Summary | ZeroBOX

.......dot

AntiVM AntiDebug
| Category | Machine | Started | Completed |
|---|---|---|---|
| FILE | s1_win7_x6402 | April 29, 2021, 10:19 p.m. | April 29, 2021, 10:27 p.m. |

| Property | Value |
|---|---|
| Size | 14.2KB |
| Type | data |
| MD5 | befeeec69e0be81ba319c172e8f266d5 |
| SHA256 | ca2c8ea3db7f365130d1aec2bf39b359c81d377cf90775fd7af36a2453f08292 |
| CRC32 | 009F847E |
| ssdeep | 192:PkFubGKTK1F+yUWY021KdFgOWRV8VEW7PgRy9flWApvyFtZGv6yKnbcpjIQT5/r0:PBvK7rXzviOWRV1W7gS72to6yYwXd1S |
| Yara | None matched |

| IP Address | Status | Action |
|---|---|---|
| 103.147.184.209 | Active | Moloch |
| 164.124.101.2 | Active | Moloch |
| 172.217.25.14 | Active | Moloch |
| 34.104.35.123 | Active | Moloch |
| 35.247.234.230 | Active | Moloch |

Suricata Alerts

| Flow | SID | Signature | Category |
|---|---|---|---|
| TCP 192.168.56.102:49816 -> 35.247.234.230:80 | 2017930 | ET MALWARE Trojan Generic - POST To gate.php with no referer | A Network Trojan was detected |
| TCP 192.168.56.102:49816 -> 35.247.234.230:80 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | A Network Trojan was detected |
| TCP 192.168.56.102:49816 -> 35.247.234.230:80 | 2025381 | ET MALWARE LokiBot Checkin | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49816 -> 35.247.234.230:80 | 2024312 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | A Network Trojan was detected |
| TCP 192.168.56.102:49816 -> 35.247.234.230:80 | 2024317 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | A Network Trojan was detected |
| TCP 192.168.56.102:49820 -> 216.58.200.67:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49817 -> 35.247.234.230:80 | 2017930 | ET MALWARE Trojan Generic - POST To gate.php with no referer | A Network Trojan was detected |
| TCP 192.168.56.102:49817 -> 35.247.234.230:80 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | A Network Trojan was detected |
| TCP 192.168.56.102:49817 -> 35.247.234.230:80 | 2025381 | ET MALWARE LokiBot Checkin | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49817 -> 35.247.234.230:80 | 2024312 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 | A Network Trojan was detected |
| TCP 192.168.56.102:49817 -> 35.247.234.230:80 | 2024317 | ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2 | A Network Trojan was detected |
| TCP 192.168.56.102:49822 -> 35.247.234.230:80 | 2017930 | ET MALWARE Trojan Generic - POST To gate.php with no referer | A Network Trojan was detected |
| TCP 192.168.56.102:49822 -> 35.247.234.230:80 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | A Network Trojan was detected |
| TCP 192.168.56.102:49822 -> 35.247.234.230:80 | 2025381 | ET MALWARE LokiBot Checkin | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49822 -> 35.247.234.230:80 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49822 -> 35.247.234.230:80 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | Malware Command and Control Activity Detected |
| TCP 35.247.234.230:80 -> 192.168.56.102:49822 | 2025483 | ET MALWARE LokiBot Fake 404 Response | A Network Trojan was detected |
| TCP 192.168.56.102:49823 -> 216.58.200.67:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |
| TCP 192.168.56.102:49811 -> 103.147.184.209:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | A Network Trojan was detected |
| TCP 192.168.56.102:49811 -> 103.147.184.209:80 | 2019714 | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile | Potentially Bad Traffic |
| TCP 103.147.184.209:80 -> 192.168.56.102:49811 | 2022050 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 | A Network Trojan was detected |
| TCP 103.147.184.209:80 -> 192.168.56.102:49811 | 2014819 | ET INFO Packed Executable Download | Misc activity |
| TCP 103.147.184.209:80 -> 192.168.56.102:49811 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 103.147.184.209:80 -> 192.168.56.102:49811 | 2022051 | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 | A Network Trojan was detected |
| TCP 103.147.184.209:80 -> 192.168.56.102:49811 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic |
| TCP 192.168.56.102:49818 -> 35.247.234.230:80 | 2017930 | ET MALWARE Trojan Generic - POST To gate.php with no referer | A Network Trojan was detected |
| TCP 192.168.56.102:49818 -> 35.247.234.230:80 | 2021641 | ET MALWARE LokiBot User-Agent (Charon/Inferno) | A Network Trojan was detected |
| TCP 192.168.56.102:49818 -> 35.247.234.230:80 | 2025381 | ET MALWARE LokiBot Checkin | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49818 -> 35.247.234.230:80 | 2024313 | ET MALWARE LokiBot Request for C2 Commands Detected M1 | Malware Command and Control Activity Detected |
| TCP 192.168.56.102:49818 -> 35.247.234.230:80 | 2024318 | ET MALWARE LokiBot Request for C2 Commands Detected M2 | Malware Command and Control Activity Detected |
| TCP 35.247.234.230:80 -> 192.168.56.102:49818 | 2025483 | ET MALWARE LokiBot Fake 404 Response | A Network Trojan was detected |
| TCP 34.104.35.123:80 -> 192.168.56.102:49821 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation |
| TCP 34.104.35.123:80 -> 192.168.56.102:49821 | 2014520 | ET INFO EXE - Served Attached HTTP | Misc activity |
| TCP 34.104.35.123:80 -> 192.168.56.102:49821 | 2015744 | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | Misc activity |
| TCP 192.168.56.102:49824 -> 216.58.200.67:443 | 906200022 | SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) | undefined |

