Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 25, 2021, 9:30 a.m.	June 25, 2021, 9:36 a.m.

Size	1.5MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`13511a7a45e3fa0b250a85484ce97150`
SHA256	`d40dcb67d0b0315c599e6cf70aea9c9e509bc0fd9d85c6524f760554143e568d`
CRC32	`6A48791E`
ssdeep	`24576:PFOaaDnb3rDqeA6l37WdGJLG0vZQSq8PEHRxkg/48TH9xbnM8c9ITMrWg:tKr2f6l3pJrvZfM0gwY1AiTy`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

so2game.exe "C:\Users\test22\AppData\Local\Temp\so2game.exe"
3532
- icsys.icn.exe C:\Windows\Resources\Themes\icsys.icn.exe
  5980
  - explorer.exe c:\windows\resources\themes\explorer.exe
    4716
    - spoolsv.exe c:\windows\resources\spoolsv.exe SE
      1160
      - svchost.exe c:\windows\resources\svchost.exe
        5888
        
        spoolsv.exe c:\windows\resources\spoolsv.exe PR
        8704
        
        schtasks.exe schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:32 /f
        8868
        
        schtasks.exe schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:37 /f
        296
    - explorer.exe C:\Windows\Explorer.exe
      8740

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW June 25, 2021, 9:30 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW June 25, 2021, 9:35 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 25, 2021, 9:30 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 25, 2021, 9:30 a.m.	buffer: SUCCESS: The scheduled task "svchost" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleW June 25, 2021, 9:35 a.m.	buffer: SUCCESS: The scheduled task "svchost" has successfully been created. console_handle: 0x00000007	1	1	0

One or more processes crashed (23 events)

