Windows Analysis Report
taskhostw.exe

Overview

General Information

Sample Name: taskhostw.exe
Analysis ID: 563751
MD5: 252dce576f9fbb9aaa7114dd7150f320
SHA1: c07f0a02c284b697dff119839f455836be39d10e
SHA256: b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad
Tags: exe, Netsupport, signed

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Tries to load missing DLLs
Program does not show much activity (idle)
Yara detected NetSupport remote tool

Classification

Classification chart categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious
  • System is w10x64
  • taskhostw.exe (PID: 4388 cmdline: "C:\Users\user\Desktop\taskhostw.exe" MD5: 252DCE576F9FBB9AAA7114DD7150F320)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
taskhostw.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.349361508.00000000010F2000.00000004.00000001.01000000.00000003.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000000.00000002.349372344.00000000010F3000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
00000000.00000000.338422128.00000000010F2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
Process Memory Space: taskhostw.exe PID: 4388 | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |

Source | Rule | Description | Author | Strings
0.2.taskhostw.exe.10f0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
0.0.taskhostw.exe.10f0000.0.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security |
No Sigma rule has matched

AV Detection

Source: taskhostw.exe, Virustotal: Detection: 7%
Source: taskhostw.exe, ReversingLabs: Detection: 25%
Source: taskhostw.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: taskhostw.exe, Static PE information: certificate valid
Source: taskhostw.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: E:\nsmsrc\nsm\1280\1280\client32\release_unicode\client32.pdb source: taskhostw.exe
Source: taskhostw.exe, String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: taskhostw.exe, String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: taskhostw.exe, String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: taskhostw.exe, String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: taskhostw.exe, String found in binary or memory: http://ocsp.sectigo.com0
Source: taskhostw.exe, String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: taskhostw.exe, String found in binary or memory: http://s2.symcb.com0
Source: taskhostw.exe, String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: taskhostw.exe, String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: taskhostw.exe, String found in binary or memory: http://sv.symcd.com0&
Source: taskhostw.exe, String found in binary or memory: http://www.symauth.com/cps0(
Source: taskhostw.exe, String found in binary or memory: http://www.symauth.com/rpa00
Source: taskhostw.exe, String found in binary or memory: https://d.symcb.com/cps0%
Source: taskhostw.exe, String found in binary or memory: https://d.symcb.com/rpa0
Source: taskhostw.exe, String found in binary or memory: https://sectigo.com/CPS0B
Source: taskhostw.exe, String found in binary or memory: https://sectigo.com/CPS0D
Source: taskhostw.exe, 00000000.00000002.349326302.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: taskhostw.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: taskhostw.exe, 00000000.00000002.349372344.00000000010F3000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameclient32.exe0 vs taskhostw.exe
Source: taskhostw.exe, 00000000.00000000.338422128.00000000010F2000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenameclient32.exe0 vs taskhostw.exe
Source: taskhostw.exe, Binary or memory string: OriginalFilenameclient32.exe0 vs taskhostw.exe
Source: taskhostw.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: taskhostw.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\taskhostw.exe, Section loaded: pcicl32.dll
Source: taskhostw.exe, Virustotal: Detection: 7%
Source: taskhostw.exe, ReversingLabs: Detection: 25%
Source: taskhostw.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\taskhostw.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: taskhostw.exe, String found in binary or memory: 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05
Source: classification engine, Classification label: mal48.winEXE@1/0@0/0
Source: taskhostw.exe, Static PE information: certificate valid
Source: taskhostw.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: taskhostw.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: E:\nsmsrc\nsm\1280\1280\client32\release_unicode\client32.pdb source: taskhostw.exe
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: Yara match, File source: taskhostw.exe, type: SAMPLE
Source: Yara match, File source: 0.2.taskhostw.exe.10f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.0.taskhostw.exe.10f0000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.349361508.00000000010F2000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.349372344.00000000010F3000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.338422128.00000000010F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: taskhostw.exe PID: 4388, type: MEMORYSTR
Tactic | Matching signatures | Technique
Initial Access | | Valid Accounts
Execution | 2 | Command and Scripting Interpreter
Persistence | 1 | DLL Side-Loading
Privilege Escalation | 1 | DLL Side-Loading
Defense Evasion | 1 | DLL Side-Loading
Credential Access | 1 | Input Capture
Discovery | 1 | System Information Discovery
Lateral Movement | | Remote Services
Collection | 1 | Input Capture
Exfiltration | | Exfiltration Over Other Network Medium
Command and Control | | Data Obfuscation
Network Effects | | Eavesdrop on Insecure Network Communication
Remote Service Effects | | Remotely Track Device Without Authorization
Impact | | Modify System Partition