Suricata TLS

| Flow | Issuer | Subject | Fingerprint |
|---|---|---|---|
| TLS 1.2 192.168.56.102:49820 -> 216.58.200.67:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | c2:b5:f0:1b:46:55:3f:d3:65:b2:1d:5c:cc:56:a7:41:ac:9c:7a:22 |
| TLS 1.2 192.168.56.102:49823 -> 216.58.200.67:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | c2:b5:f0:1b:46:55:3f:d3:65:b2:1d:5c:cc:56:a7:41:ac:9c:7a:22 |
| TLS 1.2 192.168.56.102:49824 -> 216.58.200.67:443 | C=US, O=Google Trust Services, CN=GTS CA 1O1 | C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com | c2:b5:f0:1b:46:55:3f:d3:65:b2:1d:5c:cc:56:a7:41:ac:9c:7a:22 |

registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74b41414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x64e54dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x654292a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x656a8232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x658bc40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x658c699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x656aa206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x6542b9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x6538f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x64af25f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x64b1fe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x64b1f54e
wdCommandDispatch+0x3f3be7 DllCanUnloadNow-0xd94e6 wwlib+0x7d4e5c @ 0x65294e5c
DllGetClassObject+0x9b035 DllGetLCID-0x1c084b wwlib+0x9fc7f @ 0x64b5fc7f
DllGetClassObject+0x9ac3c DllGetLCID-0x1c0c44 wwlib+0x9f886 @ 0x64b5f886
DllGetClassObject+0x9a90c DllGetLCID-0x1c0f74 wwlib+0x9f556 @ 0x64b5f556
DllGetClassObject+0x115ef3 DllGetLCID-0x14598d wwlib+0x11ab3d @ 0x64bdab3d
DllGetClassObject+0x11457c DllGetLCID-0x147304 wwlib+0x1191c6 @ 0x64bd91c6
DllGetClassObject+0x115894 DllGetLCID-0x145fec wwlib+0x11a4de @ 0x64bda4de
DllCanUnloadNow+0x127d65 wwlib+0x9d60a7 @ 0x654960a7
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x65289c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x65703aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x65703ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x64b2395f
DllGetClassObject+0x5de5b DllGetLCID-0x1fda25 wwlib+0x62aa5 @ 0x64b22aa5
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x64b227ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x64ac4c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f6f15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f6f155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 4471672
registers.edi: 1957755408
registers.eax: 4471672
registers.ebp: 4471752
registers.edx: 2130566132
registers.ebx: 5528396
registers.esi: 2147944126
registers.ecx: 1324013454
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x74b7a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x74b577e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x74b414b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x64e54dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x654292a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x656a8232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x658bc40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x658c699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x656aa206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x6542b9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x6538f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x64af25f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x64b1fe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x64b1f54e
wdCommandDispatch+0x3f3be7 DllCanUnloadNow-0xd94e6 wwlib+0x7d4e5c @ 0x65294e5c
DllGetClassObject+0x9b035 DllGetLCID-0x1c084b wwlib+0x9fc7f @ 0x64b5fc7f
DllGetClassObject+0x9ac3c DllGetLCID-0x1c0c44 wwlib+0x9f886 @ 0x64b5f886
DllGetClassObject+0x9a90c DllGetLCID-0x1c0f74 wwlib+0x9f556 @ 0x64b5f556
DllGetClassObject+0x115ef3 DllGetLCID-0x14598d wwlib+0x11ab3d @ 0x64bdab3d
DllGetClassObject+0x11457c DllGetLCID-0x147304 wwlib+0x1191c6 @ 0x64bd91c6
DllGetClassObject+0x115894 DllGetLCID-0x145fec wwlib+0x11a4de @ 0x64bda4de
DllCanUnloadNow+0x127d65 wwlib+0x9d60a7 @ 0x654960a7
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x65289c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x65703aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x65703ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x64b2395f
DllGetClassObject+0x5de5b DllGetLCID-0x1fda25 wwlib+0x62aa5 @ 0x64b22aa5
