00007F4CCC866FEDh
dec eax
or dword ptr [001CC607h], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [001CC5EFh], 00008000h
cmp eax, 000106C0h
je 00007F4CCC866FBAh
cmp eax, 00020660h
je 00007F4CCC866FB3h
cmp eax, 00020670h
je 00007F4CCC866FACh
add eax, FFFCF9B0h
cmp eax, 20h
jnbe 00007F4CCC866FB6h
dec eax
mov ecx, 00010001h
add dword ptr [eax], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x793320	0xc4	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7933e4	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x804000	0x146ef4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x7b7000	0x3606c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94b000	0x7e40	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x706570	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x706780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x6205c0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x619000	0xec8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x7930dc	0x60	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x616e8c	0x617000	93ba23585b4c50dc30464f8c2e89a235	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.CLR_UEF	0x618000	0xdd	0x200	0f029650c707355fdeca72d623b2f059	False	0.4140625	zlib compressed data	3.101176305399617	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x619000	0x17d212	0x17d400	4b5bff4c697d826c3d518f335b849539	False	0.41810258709016396	data	5.673676593462084	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x797000	0x1ff34	0x9800	32458c4af1cb7f5dedc72b8a4039362d	False	0.19700863486842105	DIY-Thermocam raw data (Lepton 2.x), scale -32619-31040, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 512.000000, slope 60934707261039714500608.000000	3.3113409826855906	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x7b7000	0x3606c	0x36200	729e39f881ef69204e11a19a8aef23c8	False	0.5050068562355658	data	6.479757411344553	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x7ee000	0x38	0x200	fe9ee59259a2bf6e81918437d96b083f	False	0.068359375	data	0.42693031941489346	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Section	0x7ef000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x7f0000	0x13408	0x13600	5b0a1a761734007585458397271ec848	False	0.1876008064516129	data	5.489522104557175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x804000	0x146ef4	0x147000	11070a5084e5933a3609d379a46f96e7	False	0.43213562571674313	data	6.358508485624431	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94b000	0x7e40	0x8000	4c1648f746054940bd1c6e8ed64e2f91	False	0.1563720703125	data	5.443061218573424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_RCDATA	0x804190	0x24	data	1.2222222222222223
RT_RCDATA	0x8041b4	0x24	data	1.2222222222222223
RT_RCDATA	0x8041d8	0x146820	PE32+ executable (DLL) (GUI) x86-64, for MS Windows	0.43875598907470703
RT_VERSION	0x94a9f8	0x2c0	data	0.4303977272727273
RT_MANIFEST	0x94acb8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
KERNEL32.dll	RaiseException, FreeLibrary, SetErrorMode, RaiseFailFastException, GetExitCodeProcess, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, AddVectoredExceptionHandler, MultiByteToWideChar, GetTickCount, FlushInstructionCache, QueryPerformanceFrequency, QueryPerformanceCounter, RtlLookupFunctionEntry, LocateXStateFeature, RtlDeleteFunctionTable, InterlockedPushEntrySList, InterlockedFlushSList, InitializeSListHead, GetTickCount64, DuplicateHandle, QueueUserAPC, WaitForSingleObjectEx, SetThreadPriority, GetThreadPriority, GetCurrentThreadId, TlsAlloc, GetCurrentThread, GetCurrentProcessId, CreateThread, GetModuleHandleW, WaitForMultipleObjectsEx, SignalObjectAndWait, RtlCaptureContext, SetThreadStackGuarantee, VirtualQuery, WriteFile, GetStdHandle, GetConsoleOutputCP, MapViewOfFileEx, UnmapViewOfFile, GetStringTypeExW, InterlockedPopEntrySList, ExitProcess, Sleep, CreateMemoryResourceNotification, VirtualAlloc, VirtualFree, VirtualProtect, SleepEx, SwitchToThread, SuspendThread, ResumeThread, InitializeContext, SetXStateFeaturesMask, RtlRestoreContext, CloseThreadpoolTimer, CreateThreadpoolTimer, SetThreadpoolTimer, ReadFile, GetFileSize, GetEnvironmentVariableW, SetEnvironmentVariableW, CreateEventW, SetEvent, ResetEvent, GetThreadContext, SetThreadContext, GetEnabledXStateFeatures, CopyContext, WerRegisterRuntimeExceptionModule, RtlInstallFunctionTableCallback, GetSystemDefaultLCID, GetUserDefaultLCID, RtlUnwind, HeapAlloc, HeapFree, GetProcessHeap, HeapCreate, HeapDestroy, GetEnvironmentStringsW, FreeEnvironmentStringsW, FormatMessageW, CreateSemaphoreExW, ReleaseSemaphore, GetACP, LCMapStringEx, LocalFree, VerSetConditionMask, VerifyVersionInfoW, QueryThreadCycleTime, GetLogicalProcessorInformationEx, SetThreadGroupAffinity, GetThreadGroupAffinity, GetProcessGroupAffinity, GetCurrentProcessorNumberEx, GetProcessAffinityMask, QueryInformationJobObject, CloseHandle, GetSystemTimeAsFileTime, GetModuleFileNameW, CreateProcessW, GetCPInfo, GetTempPathW, LoadLibraryExW, CreateFileW, GetFileAttributesExW, GetFullPathNameW, LoadLibraryExA, OutputDebugStringA, OpenEventW, ReleaseMutex, ExitThread, CreateMutexW, HeapReAlloc, CreateNamedPipeA, WaitForMultipleObjects, DisconnectNamedPipe, CreateFileA, CancelIoEx, GetOverlappedResult, ConnectNamedPipe, FlushFileBuffers, SetFilePointer, MapViewOfFile, GetActiveProcessorGroupCount, GetSystemTime, SetConsoleCtrlHandler, GetLocaleInfoEx, GetUserDefaultLocaleName, RtlAddFunctionTable, LoadLibraryW, CreateDirectoryW, RemoveDirectoryW, CreateActCtxW, ActivateActCtx, FindResourceW, GetWindowsDirectoryW, GetFileSizeEx, FindFirstFileExW, FindNextFileW, FindClose, LoadLibraryA, GetCurrentDirectoryW, IsWow64Process, EncodePointer, DecodePointer, CreateFileMappingA, TlsSetValue, TlsGetValue, GetSystemInfo, GetCurrentProcess, OutputDebugStringW, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, WideCharToMultiByte, GetCommandLineW, GetProcAddress, GetModuleHandleExW, SetThreadErrorMode, FlushProcessWriteBuffers, SetLastError, DebugBreak, WaitForSingleObject, GetNumaHighestNodeNumber, SetThreadAffinityMask, SetThreadIdealProcessorEx, GetThreadIdealProcessorEx, VirtualAllocExNuma, GetNumaProcessorNodeEx, VirtualUnlock, GetLargePageMinimum, IsProcessInJob, K32GetProcessMemoryInfo, GetLogicalProcessorInformation, GlobalMemoryStatusEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, RtlVirtualUnwind, IsProcessorFeaturePresent, RtlUnwindEx, InitializeCriticalSectionAndSpinCount, TlsFree, RtlPcToFileHeader, TryAcquireSRWLockExclusive, GetExitCodeThread, GetStringTypeW, InitializeCriticalSectionEx, GetLastError, CreateFileMappingW
ADVAPI32.dll	ReportEventW, AdjustTokenPrivileges, RegGetValueW, SetKernelObjectSecurity, GetSidSubAuthorityCount, GetSidSubAuthority, GetTokenInformation, OpenProcessToken, DeregisterEventSource, RegisterEventSourceW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, EventRegister, SetThreadToken, RevertToSelf, OpenThreadToken, EventWriteTransfer, EventWrite, LookupPrivilegeValueW
ole32.dll	CreateStreamOnHGlobal, CoRevokeInitializeSpy, CoGetClassObject, CoGetContextToken, CoGetObjectContext, CoUnmarshalInterface, CoMarshalInterface, CoGetMarshalSizeMax, CLSIDFromProgID, CoReleaseMarshalData, CoTaskMemFree, CoTaskMemAlloc, CoCreateGuid, CoInitializeEx, CoRegisterInitializeSpy, CoWaitForMultipleHandles, CoUninitialize, CoCreateFreeThreadedMarshaler
OLEAUT32.dll	CreateErrorInfo, SysFreeString, GetErrorInfo, SetErrorInfo, SysStringLen, SysAllocString, SysAllocStringLen, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayDestroy, QueryPathOfRegTypeLib, LoadTypeLibEx, SafeArrayGetVartype, VariantChangeType, VariantChangeTypeEx, VariantClear, VariantInit, VarCyFromDec, SafeArrayAllocDescriptorEx, GetRecordInfoFromTypeInfo, SafeArraySetRecordInfo, SafeArrayAllocData, SafeArrayGetElemsize, SysStringByteLen, SysAllocStringByteLen, SafeArrayCreateVector, SafeArrayPutElement, LoadRegTypeLib
USER32.dll	LoadStringW, MessageBoxW
SHELL32.dll	ShellExecuteW
api-ms-win-crt-string-l1-1-0.dll	strncat_s, wcsncat_s, strcmp, wcsnlen, wcscat_s, towupper, iswascii, _strdup, strncpy, strnlen, wcstok_s, isdigit, isupper, isalpha, towlower, _wcsdup, iswspace, isspace, islower, strtok_s, _wcsnicmp, strcspn, __strncnt, strlen, wcscpy_s, toupper, wcsncpy_s, strcpy_s, strcat_s, strncpy_s, _strnicmp, tolower, wcsncmp, iswupper, strncmp, _stricmp, _wcsicmp
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsscanf, fflush, __acrt_iob_func, __stdio_common_vfprintf, __stdio_common_vswprintf, __stdio_common_vfwprintf, fputws, fputwc, _get_stream_buffer_pointers, _fseeki64, fread, fsetpos, ungetc, fgetpos, fgets, fgetc, fputc, _wfsopen, _wfopen, __p__commode, _set_fmode, __stdio_common_vsnprintf_s, setvbuf, _setmode, _dup, _fileno, ftell, fseek, fputs, __stdio_common_vsnwprintf_s, __stdio_common_vsprintf_s, fwrite, _flushall, fopen, fclose
api-ms-win-crt-runtime-l1-1-0.dll	_crt_atexit, _cexit, _seh_filter_exe, _set_app_type, _register_onexit_function, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment, _initterm, _initterm_e, _exit, _invalid_parameter_noinfo_noreturn, __p___argc, __p___wargv, _c_exit, _register_thread_local_exe_atexit_callback, _initialize_onexit_table, _beginthreadex, terminate, _controlfp_s, _wcserror_s, _invalid_parameter_noinfo, _errno, exit, abort
api-ms-win-crt-convert-l1-1-0.dll	_atoi64, _ltow_s, _wtoi, strtoul, _wcstoui64, atol, _itow_s, strtoull, wcstoul
api-ms-win-crt-heap-l1-1-0.dll	free, _set_new_mode, calloc, malloc, realloc
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-math-l1-1-0.dll	asinhf, atanhf, cbrtf, acoshf, cosh, cbrt, coshf, exp, expf, acosh, atanh, floor, floorf, fma, fmaf, cosf, _fdopen, cos, ceilf, _copysignf, _isnanf, trunc, truncf, ilogb, ilogbf, tanhf, ceil, fmod, fmodf, atanf, frexp, atan2f, atan2, log, log10, log10f, atan, asinf, log2, log2f, logf, pow, powf, sin, sinf, asin, sinh, sinhf, sqrt, sqrtf, tan, tanf, tanh, acosf, _copysign, asinh, _isnan, _finite, modf, modff, acos, __setusermatherr
api-ms-win-crt-time-l1-1-0.dll	_time64, _gmtime64_s, wcsftime
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-locale-l1-1-0.dll	_unlock_locales, setlocale, __pctype_func, ___lc_locale_name_func, _lock_locales, ___lc_codepage_func, ___mb_cur_max_func, _configthreadlocale, localeconv
api-ms-win-crt-filesystem-l1-1-0.dll	_wrename, _unlock_file, _wremove, _lock_file