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 563751, Sample: taskhostw.exe, Start date: 31/01/2022, Architecture: WINDOWS, Score: 48. Graph nodes: start -> taskhostw.exe (started); signature node: Multi AV Scanner detection for submitted file.
Source | Detection | Scanner | Label
taskhostw.exe | 8% | Virustotal |
taskhostw.exe | 0% | Metadefender |
taskhostw.exe | 25% | ReversingLabs | Win32.Trojan.NetSupportManager
No Antivirus matches
Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://sectigo.com/CPS0B | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | URL Reputation | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
                No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | taskhostw.exe | false | URL Reputation: safe | unknown
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | taskhostw.exe | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | taskhostw.exe | false | URL Reputation: safe | unknown
http://www.symauth.com/cps0( | taskhostw.exe | false | | high
http://www.symauth.com/rpa00 | taskhostw.exe | false | | high
https://sectigo.com/CPS0B | taskhostw.exe | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | taskhostw.exe | false | URL Reputation: safe | unknown
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | taskhostw.exe | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0D | taskhostw.exe | false | URL Reputation: safe | unknown
                    No contacted IP infos
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 563751
Start date: 31.01.2022
Start time: 23:07:38
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 30s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: taskhostw.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winEXE@1/0@0/0
EGA Information: Failed
HDC Information:
• Successful, ratio: 100% (good quality ratio 100%)
• Quality average: 75%
• Quality standard deviation: 25%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 1
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.211.6.115
• Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, store-images.s-microsoft.com-c.edgekey.net
• Execution Graph export aborted for target taskhostw.exe, PID 4388 because there are no executed functions
                    No simulations
No context
                    No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 4.950187105195601
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: taskhostw.exe
File size: 112176
MD5: 252dce576f9fbb9aaa7114dd7150f320
SHA1: c07f0a02c284b697dff119839f455836be39d10e
SHA256: b6b51f4273420c24ea7dc13ef4cc7615262ccbdf6f5e5a49dae604ec153055ad
SHA512: 17255a8255b152edf896b4eb1719a2c52dbfed38887aa79b02fe54fcefca45c5089ed6340b8251fea1cf031b7c016328bd88741a066fa138ca7b722cf970b06b
SSDEEP: 768:c5VZl6FhWr80/0fyXt/cfdtVJvriXiRzi:c90hG8f8dcFPVWXiI
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.g.W.g.W.g.^...U.g.8...T.g.W.f.R.g.8...V.g.8...V.g.8...V.g.RichW.g.........PE..L......^.....................r...... ......
Icon Hash: 050d124130a1c151
Entrypoint: 0x401020
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5E2EEEBC [Mon Jan 27 14:07:56 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: a9d50692e95b79723f3e76fcf70d023e
Signature Valid: true
Signature Issuer: CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After:
• 9/14/2017 5:00:00 PM, 9/22/2020 4:59:59 PM
Subject Chain:
• CN=NetSupport Ltd, O=NetSupport Ltd, L=Peterborough, S=Cambridgeshire, C=GB
Version: 3
Thumbprint MD5: 3D34EA0E8E4C65FC7C8599BE3ACDE072
Thumbprint SHA-1: F84EC9488BDAC5F90DB3C474B55E31A8F10A2026
Thumbprint SHA-256: FCD6A7E626908DC8E5D3CE6FC9350EC099C42FB1AD1231A75208B54754985089
Serial: 79906FAF4FBD75BAA10B322356A07F6D
                    Instruction
                    push ebp
                    mov ebp, esp
                    sub esp, 44h
                    push esi
                    call dword ptr [00402000h]