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x64b227ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x64ac4c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f6f15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f6f155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 4471364
registers.edi: 1957755408
registers.eax: 4471364
registers.ebp: 4471444
registers.edx: 2130566132
registers.ebx: 5560628
registers.esi: 2147944122
registers.ecx: 1324013454
1 0 0
| Suspicious feature | Suspicious request |
|---|---|
| Connection to IP address | GET http://103.147.184.209/ribbon/vbc.exe |
| POST method with no referer header, HTTP version 1.0 used | POST http://amrp.tw/chud/gate.php |
| POST method with no referer header | POST https://update.googleapis.com/service/update2?cup2key=10:933805276&cup2hreq=bc5bad2e07a349d21221961523b8f1e1a86b356488e544d0a74df69dc039814c |
| POST method with no referer header | POST https://update.googleapis.com/service/update2 |
request GET http://103.147.184.209/ribbon/vbc.exe
request POST http://amrp.tw/chud/gate.php
request HEAD http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request GET http://edgedl.me.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request POST https://update.googleapis.com/service/update2?cup2key=10:933805276&cup2hreq=bc5bad2e07a349d21221961523b8f1e1a86b356488e544d0a74df69dc039814c
request POST https://update.googleapis.com/service/update2
request POST http://amrp.tw/chud/gate.php
request POST https://update.googleapis.com/service/update2?cup2key=10:933805276&cup2hreq=bc5bad2e07a349d21221961523b8f1e1a86b356488e544d0a74df69dc039814c
request POST https://update.googleapis.com/service/update2
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x2f6f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x64ac1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f4c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f5de000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x64d0e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x63aa1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6400a000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75738000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70851000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70851000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ef1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73771000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73821000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8780
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ab0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02b50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72992000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8780
region_size: 786432
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02c40000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02cc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73c71000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ac0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02ac0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72021000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70741000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7079f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7079f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73db1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73361000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73711000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x062a1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x060d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x060d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x060e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8780
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x060f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6eac1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6eac4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8780
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
1 0 0
Application Crash Process WINWORD.EXE with pid 8780 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74b41414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x64e54dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x654292a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x656a8232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x658bc40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x658c699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x656aa206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x6542b9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x6538f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x64af25f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x64b1fe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x64b1f54e