Exports

Name	Ordinal	Address
CLRJitAttachState	3	0x1407abb38
DotNetRuntimeInfo	4	0x140799590
MetaDataGetDispenser	5	0x14056bef0
g_CLREngineMetrics	2	0x140798d98
g_dacTable	6	0x1406405f0

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

• smphost.exe
• conhost.exe
• smphost.exe
• conhost.exe
• smphost.exe
• conhost.exe

Click to jump to process

Memory Usage

• smphost.exe
• conhost.exe
• smphost.exe
• conhost.exe
• smphost.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

System Behavior

Analysis Process: smphost.exePID: 6308, Parent PID: 2580

Function Logs

General

Target ID:	0
Start time:	11:29:00
Start date:	15/06/2024
Path:	C:\Users\user\Desktop\smphost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\smphost.exe" -install
Imagebase:	0x7ff6484f0000
File size:	67'515'744 bytes
MD5 hash:	E45D667483BA3BB5AA44892DFB48D544
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Created

File Written

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Key Opened

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6292, Parent PID: 6308

Function Logs

General

Target ID:	1
Start time:	11:29:00
Start date:	15/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: smphost.exePID: 1596, Parent PID: 2580

Function Logs

General

Target ID:	2
Start time:	11:29:03
Start date:	15/06/2024
Path:	C:\Users\user\Desktop\smphost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\smphost.exe" /install
Imagebase:	0x7ff7699e0000
File size:	67'515'744 bytes
MD5 hash:	E45D667483BA3BB5AA44892DFB48D544
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Written

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Key Opened

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6984, Parent PID: 1596

Function Logs

General

Target ID:	3
Start time:	11:29:03
Start date:	15/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: smphost.exePID: 5312, Parent PID: 2580

Function Logs

General

Target ID:	4
Start time:	11:29:05
Start date:	15/06/2024
Path:	C:\Users\user\Desktop\smphost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\smphost.exe" /load
Imagebase:	0x7ff6484f0000
File size:	67'515'744 bytes
MD5 hash:	E45D667483BA3BB5AA44892DFB48D544
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

File Activities

File Opened

File Written

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Show Windows behavior

Registry Activities

Key Opened

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Queried

Show Windows behavior

Thread Activities

Thread Created

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6600, Parent PID: 5312

Function Logs

General

Target ID:	5
Start time:	11:29:05
Start date:	15/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

File Activities

Volume Information Queried

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Thread Activities

Thread Created

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: smphost.exePID: 6308, Parent PID: 2580COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.8%
Total number of Nodes:	109
Total number of Limit Nodes:	0

Executed Functions

Function 000001F3938B7AC0 Relevance: 1.9, APIs: 1, Instructions: 404
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE ref: 000001F3938B7D82

Memory Dump Source

Source File: 00000000.00000002.1715275035.000001F3938B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001F3938B0000, based on PE: true

Associated: 00000000.00000002.1715258015.000001F3938B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715301514.000001F3938D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715318837.000001F3938D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715332428.000001F3938D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3938b0000_smphost.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 49f48fa59b2717629d865ea2170825846ff6bc5e78181d8085553fcf3097608d
Instruction ID: 621f1644ea40c2d35c9b2f0f2c153728676299f8d1073bf091a24193622f4953
Opcode Fuzzy Hash: 49f48fa59b2717629d865ea2170825846ff6bc5e78181d8085553fcf3097608d
Instruction Fuzzy Hash: 25D12B77B01A149AE725CB62FC40BAE3374B748B99F544035DE6A53B64DFB8C98AC700