Time & API	Arguments	Status
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636540 registers.edi: 5785216 registers.eax: 1636540 registers.ebp: 1636620 registers.edx: 0 registers.ebx: 5785216 registers.esi: 5785216 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636540 registers.edi: 8930872 registers.eax: 1636540 registers.ebp: 1636620 registers.edx: 0 registers.ebx: 8930872 registers.esi: 8930872 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636256 registers.edi: 5654072 registers.eax: 1636256 registers.ebp: 1636336 registers.edx: 0 registers.ebx: 5654072 registers.esi: 5654072 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1635956 registers.edi: 5654072 registers.eax: 1635956 registers.ebp: 1636036 registers.edx: 0 registers.ebx: 5654072 registers.esi: 5654072 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636256 registers.edi: 5654072 registers.eax: 1636256 registers.ebp: 1636336 registers.edx: 0 registers.ebx: 5654072 registers.esi: 5654072 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1635956 registers.edi: 5654072 registers.eax: 1635956 registers.ebp: 1636036 registers.edx: 0 registers.ebx: 5654072 registers.esi: 5654072 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636256 registers.edi: 5654072 registers.eax: 1636256 registers.ebp: 1636336 registers.edx: 0 registers.ebx: 5654072 registers.esi: 5654072 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1635956 registers.edi: 5654072 registers.eax: 1635956 registers.ebp: 1636036 registers.edx: 0 registers.ebx: 5654072 registers.esi: 5654072 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636256 registers.edi: 5654072 registers.eax: 1636256 registers.ebp: 1636336 registers.edx: 0 registers.ebx: 5654072 registers.esi: 5654072 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1635956 registers.edi: 5654072 registers.eax: 1635956 registers.ebp: 1636036 registers.edx: 0 registers.ebx: 5654072 registers.esi: 5654072 registers.ecx: 2	1
__exception__ June 25, 2021, 9:31 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1633600 registers.edi: 5654072 registers.eax: 1633600 registers.ebp: 1633680 registers.edx: 0 registers.ebx: 5654072 registers.esi: 5654072 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636540 registers.edi: 8832872 registers.eax: 1636540 registers.ebp: 1636620 registers.edx: 0 registers.ebx: 8832872 registers.esi: 8832872 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636256 registers.edi: 5380944 registers.eax: 1636256 registers.ebp: 1636336 registers.edx: 0 registers.ebx: 5380944 registers.esi: 5380944 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1635956 registers.edi: 5380944 registers.eax: 1635956 registers.ebp: 1636036 registers.edx: 0 registers.ebx: 5380944 registers.esi: 5380944 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636256 registers.edi: 5380944 registers.eax: 1636256 registers.ebp: 1636336 registers.edx: 0 registers.ebx: 5380944 registers.esi: 5380944 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1635956 registers.edi: 5380944 registers.eax: 1635956 registers.ebp: 1636036 registers.edx: 0 registers.ebx: 5380944 registers.esi: 5380944 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636256 registers.edi: 5380944 registers.eax: 1636256 registers.ebp: 1636336 registers.edx: 0 registers.ebx: 5380944 registers.esi: 5380944 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1635956 registers.edi: 5380944 registers.eax: 1635956 registers.ebp: 1636036 registers.edx: 0 registers.ebx: 5380944 registers.esi: 5380944 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636256 registers.edi: 5380944 registers.eax: 1636256 registers.ebp: 1636336 registers.edx: 0 registers.ebx: 5380944 registers.esi: 5380944 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1635956 registers.edi: 5380944 registers.eax: 1635956 registers.ebp: 1636036 registers.edx: 0 registers.ebx: 5380944 registers.esi: 5380944 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: DispCallFunc+0xa6 LHashValOfNameSysA-0x1b30 oleaut32+0x13e75 @ 0x767b3e75 __vbaAptOffset+0x68b TipInvokeMethod2-0x1ee1 msvbvm60+0xd6ef5 @ 0x72a16ef5 BASIC_CLASS_Invoke+0x65 Zombie_GetTypeInfo-0x10a5 msvbvm60+0xca1b4 @ 0x72a0a1b4 IID_IVbaHost+0x3b26c UserDllMain-0x2a04b msvbvm60+0x698ac @ 0x729a98ac TipInvokeMethod+0x3b6 __vbaCheckType-0x35d msvbvm60+0xd92ac @ 0x72a192ac __vbaVarSub+0x15c __vbaLateIdCallLd-0x11df msvbvm60+0x107946 @ 0x72a47946 __vbaLateIdCallLd+0x1a __vbaLateIdSt-0x5 msvbvm60+0x108b3f @ 0x72a48b3f svchost+0xce84 @ 0x40ce84 svchost+0xca18 @ 0x40ca18 svchost+0xe229 @ 0x40e229 DispCallFunc+0xa6 LHashValOfNameSysA-0x1b30 oleaut32+0x13e75 @ 0x767b3e75 __vbaAptOffset+0x68b TipInvokeMethod2-0x1ee1 msvbvm60+0xd6ef5 @ 0x72a16ef5 BASIC_DISPINTERFACE_GetTypeInfo+0x2aa EVENT_SINK_QueryInterface-0xa msvbvm60+0xc9a7b @ 0x72a09a7b EVENT_SINK_Invoke+0x50 BASIC_CLASS_GetIDsOfNames-0x487 msvbvm60+0xc9c2c @ 0x72a09c2c QueryPathOfRegTypeLib+0x845 VarI4FromI8-0x104 oleaut32+0x33d60 @ 0x767d3d60 DllGetClassObject+0xfe3 VarBstrCmp-0x2310 oleaut32+0xd5a8 @ 0x767ad5a8 NdrUnmarshallBasetypeInline+0x74 NdrAsyncClientCall-0x148 rpcrt4+0xb0966 @ 0x74de0966 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x74bfd7e6 VarMonthName+0xefa OleLoadPicturePath-0x126b7 oleaut32+0x532cf @ 0x767f32cf WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x74bfd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x74bfddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74b18a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74b18938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x74b1950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x74bfdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x74bfdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x74bfe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74b19367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74b19326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4 DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x755b7bca __vbaStrToAnsi+0x2f1 EbGetObjConnectionCounts-0x479 msvbvm60+0xa6c8 @ 0x7294a6c8 __vbaStrToAnsi+0x268 EbGetObjConnectionCounts-0x502 msvbvm60+0xa63f @ 0x7294a63f __vbaStrToAnsi+0x146 EbGetObjConnectionCounts-0x624 msvbvm60+0xa51d @ 0x7294a51d exception.instruction_r: 8b 08 8d 55 d8 52 50 ff 91 94 00 00 00 db e2 3b exception.symbol: svchost+0xe2c5 exception.instruction: mov ecx, dword ptr [eax] exception.module: svchost.exe exception.exception_code: 0xc0000005 exception.offset: 58053 exception.address: 0x40e2c5 registers.esp: 1627376 registers.edi: 0 registers.eax: 0 registers.ebp: 1627456 registers.edx: 1627420 registers.ebx: 4309060 registers.esi: 0 registers.ecx: 1627420	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1625416 registers.edi: 5380944 registers.eax: 1625416 registers.ebp: 1625496 registers.edx: 0 registers.ebx: 5380944 registers.esi: 5380944 registers.ecx: 2	1
__exception__ June 25, 2021, 9:30 a.m.	stacktrace: EbGetHandleOfExecutingProject+0x22b3 rtcPackDate-0xba9 msvbvm60+0xd0dcf @ 0x72a10dcf rtcDoEvents+0x131 __vbaError-0x626 msvbvm60+0xce228 @ 0x72a0e228 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc000008f exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 1636540 registers.edi: 5970768 registers.eax: 1636540 registers.ebp: 1636620 registers.edx: 0 registers.ebx: 5970768 registers.esi: 5970768 registers.ecx: 2	1

Allocates read-write-execute memory (usually to unpack itself) (6 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 5980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 4716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 1160 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 5888 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 8704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

svchost.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Creates executable files on the filesystem (4 events)

file	c:\Windows\resources\svchost.exe
file	C:\Windows\Resources\Themes\icsys.icn.exe
file	c:\Windows\resources\Themes\explorer.exe
file	c:\Windows\resources\spoolsv.exe

Creates a suspicious process (3 events)

cmdline	schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:37 /f
cmdline	schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:32 /f
cmdline	c:\windows\resources\svchost.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (21 events)

