Windows
Analysis Report
QHSgso4hXH.exe
Overview
General Information
Detection
Score: | 88 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w10x64
- QHSgso4hXH.exe (PID: 2840 cmdline: C:\Users\user\Desktop\QHSgso4hXH.exe MD5: 2F8DF206BA700503DBEBF59E937AF0EC)
  - ngentask.exe (PID: 3128 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)
    - cmd.exe (PID: 2148 cmdline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      - conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      - chcp.com (PID: 5432 cmdline: chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9)
      - PING.EXE (PID: 5416 cmdline: ping 127.0.0.1 MD5: 70C24A306F768936563ABDADB9CA9108)
      - schtasks.exe (PID: 5592 cmdline: schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
      - ngentask.exe (PID: 5788 cmdline: "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" MD5: ED7F195F7121781CC3D380942765B57D)
        - conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- ngentask.exe (PID: 4512 cmdline: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)
  - conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- ngentask.exe (PID: 5420 cmdline: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)
  - conhost.exe (PID: 4912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- ngentask.exe (PID: 684 cmdline: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)
  - conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | SUSP_XORed_Mozilla | Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key. | Florian Roth | |
 | SUSP_XORed_MSDOS_Stub_Message | Detects suspicious XORed MSDOS stub message | Florian Roth | |
- AV Detection
- Compliance
- Networking
- System Summary
- Data Obfuscation
- Persistence and Installation Behavior
- Boot Survival
- Hooking and other Techniques for Hiding and Protection
- Malware Analysis System Evasion
- Anti Debugging
- HIPS / PFW / Operating System Protection Evasion
- Language, Device and Operating System Detection
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | 1 Command and Scripting Interpreter | 11 Scheduled Task/Job | 311 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 11 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | 11 Scheduled Task/Job | 1 DLL Side-Loading | 11 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 2 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 3 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | 2 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 3 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 311 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Scheduled Transfer | 14 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 11 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 3 Software Packing | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 14 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 32% | ReversingLabs | | |
 | 34% | Virustotal | | Browse |
 | 100% | Joe Sandbox ML | | |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 0% | ReversingLabs | | |
 | 0% | Metadefender | | Browse |
Source | Detection | Scanner | Label | Link | Download |
---|---|---|---|---|---|
 | 100% | Avira | TR/ATRAPS.Gen | | Download File |
 | 100% | Avira | TR/ATRAPS.Gen | | Download File |
 | 100% | Avira | TR/ATRAPS.Gen | | Download File |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 0% | Avira URL Cloud | safe | |
 | 100% | Avira URL Cloud | malware | |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
imarket-eg.com | 160.153.50.70 | true | false | unknown | |
vxsljuxgekdpuv.307xvytdn0 | unknown | unknown | false | unknown | |
www.imarket-eg.com | unknown | unknown | false | unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | false | | unknown |
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
160.153.50.70 | imarket-eg.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | false |
IP |
---|
127.0.0.1 |
Joe Sandbox Version: | 36.0.0 Rainbow Opal |
Analysis ID: | 749056 |
Start date and time: | 2022-11-18 07:51:36 +01:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 41s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | QHSgso4hXH.exe |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of analysed new started processes analysed: | 24 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal88.troj.evad.winEXE@21/3@2/2 |
EGA Information: | |
HDC Information: | Failed |
HCA Information: | Failed |
Cookbook Comments: | |
- Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
- Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
- Execution Graph export aborted for target ngentask.exe, PID 3128 because it is empty
- Not all processes were analyzed, report is missing behavior information
- Report size exceeded maximum capacity and may have missing behavior information.
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtProtectVirtualMemory calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
07:52:54 | Task Scheduler |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 321 |
Entropy (8bit): | 5.355221377978991 |
Encrypted: | false |
SSDEEP: | 6:Q3La/xwchM3RJoDLIP12MUAvvR+uCqDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21v |
MD5: | 03C5BA5FCE7124B503EA65EF522177C3 |
SHA1: | F76B1F538D5EA66664355901E927B2F870ACCDD8 |
SHA-256: | 8128CE419BBE0419F1A0BDE97C3A14E3377C0184DC1D7AF61AA01AAB756B625B |
SHA-512: | 151A974DDABA852144EC4BC18C548227A32E5261736F186A3920F2497434AEE9DBB0E0AB77E0E52A84A9FBC4529A158882B7549763400DDC2082D384B1135141 |
Malicious: | false |
Preview: |
Process: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 85096 |
Entropy (8bit): | 6.068116381033184 |
Encrypted: | false |
SSDEEP: | 1536:vJ7xS0hlY2s+zFVNzXmGU8fnqGHcZEVjgGI:vfAR+z7Nmf8fqlZoK |
MD5: | ED7F195F7121781CC3D380942765B57D |
SHA1: | AEE93C4D84C2035C2FB20E4550672203FD209C60 |
SHA-256: | CA003ECD9A6CAAE17824816D1D869173510B2EB3C13F62E1A5615F1DA64F9676 |
SHA-512: | 15CEC9427A9311539F352F3034293157FAA5EC6AD0C7B9777474359C6770C8DF1EEE689C3E1478698C90D58C296251759913DC255A2D7141B26A8B1BAFEFB4EA |
Malicious: | true |
Antivirus: | |
Preview: |
Process: | C:\Users\user\Desktop\QHSgso4hXH.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 92160 |
Entropy (8bit): | 5.333658046180996 |
Encrypted: | false |
SSDEEP: | 1536:zrDVpcYyhR/mNhRPufA7E+k6CBbEXKv/tji21YFuGBXkNsMrFuGBXkNsM2KxPhXh:zrROHmNbPv7Ebtu2GFpBkNPrFpBkNP2c |
MD5: | D458D9192514B396EB8ED0354EBD93D0 |
SHA1: | BE508F92631C8532D7FEF5BA14B49C1AC22E72FB |
SHA-256: | 9062710822767EA3799FDD96221969724D9A27F45800F1E8598D27761E8F9631 |
SHA-512: | D76221B3885C18C7B7858AB16684B77E9E65FD47FCDC2441632544B6E90C6AB77C649795AD2FC147A9FDA8AF8B186927908E8F5DE1E416083D6F1150C618EBD0 |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 7.848246051600344 |
TrID: | |
File name: | QHSgso4hXH.exe |
File size: | 1138176 |
MD5: | 2f8df206ba700503dbebf59e937af0ec |
SHA1: | 7c36d57af94f2dd16a62c09356b4ef2c63e456fd |
SHA256: | 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7 |
SHA512: | 6fbb58b3e3046498c64ad659db07ecd28357c54d65d2f1cf00220ce1bbd4fa4693dbe2c0df607a801f5cf6757bd5327735448c3babecb997ec85e88049275a59 |
SSDEEP: | 24576:+JqzI2HEUvWMJsbHsoO0YTyllU3OWuA5aRn:+JrbG70Y4WFZ8Rn |
TLSH: | B435F16AF7C2513BE845F2780A5381B5B6B7E8509E202F637522EA1F2D72087DC5707E |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........."...q...q...q..lq...q..Yq...q..mq...q..Tq...q...q...q..hq...q..]q...q..Pq...q..Zq...qRich...q........................PE..L.. |
Icon Hash: | 6e61c9d46464f2d5 |
Entrypoint: | 0x40607a |
Entrypoint Section: | .text |
Digitally signed: | false |
Imagebase: | 0x400000 |
Subsystem: | windows gui |
Image File Characteristics: | RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | NX_COMPAT, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x637709BB [Fri Nov 18 04:27:39 2022 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 5 |
OS Version Minor: | 1 |
File Version Major: | 5 |
File Version Minor: | 1 |
Subsystem Version Major: | 5 |
Subsystem Version Minor: | 1 |
Import Hash: | 15e5ac4e63af04f3034d99698484adf1 |
Instruction |
---|
call 00007FBDC0E6447Ah |
jmp 00007FBDC0E60D1Eh |
mov edi, edi |
push ebp |
mov ebp, esp |
sub esp, 00000328h |
mov dword ptr [004F3F00h], eax |
mov dword ptr [004F3EFCh], ecx |
mov dword ptr [004F3EF8h], edx |
mov dword ptr [004F3EF4h], ebx |
mov dword ptr [004F3EF0h], esi |
mov dword ptr [004F3EECh], edi |
mov word ptr [004F3F18h], ss |
mov word ptr [004F3F0Ch], cs |
mov word ptr [004F3EE8h], ds |
mov word ptr [004F3EE4h], es |
mov word ptr [004F3EE0h], fs |
mov word ptr [004F3EDCh], gs |
pushfd |
pop dword ptr [004F3F10h] |
mov eax, dword ptr [ebp+00h] |
mov dword ptr [004F3F04h], eax |
mov eax, dword ptr [ebp+04h] |
mov dword ptr [004F3F08h], eax |
lea eax, dword ptr [ebp+08h] |
mov dword ptr [004F3F14h], eax |
mov eax, dword ptr [ebp-00000320h] |
mov dword ptr [004F3E50h], 00010001h |
mov eax, dword ptr [004F3F08h] |
mov dword ptr [004F3E04h], eax |
mov dword ptr [004F3DF8h], C0000409h |
mov dword ptr [004F3DFCh], 00000001h |
mov eax, dword ptr [004F3284h] |
mov dword ptr [ebp-00000328h], eax |
mov eax, dword ptr [004F3288h] |
mov dword ptr [ebp-00000324h], eax |
call dword ptr [0000008Ch] |
Programming Language: | |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf1dc4 | 0x50 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf7000 | 0x23c70 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0xf0000 | 0x158 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0xee6b8 | 0xee800 | False | 0.8445238797169812 | data | 7.8950275690936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0xf0000 | 0x254a | 0x2600 | False | 0.3405633223684211 | data | 4.93477861528342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0xf3000 | 0x31a4 | 0xe00 | False | 0.19921875 | data | 2.249537468379531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0xf7000 | 0x23c70 | 0x23e00 | False | 0.8160864002613241 | data | 7.279101888009963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
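The section table above is the static signal that this sample's code is not plain compiled code: .text has an 8-bit entropy of 7.895 and a ZLIB complexity of 0.84, against 4.93 and 0.34 for .rdata, and the section is marked executable. The script below is an added example, not part of the Joe Sandbox report or its tooling. It walks the PE section table with the standard library only, computes the same two measures per section, and flags executable sections above a threshold. The 7.0 bits/byte threshold, the reading of "ZLIB Complexity" as compressed-size divided by raw-size, and the embedded sample PE (a constructed fixture that is not loadable) are all assumptions of this example.

```python
"""Per-section entropy and compressibility for a PE file (stdlib only, added example)."""
import math
import random
import struct
import sys
import zlib
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_THRESHOLD = 7.0  # assumption: executable sections above ~7 bits/byte are packed or encrypted


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size (assumed to be what the report's 'ZLIB Complexity' column is)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def pe_sections(blob: bytes):
    """Yield (name, virtual_address, raw_bytes, characteristics) from the PE section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]          # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", blob, pe_off + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]   # COFF SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        name, _vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, table + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), va, blob[raw_ptr:raw_ptr + raw_size], chars


def section_report(blob: bytes):
    """List of (name, entropy, zlib_complexity, executable, packed) per section."""
    rows = []
    for name, _va, raw, chars in pe_sections(blob):
        ent = shannon_entropy(raw)
        execable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        rows.append((name, round(ent, 3), round(zlib_complexity(raw), 3),
                     execable, execable and ent > PACKED_THRESHOLD))
    return rows


def packed_code_sections(blob: bytes):
    """Names of executable sections whose raw bytes look packed or encrypted."""
    return [r[0] for r in section_report(blob) if r[4]]


def build_minimal_pe(sections):
    """Constructed fixture: DOS header + PE/COFF header + section table + bodies (not loadable)."""
    pe_off, opt_size, n = 0x40, 0, len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    cursor = pe_off + 24 + opt_size + 40 * n                    # bodies follow the section table
    headers, bodies = b"", b""
    for name, data, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"),
                               len(data), cursor, len(data), cursor, 0, 0, 0, 0, chars)
        bodies += data
        cursor += len(data)
    return dos + coff + headers + bodies


# Constructed sample: one pseudo-random (packed-looking) code section, one all-zero data section.
_rng = random.Random(2022)
SAMPLE_PE = build_minimal_pe([
    (b".text", bytes(_rng.getrandbits(8) for _ in range(4096)), 0x60000020),  # CODE|EXECUTE|READ
    (b".data", b"\0" * 4096, 0xC0000040),                                      # INIT_DATA|READ|WRITE
])

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for name, ent, cx, execable, packed in section_report(blob):
        print(f"{name:8} entropy={ent:.3f} zlib={cx:.3f} exec={execable} packed={packed}")
```

Run it with the sample path as the only argument to reproduce the per-section numbers; without an argument it runs on the constructed fixture. Entropy alone does not distinguish compression from encryption, and a high-entropy resource section (as with the PNG icon in .rsrc here) is normal, which is why only executable sections are flagged.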
Name | RVA | Size | Type | Language | Country |
---|---|---|---|---|---|
RT_ICON | 0xf7400 | 0x18084 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Portuguese | Brazil |
RT_ICON | 0x10f488 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | Portuguese | Brazil |
RT_ICON | 0x1136b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Portuguese | Brazil |
RT_ICON | 0x115c58 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | Portuguese | Brazil |
RT_ICON | 0x116b00 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | Portuguese | Brazil |
RT_ICON | 0x117168 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Portuguese | Brazil |
RT_ICON | 0x118210 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | Portuguese | Brazil |
RT_ICON | 0x118ab8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Portuguese | Brazil |
RT_ICON | 0x118da0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Portuguese | Brazil |
RT_ICON | 0x119728 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576 | Portuguese | Brazil |
RT_ICON | 0x119df0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | Portuguese | Brazil |
RT_ICON | 0x119fd8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Portuguese | Brazil |
RT_ICON | 0x11a440 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | Portuguese | Brazil |
RT_ICON | 0x11a9a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Portuguese | Brazil |
RT_MENU | 0x11aba0 | 0x48 | Matlab v4 mat-file (little endian) C, numeric, rows 5636240, columns 7077985, imaginary | Portuguese | Brazil |
RT_MENU | 0x11abe8 | 0x6c | data | Portuguese | Brazil |
RT_ACCELERATOR | 0x11ac58 | 0x8 | data | Portuguese | Brazil |
RT_ACCELERATOR | 0x11ac60 | 0x10 | data | Portuguese | Brazil |
RT_GROUP_ICON | 0x11aad0 | 0xca | Targa image data - Map 32 x 32900 x 1 +1 | Portuguese | Brazil |
DLL | Import |
---|---|
KERNEL32.dll | CreateFileW, lstrcmpiW, HeapSize, WriteConsoleW, SetStdHandle, IsProcessorFeaturePresent, FlushFileBuffers, GetDiskFreeSpaceW, GetProcAddress, GetLastError, lstrcmpW, LoadLibraryW, CloseHandle, GlobalAlloc, MultiByteToWideChar, MoveFileA, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, DeleteFileA, HeapReAlloc, GetCommandLineW, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, DecodePointer, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, ExitProcess, WriteFile, GetModuleFileNameW, HeapCreate, Sleep, HeapFree, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, WideCharToMultiByte, LCMapStringW, GetStringTypeW, SetFilePointer, GetConsoleCP, GetConsoleMode, RtlUnwind |
USER32.dll | GetMessageW, LoadCursorW, GetDC, TranslateMessage, LoadIconW, ShowWindow, CreateWindowExW, RegisterClassW, DispatchMessageW |
GDI32.dll | CreateFontW, ChoosePixelFormat, SetPixelFormat, GetStockObject, CreateSolidBrush, DeleteObject |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
Portuguese | Brazil | |
- Total Packets: 30
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 18, 2022 07:52:44.552045107 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:44.552134037 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:44.552263975 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:44.607594967 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:44.607652903 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:45.107064962 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:45.107203960 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:45.531378984 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:45.531441927 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:45.532157898 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:45.532262087 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:45.536410093 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:45.536426067 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.669153929 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.669244051 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.669364929 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.669424057 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.669467926 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.669487953 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.831084013 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.831202984 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.831209898 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.831233978 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.831283092 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.831288099 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.831312895 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.831322908 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.831348896 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.831372976 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.831379890 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.831424952 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.993324995 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.993482113 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.993555069 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.993590117 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.993628025 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.993664026 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.993762970 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.993833065 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.993840933 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.993885040 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.994016886 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.994083881 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.994091988 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.994137049 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.994291067 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.994364977 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:47.994373083 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:47.994420052 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:48.156018972 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:48.156172991 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Nov 18, 2022 07:52:48.156321049 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:48.156404972 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:48.173702002 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70 |
Nov 18, 2022 07:52:48.173732042 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Nov 18, 2022 07:52:42.022449970 CET | 53107 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 18, 2022 07:52:42.040594101 CET | 53 | 53107 | 8.8.8.8 | 192.168.2.6 |
Nov 18, 2022 07:52:44.477853060 CET | 64601 | 53 | 192.168.2.6 | 8.8.8.8 |
Nov 18, 2022 07:52:44.497093916 CET | 53 | 64601 | 8.8.8.8 | 192.168.2.6 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Nov 18, 2022 07:52:42.022449970 CET | 192.168.2.6 | 8.8.8.8 | 0xd30b | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Nov 18, 2022 07:52:44.477853060 CET | 192.168.2.6 | 8.8.8.8 | 0x1cd7 | Standard query (0) | | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Nov 18, 2022 07:52:42.040594101 CET | 8.8.8.8 | 192.168.2.6 | 0xd30b | Name error (3) | | none | none | A (IP address) | IN (0x0001) | false |
Nov 18, 2022 07:52:44.497093916 CET | 8.8.8.8 | 192.168.2.6 | 0x1cd7 | No error (0) | | imarket-eg.com | | CNAME (Canonical name) | IN (0x0001) | false |
Nov 18, 2022 07:52:44.497093916 CET | 8.8.8.8 | 192.168.2.6 | 0x1cd7 | No error (0) | | | 160.153.50.70 | A (IP address) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 07:52:34 |
Start date: | 18/11/2022 |
Path: | C:\Users\user\Desktop\QHSgso4hXH.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 1138176 bytes |
MD5 hash: | 2F8DF206BA700503DBEBF59E937AF0EC |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Yara matches: | |
Reputation: | low |
Target ID: | 1 |
Start time: | 07:52:43 |
Start date: | 18/11/2022 |
Path: | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xae0000 |
File size: | 85096 bytes |
MD5 hash: | ED7F195F7121781CC3D380942765B57D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Reputation: | moderate |
Target ID: | 2 |
Start time: | 07:52:45 |
Start date: | 18/11/2022 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1b0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 3 |
Start time: | 07:52:45 |
Start date: | 18/11/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6da640000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 4 |
Start time: | 07:52:45 |
Start date: | 18/11/2022 |
Path: | C:\Windows\SysWOW64\chcp.com |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1b0000 |
File size: | 12800 bytes |
MD5 hash: | 561054CF9C4B2897E80D7E7D9027FED9 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Target ID: | 5 |
Start time: | 07:52:45 |
Start date: | 18/11/2022 |
Path: | C:\Windows\SysWOW64\PING.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x13e0000 |
File size: | 18944 bytes |
MD5 hash: | 70C24A306F768936563ABDADB9CA9108 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 7 |
Start time: | 07:52:52 |
Start date: | 18/11/2022 |
Path: | C:\Windows\SysWOW64\schtasks.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x950000 |
File size: | 185856 bytes |
MD5 hash: | 15FF7D8324231381BAD48A052F85DF04 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Target ID: | 8 |
Start time: | 07:52:53 |
Start date: | 18/11/2022 |
Path: | C:\Users\user\AppData\Local\ServiceHub\ngentask.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6d0000 |
File size: | 85096 bytes |
MD5 hash: | ED7F195F7121781CC3D380942765B57D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Antivirus matches: | |
Reputation: | moderate |
Target ID: | 9 |
Start time: | 07:52:53 |
Start date: | 18/11/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6da640000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 11 |
Start time: | 07:52:55 |
Start date: | 18/11/2022 |
Path: | C:\Users\user\AppData\Local\ServiceHub\ngentask.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x6d0000 |
File size: | 85096 bytes |
MD5 hash: | ED7F195F7121781CC3D380942765B57D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Target ID: | 13 |
Start time: | 07:52:55 |
Start date: | 18/11/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6da640000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 18 |
Start time: | 07:53:01 |
Start date: | 18/11/2022 |
Path: | C:\Users\user\AppData\Local\ServiceHub\ngentask.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x580000 |
File size: | 85096 bytes |
MD5 hash: | ED7F195F7121781CC3D380942765B57D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Target ID: | 19 |
Start time: | 07:53:02 |
Start date: | 18/11/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6da640000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Target ID: | 22 |
Start time: | 07:54:00 |
Start date: | 18/11/2022 |
Path: | C:\Users\user\AppData\Local\ServiceHub\ngentask.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xd60000 |
File size: | 85096 bytes |
MD5 hash: | ED7F195F7121781CC3D380942765B57D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | .Net C# or VB.NET |
Target ID: | 23 |
Start time: | 07:54:01 |
Start date: | 18/11/2022 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6da640000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
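The process list above shows one 85096-byte .NET binary (MD5 ED7F195F7121781CC3D380942765B57D) started first from C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe and then four times in just over a minute from C:\Users\user\AppData\Local\ServiceHub\ngentask.exe, a user-writable directory, with a schtasks.exe start in between. The detection logic below is an added example, not part of the Joe Sandbox report. It runs over process-start events and flags three things: a .NET Framework tool name outside the framework roots, the same image hash started from more than one location, and burst starts of one path. The framework roots, the watched file names, the burst thresholds and the helper names are assumptions of this example; the event list is constructed from the start times, paths and hashes in the process list above.

```python
"""Detection over process-start events (added example): a .NET Framework tool name started
from a non-framework path, the same hash seen at several paths, and repeated starts of one path."""
import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions (not from the report): where the genuine tools live and which names to watch.
FRAMEWORK_ROOTS = ("c:\\windows\\microsoft.net\\framework\\",
                   "c:\\windows\\microsoft.net\\framework64\\")
FRAMEWORK_ONLY_NAMES = {"ngentask.exe", "ngen.exe", "mscorsvw.exe"}
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=2)   # assumed thresholds for scheduled-task churn


@dataclass(frozen=True)
class ProcStart:
    started: datetime
    path: str
    md5: str


def is_masquerade(path: str) -> bool:
    """Framework-only image name, but the directory is not one of the framework roots."""
    low = path.lower()
    return ntpath.basename(low) in FRAMEWORK_ONLY_NAMES and not low.startswith(FRAMEWORK_ROOTS)


def repeated_starts(events, min_count=BURST_COUNT, window=BURST_WINDOW):
    """Lowercase paths started at least min_count times inside any sliding time window."""
    by_path = {}
    for e in events:
        by_path.setdefault(e.path.lower(), []).append(e.started)
    hits = []
    for path, times in by_path.items():
        times.sort()
        # min_count starts fall in one window iff some run of min_count consecutive starts does
        for i in range(len(times) - min_count + 1):
            if times[i + min_count - 1] - times[i] <= window:
                hits.append(path)
                break
    return hits


def alerts(events):
    """Map lowercase path -> sorted list of reasons, only for paths with at least one reason."""
    repeated = set(repeated_starts(events))
    paths_by_hash = {}
    for e in events:
        paths_by_hash.setdefault(e.md5.upper(), set()).add(e.path.lower())
    out = {}
    for e in events:
        p = e.path.lower()
        reasons = out.setdefault(p, set())
        if is_masquerade(p):
            reasons.add("framework tool name outside a framework root")
        if p in repeated:
            reasons.add(f"started {BURST_COUNT}+ times within {int(BURST_WINDOW.total_seconds())}s")
        elsewhere = paths_by_hash[e.md5.upper()] - {p}
        if elsewhere and ntpath.basename(p) in FRAMEWORK_ONLY_NAMES:
            reasons.add("identical hash also started from " + ", ".join(sorted(elsewhere)))
    return {p: sorted(r) for p, r in out.items() if r}


def _t(hms: str) -> datetime:
    return datetime(2022, 11, 18, *map(int, hms.split(":")))


# Constructed from the start times, paths and MD5 hashes in the process list of this report.
NGEN_FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
NGEN_USER = r"C:\Users\user\AppData\Local\ServiceHub\ngentask.exe"
NGEN_MD5 = "ED7F195F7121781CC3D380942765B57D"
EVENTS = [
    ProcStart(_t("07:52:34"), r"C:\Users\user\Desktop\QHSgso4hXH.exe", "2F8DF206BA700503DBEBF59E937AF0EC"),
    ProcStart(_t("07:52:43"), NGEN_FW, NGEN_MD5),
    ProcStart(_t("07:52:45"), r"C:\Windows\SysWOW64\cmd.exe", "F3BDBE3BB6F734E357235F4D5898582D"),
    ProcStart(_t("07:52:52"), r"C:\Windows\SysWOW64\schtasks.exe", "15FF7D8324231381BAD48A052F85DF04"),
    ProcStart(_t("07:52:53"), NGEN_USER, NGEN_MD5),
    ProcStart(_t("07:52:55"), NGEN_USER, NGEN_MD5),
    ProcStart(_t("07:53:01"), NGEN_USER, NGEN_MD5),
    ProcStart(_t("07:54:00"), NGEN_USER, NGEN_MD5),
]

if __name__ == "__main__":
    for path, reasons in alerts(EVENTS).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the constructed events only the two ngentask.exe paths produce alerts: the AppData copy for all three reasons, the framework-directory copy only because its hash is shared with the AppData copy. That second reason is the useful one for triage, since a path check alone would accept the copy dropped into the framework directory; on a live host the follow-up is to verify the framework file's Authenticode signature rather than trust its location.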