Function 000001F3938B81B0 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNELBASE ref: 000001F3938B8254

Memory Dump Source

Source File: 00000000.00000002.1715275035.000001F3938B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001F3938B0000, based on PE: true

Associated: 00000000.00000002.1715258015.000001F3938B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715301514.000001F3938D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715318837.000001F3938D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715332428.000001F3938D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3938b0000_smphost.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 0b3c3f01842f473c41a81062c82626f8eb6e6258c765146833008e0865d7a38c
Instruction ID: 7eed220a2c25bde1f7eee6637b69de6803241e9042e242903b6e6a301cadf627
Opcode Fuzzy Hash: 0b3c3f01842f473c41a81062c82626f8eb6e6258c765146833008e0865d7a38c
Instruction Fuzzy Hash: 83316977A04A5699F720CFA1EC047ED3379B748B5CF545025CE6E17A68CFB48A8AC300

Function 000001F3938B7500 Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 000001F3938B7545

Memory Dump Source

Source File: 00000000.00000002.1715275035.000001F3938B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001F3938B0000, based on PE: true

Associated: 00000000.00000002.1715258015.000001F3938B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715301514.000001F3938D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715318837.000001F3938D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715332428.000001F3938D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3938b0000_smphost.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ebb4d259578cd60c189fde5a0f87fbab5bd4408df9f1ae397a1001f96a96ae71
Instruction ID: af1dc84f1c615a7f8844cde6f20ba97f9f5e61fa367937409859a6554e17cb55
Opcode Fuzzy Hash: ebb4d259578cd60c189fde5a0f87fbab5bd4408df9f1ae397a1001f96a96ae71
Instruction Fuzzy Hash: C6F03C77704A149AEB259B72FC04BFA2234B788B59F804131DD2E43760DEB8C98EC300

Function 00007FF5E8EC1A25 Relevance: .1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1718761407.00007FF5E8EC0000.00000020.00001000.00040000.00000000.sdmp, Offset: 00007FF5E8EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff5e8ec0000_smphost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d345a2c8c2bc33df6ebbf0f985dcef0f3f8099c895947693efbe9f4a171317d
Instruction ID: cf3dde0515b403a8c00f41df2c74a785152f5f27ba981f9a7e143541c721be93
Opcode Fuzzy Hash: 1d345a2c8c2bc33df6ebbf0f985dcef0f3f8099c895947693efbe9f4a171317d
Instruction Fuzzy Hash: F231A930C0898E8FDB84EF68C855ABDBBF1FF58301F140169D05DEB291DA75A951CB46

Function 00007FF5E8EC1A7E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1718761407.00007FF5E8EC0000.00000020.00001000.00040000.00000000.sdmp, Offset: 00007FF5E8EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff5e8ec0000_smphost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de798e3dbf89b46ecb5514c218aaec4f05bb0cc9551f99605798cc1af70c37f0
Instruction ID: 17d3ad85e4ef108eae4917bed613afa7b0b8153138932ece8857494cdf574aa1
Opcode Fuzzy Hash: de798e3dbf89b46ecb5514c218aaec4f05bb0cc9551f99605798cc1af70c37f0
Instruction Fuzzy Hash: 27F0F83090490D8FCF88EF88C494AACBBB1FB58311B60006ED01DD72A0CA369991CB00

Non-executed Functions

Function 00007FF648ABAE0C Relevance: 6.0, APIs: 4, Instructions: 39
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF648ABAE38
GetCurrentThreadId.KERNEL32 ref: 00007FF648ABAE46
GetCurrentProcessId.KERNEL32 ref: 00007FF648ABAE52
QueryPerformanceCounter.KERNEL32 ref: 00007FF648ABAE62

Memory Dump Source

Source File: 00000000.00000002.1719140111.00007FF6484F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6484F0000, based on PE: true

Associated: 00000000.00000002.1719125009.00007FF6484F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719508335.00007FF648B09000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719610256.00007FF648C87000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719626437.00007FF648C8C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719641142.00007FF648C8E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719641142.00007FF648C98000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719641142.00007FF648C9B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719641142.00007FF648CA0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719641142.00007FF648CA5000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719716613.00007FF648CA7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719742228.00007FF648CE0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1719742228.00007FF648CE5000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6484f0000_smphost.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: ba65f6a958aee0d3f0c3a7f6e6efc600877284dab9a37d7090099f024dbf0371
Instruction ID: 09c2bf7bc613e1aee28c9aade95d3ebbc967882e7963847e5c0160fe3d534a40
Opcode Fuzzy Hash: ba65f6a958aee0d3f0c3a7f6e6efc600877284dab9a37d7090099f024dbf0371
Instruction Fuzzy Hash: F4111C26B58F018AEB00EB71E8552A933B4F71A759F441E31DB6D86BA4EF78D1948340

Function 000001F3938BAF10 Relevance: 19.8, APIs: 12, Strings: 1, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001F3938BAF25
GetStdHandle.KERNEL32 ref: 000001F3938BAF51
GetStdHandle.KERNEL32 ref: 000001F3938BAFB7
GetStdHandle.KERNEL32 ref: 000001F3938BAFEC
GetStdHandle.KERNEL32 ref: 000001F3938BB05B
GetStdHandle.KERNEL32 ref: 000001F3938BB0A3
GetStdHandle.KERNEL32 ref: 000001F3938BB105

