Summary | ZeroBOX

AzQcBgcWyFzwiyxiYMiwahvAS65uNb

Category FILE
Machine s1_win7_x6402
Started April 2, 2021, 10:34 a.m.
Completed April 2, 2021, 10:52 a.m.
Size 224.1KB
Type Rich Text Format data, version 1, unknown character set
MD5 a4389b334e80bd96442138b2dd196209
SHA256 c3b5503a0a89fd2eae9a77ff92eef69f08d68b963140b0a31721bb4960545e07
CRC32 EE588C25
ssdeep 1536:+r4DOTg8X0t9yOo6SnDsxI2+6VkoZoOfRb9JmkjJydLksx0ChndVXDke/zmCOcmY:+cDh8OMgoIXmCkpF0SjzPmKUqZBZTw2
Yara None matched

Name Response Post-Analysis Lookup
newtw2016.kr44.78host.com (no response recorded)
IP Address Status Action
164.124.101.2 Active Moloch
172.217.25.14 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated
GetComputerNameW computer_name: TEST22-PC 1 1 0 (4 identical calls)
Time & API Arguments Status Return Repeated
WriteConsoleW buffer: ERROR: console_handle: 0x0000000b 1 1 0
WriteConsoleW buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b 1 1 0
WriteConsoleW buffer: The operation completed successfully. console_handle: 0x00000007 1 1 0
WriteConsoleW buffer: ERROR: console_handle: 0x0000000b 1 1 0
WriteConsoleW buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b 1 1 0
(This is the console output of the reg.exe children listed further down, errors on handle 0x0b and the success message on handle 0x07: of the three "reg delete ...\Word\Resiliency" commands, two reported the key as missing and one succeeded.)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID
Time & API Arguments Status Return Repeated
(Every row below has protection 64 (PAGE_EXECUTE_READWRITE), process_handle 0xffffffff (the calling process itself), stack_dep_bypass 0, Status 1, Return 0, Repeated 0. size is `length` for NtProtectVirtualMemory and `region_size` for NtAllocateVirtualMemory. The flags column lists the monitor's exploit annotations when they are non-zero.)

API PID base_address size allocation_type flags
NtProtectVirtualMemory 7388 0x06cc1000 4096 - -
NtProtectVirtualMemory 7388 0x743c1000 4096 - -
NtAllocateVirtualMemory 7388 0x064f0000 4096 4096 (MEM_COMMIT) -
NtAllocateVirtualMemory 7388 0x064f0000 4096 4096 (MEM_COMMIT) -
NtAllocateVirtualMemory 7388 0x06500000 4096 4096 (MEM_COMMIT) -
NtAllocateVirtualMemory 7388 0x06510000 4096 4096 (MEM_COMMIT) -
NtProtectVirtualMemory 7388 0x70731000 4096 - -
NtProtectVirtualMemory 7388 0x70734000 4096 - -
NtProtectVirtualMemory 7388 0x507c1000 4096 - -
NtProtectVirtualMemory 7388 0x7c38a000 4096 - stack_pivoted: 1
NtAllocateVirtualMemory 7388 0x07630000 5242880 12288 (MEM_COMMIT|MEM_RESERVE) -
NtProtectVirtualMemory 5192 0x73772000 4096 - -
NtProtectVirtualMemory 4384 0x2f241000 4096 - -
NtProtectVirtualMemory 4384 0x64ac1000 8192 - -
NtProtectVirtualMemory 4384 0x6f4c1000 4096 - -
NtProtectVirtualMemory 4384 0x6f5de000 4096 - -
NtProtectVirtualMemory 4384 0x64d0e000 4096 - -
NtProtectVirtualMemory 4384 0x63aa1000 8192 - -
NtProtectVirtualMemory 4384 0x6400a000 4096 - -
NtProtectVirtualMemory 4384 0x75738000 4096 - -
NtProtectVirtualMemory 4384 0x71fc1000 4096 - -
NtProtectVirtualMemory 4384 0x71fc1000 4096 - -
NtProtectVirtualMemory 4384 0x73ef1000 4096 - -
NtProtectVirtualMemory 4384 0x73771000 4096 - -
NtProtectVirtualMemory 4384 0x73772000 4096 - -
NtProtectVirtualMemory 4384 0x74491000 4096 - -
NtAllocateVirtualMemory 4384 0x02a70000 524288 8192 (MEM_RESERVE) -
NtAllocateVirtualMemory 4384 0x02ab0000 4096 4096 (MEM_COMMIT) heap_dep_bypass: 1
NtProtectVirtualMemory 4384 0x73852000 4096 - -
NtAllocateVirtualMemory 4384 0x02b60000 589824 8192 (MEM_RESERVE) -
NtAllocateVirtualMemory 4384 0x02bb0000 4096 4096 (MEM_COMMIT) heap_dep_bypass: 1
NtProtectVirtualMemory 4384 0x73c71000 4096 - -
NtAllocateVirtualMemory 4384 0x02a80000 4096 4096 (MEM_COMMIT) -
NtAllocateVirtualMemory 4384 0x02a80000 4096 4096 (MEM_COMMIT) -
NtProtectVirtualMemory 4384 0x72971000 4096 - -
NtProtectVirtualMemory 4384 0x6ed51000 4096 - -
NtProtectVirtualMemory 4384 0x6edaf000 4096 - -
NtProtectVirtualMemory 4384 0x6edaf000 4096 - -
NtProtectVirtualMemory 4384 0x73db1000 4096 - -
NtProtectVirtualMemory 4384 0x73361000 4096 - -
NtProtectVirtualMemory 4384 0x73711000 4096 - -
NtProtectVirtualMemory 4384 0x66e51000 4096 - -
NtProtectVirtualMemory 4384 0x66ab1000 4096 - -
NtProtectVirtualMemory 4384 0x66a91000 4096 - -
NtProtectVirtualMemory 4384 0x66a71000 4096 - -
NtProtectVirtualMemory 4384 0x70731000 4096 - -
NtProtectVirtualMemory 4384 0x70734000 4096 - -
NtProtectVirtualMemory 4384 0x743c1000 4096 - -
NtAllocateVirtualMemory 4384 0x06a40000 4096 4096 (MEM_COMMIT) -
NtAllocateVirtualMemory 4384 0x06a40000 4096 4096 (MEM_COMMIT) -
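Reading fifty PAGE_EXECUTE_READWRITE calls by hand buries the few records that matter in the list above: the NtProtectVirtualMemory call in PID 7388 flagged stack_pivoted: 1 at 0x7c38a000 (the monitor saw the call made with the stack pointer outside the thread's stack, which is what a ROP chain looks like from the hook), the 5 MB RWX commit at 0x07630000 in the same process, and the two heap_dep_bypass: 1 commits in PID 4384. The script below is an added example and not part of the ZeroBOX report: it parses records in the page's own layout (three records copied from the list above, blank lines dropped) and reduces them to per-PID exploit indicators. The 1 MB threshold for calling an RWX allocation "large" is an assumption chosen for this example.

```python
import re
from collections import defaultdict

# Three records copied from the report's memory table (blank lines dropped).
SAMPLE_LOG = """\
NtProtectVirtualMemory
process_identifier: 7388
stack_dep_bypass: 0
stack_pivoted: 1
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7c38a000
process_handle: 0xffffffff
1 0 0
NtAllocateVirtualMemory
process_identifier: 7388
region_size: 5242880
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x07630000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
NtAllocateVirtualMemory
process_identifier: 4384
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ab0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
"""

KV_RE = re.compile(r"^(\w+): (.*)$")          # argument line
STATUS_RE = re.compile(r"^(\d+) (\d+) (\d+)$")  # "success return repeated" closes a record
API_RE = re.compile(r"^[A-Za-z]\w*$")          # bare API name opens a record


def parse_api_log(text):
    """Flattened report text -> list of dicts, one per API call."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if (m := STATUS_RE.match(line)) and cur is not None:
            cur["success"], cur["return"], cur["repeated"] = map(int, m.groups())
            records.append(cur)
            cur = None
        elif (m := KV_RE.match(line)) and cur is not None:
            cur[m.group(1)] = m.group(2)
        elif API_RE.match(line):
            cur = {"api": line}
    return records


def _num(value):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x7c38a000' -> 0x7c38a000."""
    return int(value.split()[0], 0)


def summarize_rwx(records):
    """Per PID: count RWX allocations/protections and collect the monitor's
    stack_pivoted / heap_dep_bypass flags with the address they fired on."""
    per_pid = defaultdict(lambda: {"rwx_protect": 0, "rwx_alloc": 0, "largest_rwx_alloc": 0,
                                   "stack_pivot_at": [], "heap_dep_bypass_at": []})
    for r in records:
        # PAGE_* access values live in the low byte; higher bits are modifiers (PAGE_GUARD...)
        if _num(r.get("protection", "0")) & 0xFF != 0x40:
            continue
        s = per_pid[int(r["process_identifier"])]
        if r["api"] == "NtAllocateVirtualMemory":
            s["rwx_alloc"] += 1
            s["largest_rwx_alloc"] = max(s["largest_rwx_alloc"], _num(r["region_size"]))
        elif r["api"] == "NtProtectVirtualMemory":
            s["rwx_protect"] += 1
        if r.get("stack_pivoted") == "1":
            s["stack_pivot_at"].append(r["base_address"])
        if r.get("heap_dep_bypass") == "1":
            s["heap_dep_bypass_at"].append(r["base_address"])
    return dict(per_pid)


def verdicts(summary, big_alloc=1 << 20):
    """Reasons to escalate each PID; empty list = routine RWX churn only."""
    out = {}
    for pid, s in summary.items():
        reasons = []
        if s["stack_pivot_at"]:
            reasons.append("stack pivot while making %s executable" % ", ".join(s["stack_pivot_at"]))
        if s["heap_dep_bypass_at"]:
            reasons.append("heap page made executable at %s" % ", ".join(s["heap_dep_bypass_at"]))
        if s["largest_rwx_alloc"] >= big_alloc:      # threshold is an assumption of this example
            reasons.append("%d-byte RWX allocation (payload staging)" % s["largest_rwx_alloc"])
        out[pid] = reasons
    return out


if __name__ == "__main__":
    for pid, reasons in verdicts(summarize_rwx(parse_api_log(SAMPLE_LOG))).items():
        print(pid, reasons or "no exploit indicators")
```

Paste the whole memory table into `SAMPLE_LOG` and the same code produces the per-process picture directly; the benign-looking PID 5192 record (a single RWX protect, no flags) yields an empty reason list.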
description ..exe tried to sleep 174 seconds, actually delayed analysis time by 174 seconds
file C:\Users\test22\AppData\Local\~$..doc
file C:\Users\test22\AppData\Local\..doc
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RO0000.doc
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRO0000.doc
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\..doc.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Recent\Local.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\Local.LNK
file C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\..doc.LNK
file C:\Users\test22\AppData\Local\..exe
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000003e4
filepath: C:\Users\test22\AppData\Local\Temp\~$QcBgcWyFzwiyxiYMiwahvAS65uNb
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$QcBgcWyFzwiyxiYMiwahvAS65uNb
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000444
filepath: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RO0000.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~$RO0000.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000004ec
filepath: C:\Users\test22\AppData\Local\~$..doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\~$..doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat
1 1 0

SetFileAttributesW

file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Office\Recent\index.dat
1 1 0
cmdline cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
cmdline cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\11.0\Word\Resiliency" /F
cmdline cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
cmdline reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
cmdline reg delete "HKCU\Software\Microsoft\Office\11.0\Word\Resiliency" /F
cmdline reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
file C:\Users\test22\AppData\Local\..exe
filetype_details Rich Text Format data, version 1, unknown character set filename AzQcBgcWyFzwiyxiYMiwahvAS65uNb
host 172.217.25.14
parent_process winword.exe martian_process cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
parent_process winword.exe martian_process cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
parent_process winword.exe martian_process cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\11.0\Word\Resiliency" /F
parent_process winword.exe martian_process "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\AzQcBgcWyFzwiyxiYMiwahvAS65uNb C:\Users\test22\AppData\Local\Temp\..\\..doc
parent_process winword.exe martian_process C:\Users\test22\AppData\Local\Temp\..\\..exe
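The martian_process rows are the behavioural core of this report: winword.exe spawning cmd.exe to delete the per-version `\Word\Resiliency` keys, relaunching WINWORD.EXE on a file in %TEMP%, and executing an .exe whose `Temp\..\` path resolves into %LocalAppData% (the dropped file listed as C:\Users\test22\AppData\Local\..exe). Each is a parent/child relationship that a process-creation log (Sysmon event 1 or an EDR equivalent) can match. The Python below is an added example, not ZeroBOX code: three rules over a minimal event record, run against constructed events modelled on the rows above (the executable and document names are placeholders because the report elides them). The path normalisation is the point worth copying: the `..\` in the observed command line defeats a naive `\AppData\Local\Temp\` string match.

```python
import ntpath
import re
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# reg delete of Word's per-version Resiliency key, with or without the cmd.exe /c wrapper
RESILIENCY_RE = re.compile(
    r'reg(?:\.exe)?\s+delete\s+"?HKCU\\Software\\Microsoft\\Office\\[\d.]+\\Word\\Resiliency',
    re.IGNORECASE)
FIRST_TOKEN_RE = re.compile(r'\s*"([^"]+)"|\s*(\S+)')


@dataclass
class ProcEvent:
    """Minimal process-creation event (Sysmon EID 1 / EDR equivalent)."""
    parent_image: str
    image: str
    command_line: str


def _launched_path(command_line: str) -> str:
    """Executable path from a command line, with Temp\\..\\ style traversal collapsed
    so a path that escapes %TEMP% is matched where it really lands."""
    m = FIRST_TOKEN_RE.match(command_line)
    path = (m.group(1) or m.group(2)) if m else ""
    return ntpath.normpath(path).lower()


def evaluate(ev: ProcEvent):
    """Names of the rules that fire for one event; empty list when nothing matches."""
    hits = []
    if ntpath.basename(ev.parent_image).lower() not in OFFICE_PARENTS:
        return hits
    child = ntpath.basename(ev.image).lower()
    if child in {"cmd.exe", "reg.exe"} and RESILIENCY_RE.search(ev.command_line):
        # Word keeps crash/recovery state under ...\Word\Resiliency; deleting it suppresses
        # the safe-mode and document-recovery prompts that would reveal the crashed session.
        hits.append("office_wipes_word_resiliency")
    exe = _launched_path(ev.command_line)
    if "\\appdata\\local\\" in exe and exe.endswith(".exe"):
        hits.append("office_spawns_exe_from_appdata_local")
    if child == "winword.exe" and "\\appdata\\local\\temp\\" in ev.command_line.lower():
        # exploited instance relaunching Word on a file from %TEMP%: decoy document open
        hits.append("office_relaunches_word_on_temp_file")
    return hits


# Constructed events modelled on the martian_process rows of this report; sample.exe and
# decoy.doc are placeholders for the names the report elides.
EVENTS = [
    ProcEvent("winword.exe", "cmd.exe",
              r'cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F'),
    ProcEvent("winword.exe", "sample.exe", r"C:\Users\test22\AppData\Local\Temp\..\sample.exe"),
    ProcEvent("winword.exe", "WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" '
              r"C:\Users\test22\AppData\Local\Temp\decoy.doc"),
    ProcEvent("explorer.exe", "cmd.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(f"{ev.parent_image} -> {ev.image}: {evaluate(ev) or 'no match'}")
```

The same three conditions translate directly into Sigma selections (ParentImage|endswith '\winword.exe' together with CommandLine|contains '\Word\Resiliency', an Image under \AppData\Local\, or a WINWORD.EXE child with \AppData\Local\Temp\ in its command line); the Python form is here so the logic can be checked against events before it goes into a rule.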
Engine Detection
MicroWorld-eScan Trojan.RTF-COM-Dropper.Gen
FireEye Trojan.RTF-COM-Dropper.Gen
CAT-QuickHeal Exp.RTF.Downloader.36599.GC
ALYac Exploit.CVE-2015-1641
Cyren RTF/Rtfcmdrp.B
Symantec Trojan.Mdropper
ESET-NOD32 Win32/Exploit.Agent.NQU
TrendMicro-HouseCall TROJ_EXPLOYT.JEJOOK
Avast Other:Malware-gen [Trj]
ClamAV Win.Trojan.DragonOK-5580506-0
Kaspersky Exploit.MSWord.Agent.hf
BitDefender Trojan.RTF-COM-Dropper.Gen
NANO-Antivirus Exploit.Rtf.Agent.eqweep
Tencent Word.Exploit.Word.Lkdk
Ad-Aware Trojan.RTF-COM-Dropper.Gen
Emsisoft Trojan.RTF-COM-Dropper.Gen (B)
Comodo Malware@#10gk29kzyorn7
Zillya Exploit.Agent.MacroWord.55
TrendMicro TROJ_EXPLOYT.JEJOOK
McAfee-GW-Edition BehavesLike.Trojan.dj
Sophos Troj/DocDrop-FK
Avira EXP/Word.85484
MAX malware (ai score=98)
Antiy-AVL Trojan[Exploit]/Office.CVE-2015-1641
Microsoft Trojan:O97M/Donoff
ZoneAlarm HEUR:Exploit.MSWord.Generic
GData Exploit.CVE-2015-1641.Gen (2x)
Cynet Malicious (score: 85)
AhnLab-V3 RTF/Exploit
McAfee Exploit-CVE2015-1641!rtf.e
Zoner Probably Heur.RTFObfuscationD
Ikarus Exploit.CVE-2015-1641
Fortinet MSOffice/CVE_2015_1641.A!exploit
AVG Other:Malware-gen [Trj]
Qihoo-360 Generic/TrojanDownloader.Donoff.HgAASRQA
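The engines above classify the file as an RTF dropper carrying an embedded COM/OLE object (Trojan.RTF-COM-Dropper, RTF/Rtfcmdrp, Exploit.CVE-2015-1641), and the behaviour section shows an .exe and a .doc being written under %LocalAppData%. The first static triage step for such a sample is to pull the `\objdata` payload(s) out of the RTF and see what they are. The Python below is an added example, not ZeroBOX code and not taken from the sample: it builds its own constructed RTF with a minimal OLE 1.0 Package object around a stand-in PE stub (the real sample's payload is not reproduced here), skips the whitespace, nested groups and control words that RTF writers and obfuscators scatter through the hex, and parses the OLE 1.0 header to recover the class name and native data. oletools' rtfobj does the same more thoroughly; this is the minimum needed to read the header yourself.

```python
import re
import struct

# RTF control word (\word, \word123, \word-12, optional delimiter space), hex escape
# (\'xx) or control symbol (\*, \{ ...): none of these are object data.
CONTROL_RE = re.compile(rb"\\(?:'[0-9A-Fa-f]{2}|[A-Za-z]+-?\d* ?|.)")
OBJDATA_RE = re.compile(rb"\\objdata\b")
HEXDIGITS = frozenset(b"0123456789abcdefABCDEF")
MAGICS = [(b"MZ", "PE executable"),
          (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file"),
          (b"PK\x03\x04", "ZIP/OOXML"),
          (b"{\\rt", "RTF")]


def _collect_hex(rtf: bytes, pos: int) -> bytes:
    """Hex digits of the \\objdata group starting at `pos` (just past the control word)
    up to the brace that closes it. Nested groups, control words and whitespace are
    skipped, which is also how Word tolerates the junk obfuscators insert here."""
    depth, out = 1, bytearray()
    while pos < len(rtf) and depth > 0:
        c = rtf[pos]
        if c == 0x7B:                      # '{'
            depth, pos = depth + 1, pos + 1
        elif c == 0x7D:                    # '}'
            depth, pos = depth - 1, pos + 1
        elif c == 0x5C:                    # '\' -> skip the whole control word
            m = CONTROL_RE.match(rtf, pos)
            pos = m.end() if m else pos + 1
        else:
            if c in HEXDIGITS:
                out.append(c)
            pos += 1
    if len(out) % 2:                       # drop a dangling nibble from a truncated blob
        out.pop()
    return bytes(out)


def parse_ole1(blob: bytes):
    """OLE 1.0 embedded-object stream (MS-OLEDS 2.2): OLEVersion, FormatID, then
    ClassName/TopicName/ItemName as 4-byte-length-prefixed ANSI strings,
    NativeDataSize and NativeData. Returns None when the header does not fit."""
    try:
        version, format_id, class_len = struct.unpack_from("<III", blob, 0)
        off = 12
        class_name = blob[off:off + class_len].rstrip(b"\x00").decode("latin-1")
        off += class_len
        for _ in ("TopicName", "ItemName"):
            (n,) = struct.unpack_from("<I", blob, off)
            off += 4 + n
        (data_len,) = struct.unpack_from("<I", blob, off)
        off += 4
    except struct.error:
        return None
    return {"version": version, "format_id": format_id, "class": class_name,
            "declared_size": data_len, "data": blob[off:off + data_len]}


def classify(data: bytes) -> str:
    return next((label for magic, label in MAGICS if data.startswith(magic)), "unknown")


def extract_objects(rtf: bytes):
    """One dict per \\objdata group: OLE1 header fields plus `kind` and `size` of the payload."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        blob = bytes.fromhex(_collect_hex(rtf, m.end()).decode("ascii"))
        obj = parse_ole1(blob) or {"class": None, "declared_size": None, "data": blob}
        obj["kind"] = classify(obj["data"])
        obj["size"] = len(obj["data"])
        found.append(obj)
    return found


def build_ole1(class_name: bytes, native: bytes) -> bytes:
    """Constructed helper for the sample below: minimal OLE 1.0 embedded-object header.
    Real Package objects wrap the file in a further Package structure; the sample
    embeds the payload directly to keep the example short."""
    cls = class_name + b"\x00"
    return (struct.pack("<II", 0x00000501, 2)            # OLEVersion, FormatID 2 = embedded
            + struct.pack("<I", len(cls)) + cls            # ClassName
            + struct.pack("<II", 0, 0)                     # empty TopicName, ItemName
            + struct.pack("<I", len(native)) + native)     # NativeDataSize, NativeData


# Constructed RTF with a stand-in PE stub (not the sample's real payload); the hex is
# wrapped every 64 characters the way RTF writers emit it.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
_hex = build_ole1(b"Package", FAKE_PE).hex()
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Arial;}}\n\\pard Decoy text.\\par\n"
              b"{\\object\\objemb\\objw1000\\objh1000{\\*\\objclass Package}\n{\\*\\objdata "
              + "\n".join(_hex[i:i + 64] for i in range(0, len(_hex), 64)).encode()
              + b"}}\n}")

if __name__ == "__main__":
    for obj in extract_objects(SAMPLE_RTF):
        print(f"class={obj['class']!r} kind={obj['kind']} size={obj['size']} bytes")
```

Run it on a real file with `extract_objects(open(path, "rb").read())`; a `kind` of "PE executable" or "OLE compound file" inside a Package object is the static counterpart of the dropped-.exe behaviour this report records.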