Time & API	Arguments	Status	Return
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000120 process_name: pw.exe process_identifier: 7624	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000120 process_name: cmd.exe process_identifier: 7680	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000120 process_name: conhost.exe process_identifier: 5292	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000120 process_name: pw.exe process_identifier: 3872	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000120 process_name: so2game.exe process_identifier: 3532	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000120 process_name: icsys.icn.exe process_identifier: 5980	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000afc process_name: spoolsv.exe process_identifier: 1160	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000afc process_name: svchost.exe process_identifier: 5888	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000afc process_name: spoolsv.exe process_identifier: 8704	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000b94 process_name: explorer.exe process_identifier: 8740	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000c38 process_name: cmd.exe process_identifier: 7316	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000c38 process_name: conhost.exe process_identifier: 6444	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000c38 process_name: pw.exe process_identifier: 7076	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000c38 process_name: dllhost.exe process_identifier: 9100	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000cd8 process_name: inject-x86.exe process_identifier: 6324	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000e20 process_name: inject-x86.exe process_identifier: 7000	1	1
Process32NextW June 25, 2021, 9:32 a.m.	snapshot_handle: 0x00000fcc process_name: cmd.exe process_identifier: 6512	1	1
Process32NextW June 25, 2021, 9:32 a.m.	snapshot_handle: 0x00000fcc process_name: pw.exe process_identifier: 2164	1	1
Process32NextW June 25, 2021, 9:30 a.m.	snapshot_handle: 0x00000b38 process_name: conhost.exe process_identifier: 6696	1	1
Process32NextW June 25, 2021, 9:32 a.m.	snapshot_handle: 0x00000b1c process_name: schtasks.exe process_identifier: 296	1	1
Process32NextW June 25, 2021, 9:32 a.m.	snapshot_handle: 0x00000b1c process_name: conhost.exe process_identifier: 2308	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 25, 2021, 9:30 a.m.	process_identifier: 3532 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 24576 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x00500000 process_handle: 0xffffffff	1	0	0

Yara rule detected in process memory (50 out of 608 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vba
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Communications over FTP	rule	Network_FTP
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Steal credential	rule	local_credential_Steal
description	Take ScreenShot	rule	ScreenShot
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:37 /f
cmdline	schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:32 /f

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Installs itself for autorun at Windows startup (8 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer	reg_value	c:\windows\resources\themes\explorer.exe RO
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost	reg_value	c:\windows\resources\svchost.exe RO
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer	reg_value	c:\windows\resources\themes\explorer.exe RO
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost	reg_value	c:\windows\resources\svchost.exe RO
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer	reg_value	c:\windows\resources\themes\explorer.exe RO
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost	reg_value	c:\windows\resources\svchost.exe RO
cmdline	schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:37 /f
cmdline	schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 15:32 /f

Expresses interest in specific running processes (2 events)

process: potential process injection target	svchost.exe
process: potential process injection target	explorer.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (20 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 4716 resumed a thread in remote process 5888
Process injection	Process 5888 resumed a thread in remote process 4716
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x00000c34 suspend_count: 0 process_identifier: 5888	1	0	0
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x00000cc4 suspend_count: 0 process_identifier: 5888	1	0	0
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x00000d64 suspend_count: 0 process_identifier: 5888	1	0	0
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x00000e08 suspend_count: 0 process_identifier: 5888	1	0	0
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x00000eac suspend_count: 0 process_identifier: 5888	1	0	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000f3c suspend_count: 0 process_identifier: 5888	1	0	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000fc8 suspend_count: 0 process_identifier: 5888	1	0	0
NtResumeThread June 25, 2021, 9:32 a.m.	thread_handle: 0x00001050 suspend_count: 0 process_identifier: 5888	1	0	0
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x00000bcc suspend_count: 0 process_identifier: 4716	1	0	0
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x00000c6c suspend_count: 0 process_identifier: 4716	1	0	0
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x00000d0c suspend_count: 0 process_identifier: 4716	1	0	0
NtResumeThread June 25, 2021, 9:30 a.m.	thread_handle: 0x00000dac suspend_count: 0 process_identifier: 4716	1	0	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000e4c suspend_count: 0 process_identifier: 4716	1	0	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000ed8 suspend_count: 0 process_identifier: 4716	1	0	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000f64 suspend_count: 0 process_identifier: 4716	1	0	0
NtResumeThread June 25, 2021, 9:31 a.m.	thread_handle: 0x00000ff0 suspend_count: 0 process_identifier: 4716	1	0	0
NtResumeThread June 25, 2021, 9:32 a.m.	thread_handle: 0x00001070 suspend_count: 0 process_identifier: 4716	1	0	0
NtResumeThread June 25, 2021, 9:32 a.m.	thread_handle: 0x000010f8 suspend_count: 0 process_identifier: 4716	1	0	0

Attempts to modify Explorer settings to prevent hidden files from being displayed (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

Stops Windows services (2 events)

service	Schedule (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Schedule\Start)
service	SharedAccess (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Start)

so2game.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All