Strings

d, xrefs: 000001F3938BAF9D

Memory Dump Source

Source File: 00000000.00000002.1715275035.000001F3938B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001F3938B0000, based on PE: true

Associated: 00000000.00000002.1715258015.000001F3938B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715301514.000001F3938D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715318837.000001F3938D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715332428.000001F3938D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3938b0000_smphost.jbxd

Similarity

API ID: Handle
String ID: d
API String ID: 2519475695-2564639436
Opcode ID: 04f09340ac1d4f7a73af076a5bfaecf0aad1991f26a6c068942f7bac34692b0d
Instruction ID: 5f2846b3ef644c7838ff579b45db3414c78f277166f53f83834602ed6c51d8a7
Opcode Fuzzy Hash: 04f09340ac1d4f7a73af076a5bfaecf0aad1991f26a6c068942f7bac34692b0d
Instruction Fuzzy Hash: 7EA144B7209A4382EB155B25E8543BA33B9FB44BA9F446135D97A437A4DFFEC64C8300

Function 000001F3938BC000 Relevance: 6.6, APIs: 5, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001F3938BC0A9
GetStdHandle.KERNEL32 ref: 000001F3938BC290
GetStdHandle.KERNEL32 ref: 000001F3938BC2DB
GetStdHandle.KERNEL32 ref: 000001F3938BC453
GetStdHandle.KERNEL32 ref: 000001F3938BC47C

Memory Dump Source

Source File: 00000000.00000002.1715275035.000001F3938B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001F3938B0000, based on PE: true

Associated: 00000000.00000002.1715258015.000001F3938B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715301514.000001F3938D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715318837.000001F3938D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715332428.000001F3938D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3938b0000_smphost.jbxd

Similarity

API ID: Handle
String ID:
API String ID: 2519475695-0
Opcode ID: 8be3169f8ff43b1310e7f7e9c82ba98c26c69ae8559d4fd44e70a2a5d480b0e4
Instruction ID: 9a1c166e0568467f3cc6c711673844aca31a29d8151a26f5410898cce6cfd720
Opcode Fuzzy Hash: 8be3169f8ff43b1310e7f7e9c82ba98c26c69ae8559d4fd44e70a2a5d480b0e4
Instruction Fuzzy Hash: F4F16DB7605A0386EB049BA5E8443FE237AB748F99F156035CD7A53B64DFF9868D8300

Function 000001F3938BA6D0 Relevance: 6.6, APIs: 5, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001F3938BA7C8

Memory Dump Source

Source File: 00000000.00000002.1715275035.000001F3938B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001F3938B0000, based on PE: true

Associated: 00000000.00000002.1715258015.000001F3938B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715301514.000001F3938D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715318837.000001F3938D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000000.00000002.1715332428.000001F3938D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f3938b0000_smphost.jbxd

Similarity

API ID: Handle
String ID:
API String ID: 2519475695-0
Opcode ID: c3e879d798494e0862c0c1eb295d9db67cf5b64f46037932294a99ea997a39b5
Instruction ID: 16dc6b8c2e7e8658e75f702c30b19a6790f8d1e9ef538a90c3a8443bfa97cfce
Opcode Fuzzy Hash: c3e879d798494e0862c0c1eb295d9db67cf5b64f46037932294a99ea997a39b5
Instruction Fuzzy Hash: AFD16BB3A18A439AE7149B65E8403FD33B8F744B58F542125DE7A03A94DFFAC689C701

Analysis Process: smphost.exePID: 1596, Parent PID: 2580COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	105
Total number of Limit Nodes:	0

Executed Functions

Function 000001A06EAF7AC0 Relevance: 1.9, APIs: 1, Instructions: 404
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE ref: 000001A06EAF7D82

Memory Dump Source

Source File: 00000002.00000002.1739990269.000001A06EAF1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001A06EAF0000, based on PE: true

Associated: 00000002.00000002.1739975143.000001A06EAF0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740011948.000001A06EB14000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740027140.000001A06EB16000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740040480.000001A06EB17000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a06eaf0000_smphost.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 49f48fa59b2717629d865ea2170825846ff6bc5e78181d8085553fcf3097608d
Instruction ID: 6bf9a9401bd6d55a9123fe02ff60fa314bd7e479e6e0bf7f9d339f551a70cc08
Opcode Fuzzy Hash: 49f48fa59b2717629d865ea2170825846ff6bc5e78181d8085553fcf3097608d
Instruction Fuzzy Hash: A2D11976B02B149AE725CBA2FC507DE3374BB49BADF544025DE4E52B64DE38889BC700

Function 000001A06EAF81B0 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNELBASE ref: 000001A06EAF8254

Memory Dump Source

Source File: 00000002.00000002.1739990269.000001A06EAF1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001A06EAF0000, based on PE: true