                    mov esi, eax
                    cmp word ptr [esi], 0022h
                    jne 00007F4D4CA0385Dh
                    movzx eax, word ptr [esi+02h]
                    add esi, 02h
                    test ax, ax
                    je 00007F4D4CA037F4h
                    cmp ax, 0022h
                    je 00007F4D4CA037F4h
                    movzx eax, word ptr [esi+02h]
                    add esi, 02h
                    test ax, ax
                    jne 00007F4D4CA037D0h
                    cmp word ptr [esi], 0022h
                    jne 00007F4D4CA037E5h
                    add esi, 02h
                    movzx eax, word ptr [esi]
                    test ax, ax
                    je 00007F4D4CA037F4h
                    cmp ax, 0020h
                    jnbe 00007F4D4CA037EEh
                    movzx eax, word ptr [esi+02h]
                    add esi, 02h
                    test ax, ax
                    jne 00007F4D4CA037D0h
                    lea eax, dword ptr [ebp-44h]
                    push eax
                    mov dword ptr [ebp-18h], 00000000h
                    call dword ptr [0040200Ch]
                    test byte ptr [ebp-18h], 00000001h
                    movzx eax, word ptr [ebp-14h]
                    jne 00007F4D4CA037E7h
                    mov eax, 0000000Ah
                    push eax
                    push esi
                    push 00000000h
                    push 00000000h
                    call dword ptr [00402008h]
                    push eax
                    call 00007F4D4CA0373Dh
                    push eax
                    call dword ptr [00402004h]
                    nop
                    cmp word ptr [esi], 0020h
                    jbe 00007F4D4CA03788h
                    add esi, 02h
                    jmp 00007F4D4CA037D7h
                    int3
                    jmp dword ptr [00402014h]
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    add byte ptr [eax], al
                    Programming Language:
                    • [C++] VS2010 build 30319
                    • [IMP] VS2010 build 30319
                    • [RES] VS2010 build 30319
                    • [IMP] VS2008 SP1 build 30729
                    • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x203c | 0x3c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3000 | 0x16c08 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x17800 | 0x3e30 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0x14 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2020 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xc2 | 0x200 | False | 0.318359375 | data | 2.77998506607 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x2000 | 0x15e | 0x200 | False | 0.46484375 | data | 3.50726381565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3000 | 0x16c08 | 0x16e00 | False | 0.106034409153 | data | 4.13266450046 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1a000 | 0x6c | 0x200 | False | 0.060546875 | data | 0.221676205458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x32c8 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x3b70 | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x40d8 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 4281761986, next used block 4281761986 | |
RT_ICON | 0x14900 | 0x25a8 | data | |
RT_ICON | 0x16ea8 | 0x10a8 | data | |
RT_ICON | 0x17f50 | 0x988 | data | |
RT_ICON | 0x188d8 | 0x6b8 | data | |
RT_ICON | 0x18f90 | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_STRING | 0x193f8 | 0x62 | data | |
RT_GROUP_ICON | 0x1945c | 0x76 | data | |
RT_VERSION | 0x194d4 | 0x3ac | data | |
RT_MANIFEST | 0x19880 | 0x385 | XML 1.0 document, ASCII text, with CRLF line terminators | |
DLL | Import
PCICL32.dll | _NSMClient32@8
KERNEL32.dll | GetCommandLineW, ExitProcess, GetModuleHandleW, GetStartupInfoW