Associated: 00000002.00000002.1739975143.000001A06EAF0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740011948.000001A06EB14000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740027140.000001A06EB16000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740040480.000001A06EB17000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a06eaf0000_smphost.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 0b3c3f01842f473c41a81062c82626f8eb6e6258c765146833008e0865d7a38c
Instruction ID: 8ad3a5d851b30873e89a25e6b6e6d636f08bf28360a8cbc8eb83220e61e8b2d2
Opcode Fuzzy Hash: 0b3c3f01842f473c41a81062c82626f8eb6e6258c765146833008e0865d7a38c
Instruction Fuzzy Hash: BE3149B6B02B1499F722CBA1EC143DD3371BB4AB6CF584125DE0D56A58DF349CAAC301

Function 000001A06EAF7500 Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 000001A06EAF7545

Memory Dump Source

Source File: 00000002.00000002.1739990269.000001A06EAF1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001A06EAF0000, based on PE: true

Associated: 00000002.00000002.1739975143.000001A06EAF0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740011948.000001A06EB14000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740027140.000001A06EB16000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740040480.000001A06EB17000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a06eaf0000_smphost.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ebb4d259578cd60c189fde5a0f87fbab5bd4408df9f1ae397a1001f96a96ae71
Instruction ID: 968663f6ff006cdde2e21a789b25819d88a7f8a3baab96abe3672aced6a6faa7
Opcode Fuzzy Hash: ebb4d259578cd60c189fde5a0f87fbab5bd4408df9f1ae397a1001f96a96ae71
Instruction Fuzzy Hash: 01F0E176701B1495EB169B71FC147DA6330BB4A7ADF444175DD0E42750DE38889FC301

Function 00007FF5E8EA1A25 Relevance: .1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1743338105.00007FF5E8EA0000.00000020.00001000.00040000.00000000.sdmp, Offset: 00007FF5E8EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff5e8ea0000_smphost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ef08e13fb22e31bac46cf215852ad0c6506c0fa4f0a4c93d46ea3d83bd4854
Instruction ID: 78d9a5f41f69d88648906e602d54c58679fed49de5ea6bad2afa08e853db745c
Opcode Fuzzy Hash: 47ef08e13fb22e31bac46cf215852ad0c6506c0fa4f0a4c93d46ea3d83bd4854
Instruction Fuzzy Hash: BA31BA30C0894D8FDB84EFA8C851ABD7BF1FF58302F1405A9D05EDB291DA74A951CB46

Function 00007FF5E8EA1A7E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1743338105.00007FF5E8EA0000.00000020.00001000.00040000.00000000.sdmp, Offset: 00007FF5E8EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff5e8ea0000_smphost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de798e3dbf89b46ecb5514c218aaec4f05bb0cc9551f99605798cc1af70c37f0
Instruction ID: 28b6d545b825f87e306acd2f1e0a994bec59d116adf163360b54032bdda3535e
Opcode Fuzzy Hash: de798e3dbf89b46ecb5514c218aaec4f05bb0cc9551f99605798cc1af70c37f0
Instruction Fuzzy Hash: 7EF0F83090490D8FCF88EF88C494AACBBB1FB58312B6004AED01ED7290CA359991CB00

Non-executed Functions

Function 000001A06EAFAF10 Relevance: 19.8, APIs: 12, Strings: 1, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001A06EAFAF25
GetStdHandle.KERNEL32 ref: 000001A06EAFAF51
GetStdHandle.KERNEL32 ref: 000001A06EAFAFB7
GetStdHandle.KERNEL32 ref: 000001A06EAFAFEC
GetStdHandle.KERNEL32 ref: 000001A06EAFB05B
GetStdHandle.KERNEL32 ref: 000001A06EAFB0A3
GetStdHandle.KERNEL32 ref: 000001A06EAFB105

Strings

d, xrefs: 000001A06EAFAF9D

Memory Dump Source

Source File: 00000002.00000002.1739990269.000001A06EAF1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001A06EAF0000, based on PE: true

Associated: 00000002.00000002.1739975143.000001A06EAF0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740011948.000001A06EB14000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740027140.000001A06EB16000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740040480.000001A06EB17000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a06eaf0000_smphost.jbxd

Similarity

API ID: Handle
String ID: d
API String ID: 2519475695-2564639436
Opcode ID: 04f09340ac1d4f7a73af076a5bfaecf0aad1991f26a6c068942f7bac34692b0d
Instruction ID: ac12f8379215e34a1020207ce128cab12f0cca14e87e6946dbd6ad77fa2c66c7
Opcode Fuzzy Hash: 04f09340ac1d4f7a73af076a5bfaecf0aad1991f26a6c068942f7bac34692b0d
Instruction Fuzzy Hash: 09A1F3F5302B4181EA169B65F8643DA33B1FF4EBBDF446225D91E426A4DF28CD66C302

Function 000001A06EAFC000 Relevance: 6.6, APIs: 5, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001A06EAFC0A9
GetStdHandle.KERNEL32 ref: 000001A06EAFC290
GetStdHandle.KERNEL32 ref: 000001A06EAFC2DB
GetStdHandle.KERNEL32 ref: 000001A06EAFC453
GetStdHandle.KERNEL32 ref: 000001A06EAFC47C

Memory Dump Source

Source File: 00000002.00000002.1739990269.000001A06EAF1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001A06EAF0000, based on PE: true

Associated: 00000002.00000002.1739975143.000001A06EAF0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740011948.000001A06EB14000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740027140.000001A06EB16000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740040480.000001A06EB17000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a06eaf0000_smphost.jbxd

Similarity

API ID: Handle
String ID:
API String ID: 2519475695-0
Opcode ID: 8be3169f8ff43b1310e7f7e9c82ba98c26c69ae8559d4fd44e70a2a5d480b0e4
Instruction ID: 2e254f280ea99e53ef37b87c1174086f2aea66b6602c8bd43383ad0747e7b00c
Opcode Fuzzy Hash: 8be3169f8ff43b1310e7f7e9c82ba98c26c69ae8559d4fd44e70a2a5d480b0e4
Instruction Fuzzy Hash: 12F141B5702B1186EB069FA2E8643EE2372BB4EFADF155125CD0E57764DF388856C302

Function 000001A06EAFA6D0 Relevance: 6.6, APIs: 5, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 000001A06EAFA7C8

Memory Dump Source

Source File: 00000002.00000002.1739990269.000001A06EAF1000.00000020.00000001.00040000.00000003.sdmp, Offset: 000001A06EAF0000, based on PE: true

Associated: 00000002.00000002.1739975143.000001A06EAF0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740011948.000001A06EB14000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740027140.000001A06EB16000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000002.00000002.1740040480.000001A06EB17000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_1a06eaf0000_smphost.jbxd

Similarity

API ID: Handle
String ID:
API String ID: 2519475695-0
Opcode ID: c3e879d798494e0862c0c1eb295d9db67cf5b64f46037932294a99ea997a39b5
Instruction ID: e0d3df0a3bf06145813ce5348db8f13704cbc4e7e4ed47d2e0e4ce4abe748e95
Opcode Fuzzy Hash: c3e879d798494e0862c0c1eb295d9db67cf5b64f46037932294a99ea997a39b5
Instruction Fuzzy Hash: CFD17EB2B16B408AE7169B61E8503ED3371FB4EBADF145115DE4E02A94DF38DCA6C702

Analysis Process: smphost.exePID: 5312, Parent PID: 2580COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	105
Total number of Limit Nodes:	0

Executed Functions

Function 00000243826B7AC0 Relevance: 1.9, APIs: 1, Instructions: 404
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE ref: 00000243826B7D82

Memory Dump Source

Source File: 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 00000243826B0000, based on PE: true

Associated: 00000004.00000002.1764176442.00000243826B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764214503.00000243826D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764230331.00000243826D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764245648.00000243826D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_243826b0000_smphost.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 49f48fa59b2717629d865ea2170825846ff6bc5e78181d8085553fcf3097608d
Instruction ID: 31b1fe3533c6d5fca3c225f797d21d9a35b6adb0f99d927af9310aedc9299ab0
Opcode Fuzzy Hash: 49f48fa59b2717629d865ea2170825846ff6bc5e78181d8085553fcf3097608d
Instruction Fuzzy Hash: 64D16B26B01A589AF764CF62FC04B9D7374BB48B99F514025EE4A67B64DF38CD8AC700

Function 00000243826B81B0 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleOutputCP.KERNELBASE ref: 00000243826B8254

Memory Dump Source

Source File: 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 00000243826B0000, based on PE: true

Associated: 00000004.00000002.1764176442.00000243826B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764214503.00000243826D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764230331.00000243826D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764245648.00000243826D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_243826b0000_smphost.jbxd

Similarity

API ID: ConsoleOutput
String ID:
API String ID: 3985236979-0
Opcode ID: 0b3c3f01842f473c41a81062c82626f8eb6e6258c765146833008e0865d7a38c
Instruction ID: d09c188830b900ff902c87869cdd956170274e460d2aee24913a3531ed5019c7
Opcode Fuzzy Hash: 0b3c3f01842f473c41a81062c82626f8eb6e6258c765146833008e0865d7a38c
Instruction Fuzzy Hash: B2313C26B00A549AF761CF61EC4879CB371BB48B58F554125EE4D2BA58DF788E8AC300

Function 00000243826B7500 Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNELBASE ref: 00000243826B7545

Memory Dump Source

Source File: 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 00000243826B0000, based on PE: true

Associated: 00000004.00000002.1764176442.00000243826B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764214503.00000243826D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764230331.00000243826D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764245648.00000243826D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_243826b0000_smphost.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: ebb4d259578cd60c189fde5a0f87fbab5bd4408df9f1ae397a1001f96a96ae71
Instruction ID: d9e718ba3717b5f7c0d05ac6ee3fcb976565ae7e9c1c986c503135d3fe772224
Opcode Fuzzy Hash: ebb4d259578cd60c189fde5a0f87fbab5bd4408df9f1ae397a1001f96a96ae71
Instruction Fuzzy Hash: 7EF03C26700A589BFB61DB72FC08B996230BB88B55F404131ED0E56760DE78CD8AC300

Function 00007FF5E8ED1A25 Relevance: .1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1768326676.00007FF5E8ED0000.00000020.00001000.00040000.00000000.sdmp, Offset: 00007FF5E8ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff5e8ed0000_smphost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c2323d7513874ee7529f4164d76d84834422e559d7d13f1586b89d0653cd49e
Instruction ID: 4769a95d6900b7f971f6c6e1a2dd44e0cc4f4fbcadd417b950dac957ba49a3b8
Opcode Fuzzy Hash: 2c2323d7513874ee7529f4164d76d84834422e559d7d13f1586b89d0653cd49e
Instruction Fuzzy Hash: CC31B87080894E8FDB84EFA8C851ABDBBF2FF58301F040169D45DEB2D1DA35A965CB02