Description | Data
LegalCopyright | Copyright (c) 2020, NetSupport Ltd
InternalName | client32
FileVersion | V12.80
CompanyName | NetSupport Ltd
PrivateBuild | V12.80
LegalTrademarks |
Comments |
ProductName | NetSupport Remote Control
SpecialBuild |
ProductVersion | V12.80
FileDescription | NetSupport Client Application
OriginalFilename | client32.exe
Translation | 0x0809 0x04b0
                    No network behavior found
Target ID: 0
Start time: 23:08:33
Start date: 31/01/2022
Path: C:\Users\user\Desktop\taskhostw.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\taskhostw.exe"
Imagebase: 0x10f0000
File size: 112176 bytes
MD5 hash: 252DCE576F9FBB9AAA7114DD7150F320
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000002.349361508.00000000010F2000.00000004.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000002.349372344.00000000010F3000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000000.00000000.338422128.00000000010F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation: low

                    Non-executed Functions

C-Code - Quality: 100%

_entry_() {
	struct _STARTUPINFOW _v72;
	signed int _t11;
	signed int _t13;
	signed int _t16;
	signed short* _t17;

	/* _t17 walks the raw wide-character command line returned by the OS. */
	_t17 = GetCommandLineW();
	if( *_t17 != 0x22) {
		/* Unquoted program name: skip to the first whitespace/control character (<= 0x20). */
		while( *_t17 > 0x20) {
			_t17 =  &(_t17[1]);
		}
		L6:
		/* Skip the separating whitespace so _t17 points at the first argument character. */
		_t11 =  *_t17 & 0x0000ffff;
		if(_t11 == 0) {
			L9:
			/* Use the show-window value from the startup info only if STARTF_USESHOWWINDOW (0x1) is set;
			   otherwise fall back to 0xa (SW_SHOWDEFAULT). */
			_v72.dwFlags = 0;
			GetStartupInfoW( &_v72);
			_t13 = _v72.wShowWindow & 0x0000ffff;
			if((_v72.dwFlags & 0x00000001) == 0) {
				_t13 = 0xa;
			}
			/* WinMain-style argument list (hInstance, NULL, argument string, show command); the process exits with its return value. */
			ExitProcess(E010F1000(GetModuleHandleW(0), 0, _t17, _t13));
		}
		while(_t11 <= 0x20) {
			_t11 = _t17[1] & 0x0000ffff;
			_t17 =  &(_t17[1]);
			if(_t11 != 0) {
				continue;
			}
			goto L9;
		}
		goto L9;
	}
	/* Quoted program name: advance to the closing quote (0x22), then step past it. */
	_t16 = _t17[1] & 0x0000ffff;
	_t17 =  &(_t17[1]);
	if(_t16 == 0) {
		L4:
		if( *_t17 != 0x22) {
			goto L6;
		}
		L5:
		_t17 =  &(_t17[1]);
		goto L6;
	}
	while(_t16 != 0x22) {
		_t16 = _t17[1] & 0x0000ffff;
		_t17 =  &(_t17[1]);
		if(_t16 != 0) {
			continue;
		}
		goto L4;
	}
	goto L5;
}

                    APIs
                    • GetCommandLineW.KERNEL32 ref: 010F1027
                    • GetStartupInfoW.KERNEL32(?), ref: 010F1081
                    • GetModuleHandleW.KERNEL32(00000000,00000000,00000000,?), ref: 010F109C
                    • ExitProcess.KERNEL32 ref: 010F10A9
Memory Dump Source
• Source File: 00000000.00000002.349357899.00000000010F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 010F0000, based on PE: true
• Associated: 00000000.00000002.349338791.00000000010F0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.349361508.00000000010F2000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.349372344.00000000010F3000.00000002.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_10f0000_taskhostw.jbxd
                    Yara matches
                    Similarity
                    • API ID: CommandExitHandleInfoLineModuleProcessStartup
                    • String ID:
                    • API String ID: 2164999147-0
                    • Opcode ID: e2e2f9ec50882b0cb5afb8d8230b0091fd31be2460d4b6c498a01d483649c360
                    • Instruction ID: 43df74ef37c9ce48a7c60f816dd3035c29420035f0aeff2090c68b94d56f2342
                    • Opcode Fuzzy Hash: e2e2f9ec50882b0cb5afb8d8230b0091fd31be2460d4b6c498a01d483649c360
                    • Instruction Fuzzy Hash: E301C476D003A1D6EB706B98840737B76F5AF00341F54405DFFC9A3986E7B69881C3A5
                    Uniqueness

                    Uniqueness Score: -1.00%