Function 00007FF5E8ED1A7E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.1768326676.00007FF5E8ED0000.00000020.00001000.00040000.00000000.sdmp, Offset: 00007FF5E8ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff5e8ed0000_smphost.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de798e3dbf89b46ecb5514c218aaec4f05bb0cc9551f99605798cc1af70c37f0
Instruction ID: 6970d97fba6a5caf98bece2f8075d2bc741c7f3982b4ad686151a11385e8c848
Opcode Fuzzy Hash: de798e3dbf89b46ecb5514c218aaec4f05bb0cc9551f99605798cc1af70c37f0
Instruction Fuzzy Hash: E5F0F87090490D8FCF88EF98C494AACBBB1FB58311B60006ED01DD7390CA369991CB00

Non-executed Functions

Function 00000243826BAF10 Relevance: 19.8, APIs: 12, Strings: 1, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00000243826BAF25
GetStdHandle.KERNEL32 ref: 00000243826BAF51
GetStdHandle.KERNEL32 ref: 00000243826BAFB7
GetStdHandle.KERNEL32 ref: 00000243826BAFEC
GetStdHandle.KERNEL32 ref: 00000243826BB05B
GetStdHandle.KERNEL32 ref: 00000243826BB0A3
GetStdHandle.KERNEL32 ref: 00000243826BB105

Strings

d, xrefs: 00000243826BAF9D

Memory Dump Source

Source File: 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 00000243826B0000, based on PE: true

Associated: 00000004.00000002.1764176442.00000243826B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764214503.00000243826D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764230331.00000243826D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764245648.00000243826D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_243826b0000_smphost.jbxd

Similarity

API ID: Handle
String ID: d
API String ID: 2519475695-2564639436
Opcode ID: 04f09340ac1d4f7a73af076a5bfaecf0aad1991f26a6c068942f7bac34692b0d
Instruction ID: a292dc51eb908e98527d9c8183e1ff06badfe949112818ebf6a1bb5467b9d740
Opcode Fuzzy Hash: 04f09340ac1d4f7a73af076a5bfaecf0aad1991f26a6c068942f7bac34692b0d
Instruction Fuzzy Hash: B5A15265201A4883FB94DB35F85C369B3A1FF48FA2F454215F95A5A7A4DFAECE84C300

Function 00000243826BC000 Relevance: 6.6, APIs: 5, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00000243826BC0A9
GetStdHandle.KERNEL32 ref: 00000243826BC290
GetStdHandle.KERNEL32 ref: 00000243826BC2DB
GetStdHandle.KERNEL32 ref: 00000243826BC453
GetStdHandle.KERNEL32 ref: 00000243826BC47C

Memory Dump Source

Source File: 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 00000243826B0000, based on PE: true

Associated: 00000004.00000002.1764176442.00000243826B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764214503.00000243826D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764230331.00000243826D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764245648.00000243826D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_243826b0000_smphost.jbxd

Similarity

API ID: Handle
String ID:
API String ID: 2519475695-0
Opcode ID: 8be3169f8ff43b1310e7f7e9c82ba98c26c69ae8559d4fd44e70a2a5d480b0e4
Instruction ID: aa16b5b6ad393185708af797c4965574d6ecb2cbc180f824a90ce7e1b7d62fb2
Opcode Fuzzy Hash: 8be3169f8ff43b1310e7f7e9c82ba98c26c69ae8559d4fd44e70a2a5d480b0e4
Instruction Fuzzy Hash: 62F18135700A488BFB40DFA6E8483ACA371BF48F95F154125ED4A6B764DFB98E85C340

Function 00000243826BA6D0 Relevance: 6.6, APIs: 5, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32 ref: 00000243826BA7C8

Memory Dump Source

Source File: 00000004.00000002.1764192887.00000243826B1000.00000020.00000001.00040000.00000003.sdmp, Offset: 00000243826B0000, based on PE: true

Associated: 00000004.00000002.1764176442.00000243826B0000.00000002.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764214503.00000243826D4000.00000004.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764230331.00000243826D6000.00000008.00000001.00040000.00000003.sdmpDownload File
Associated: 00000004.00000002.1764245648.00000243826D7000.00000002.00001000.00040000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_243826b0000_smphost.jbxd

Similarity

API ID: Handle
String ID:
API String ID: 2519475695-0
Opcode ID: c3e879d798494e0862c0c1eb295d9db67cf5b64f46037932294a99ea997a39b5
Instruction ID: df079da6ba8d6af0d6653c0bdeac14c39125e49209ba55094b1de48deb470fe6
Opcode Fuzzy Hash: c3e879d798494e0862c0c1eb295d9db67cf5b64f46037932294a99ea997a39b5
Instruction Fuzzy Hash: 4DD1AE36A14A488BFB54DB66E8483ACB3B0FB49B54F150115FE4A1AB94DFB9CEC5C700

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report smphost.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: smphost.exePID: 6308, Parent PID: 2580

General

File Activities

File Opened

File Created

File Written

File Attributes Queried

Other File Operations

Windows Analysis Report
smphost.exe