wdCommandDispatch+0x3f3be7 DllCanUnloadNow-0xd94e6 wwlib+0x7d4e5c @ 0x65294e5c
DllGetClassObject+0x9b035 DllGetLCID-0x1c084b wwlib+0x9fc7f @ 0x64b5fc7f
DllGetClassObject+0x9ac3c DllGetLCID-0x1c0c44 wwlib+0x9f886 @ 0x64b5f886
DllGetClassObject+0x9a90c DllGetLCID-0x1c0f74 wwlib+0x9f556 @ 0x64b5f556
DllGetClassObject+0x115ef3 DllGetLCID-0x14598d wwlib+0x11ab3d @ 0x64bdab3d
DllGetClassObject+0x11457c DllGetLCID-0x147304 wwlib+0x1191c6 @ 0x64bd91c6
DllGetClassObject+0x115894 DllGetLCID-0x145fec wwlib+0x11a4de @ 0x64bda4de
DllCanUnloadNow+0x127d65 wwlib+0x9d60a7 @ 0x654960a7
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x65289c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x65703aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x65703ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x64b2395f
DllGetClassObject+0x5de5b DllGetLCID-0x1fda25 wwlib+0x62aa5 @ 0x64b22aa5
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x64b227ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x64ac4c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f6f15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f6f155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 4471672
registers.edi: 1957755408
registers.eax: 4471672
registers.ebp: 4471752
registers.edx: 2130566132
registers.ebx: 5528396
registers.esi: 2147944126
registers.ecx: 1324013454
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x74b7a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x74b577e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x74b414b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x64e54dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x654292a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x656a8232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x658bc40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x658c699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x656aa206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x6542b9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x6538f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x64af25f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x64b1fe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x64b1f54e
wdCommandDispatch+0x3f3be7 DllCanUnloadNow-0xd94e6 wwlib+0x7d4e5c @ 0x65294e5c
DllGetClassObject+0x9b035 DllGetLCID-0x1c084b wwlib+0x9fc7f @ 0x64b5fc7f
DllGetClassObject+0x9ac3c DllGetLCID-0x1c0c44 wwlib+0x9f886 @ 0x64b5f886
DllGetClassObject+0x9a90c DllGetLCID-0x1c0f74 wwlib+0x9f556 @ 0x64b5f556
DllGetClassObject+0x115ef3 DllGetLCID-0x14598d wwlib+0x11ab3d @ 0x64bdab3d
DllGetClassObject+0x11457c DllGetLCID-0x147304 wwlib+0x1191c6 @ 0x64bd91c6
DllGetClassObject+0x115894 DllGetLCID-0x145fec wwlib+0x11a4de @ 0x64bda4de
DllCanUnloadNow+0x127d65 wwlib+0x9d60a7 @ 0x654960a7
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x65289c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x65703aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x65703ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x64b2395f
DllGetClassObject+0x5de5b DllGetLCID-0x1fda25 wwlib+0x62aa5 @ 0x64b22aa5
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x64b227ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x64ac4c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2f6f15d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2f6f155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 4471364
registers.edi: 1957755408
registers.eax: 4471364
registers.ebp: 4471444
registers.edx: 2130566132
registers.ebx: 5560628
registers.esi: 2147944122
registers.ecx: 1324013454
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000002c8
filepath: C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x000004a0
filepath: C:\Users\test22\AppData\Local\Temp\~$.......dot
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$.......dot
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
| Description | Rule |
|---|---|
| (no description) | DebuggerCheck__GlobalFlags |
| (no description) | DebuggerCheck__QueryInfo |
| (no description) | DebuggerHiding__Thread |
| (no description) | DebuggerHiding__Active |
| (no description) | ThreadControl__Context |
| (no description) | SEH__vectored |
| Checks if being debugged | anti_dbg |
| Bypass DEP | disable_dep |
host 103.147.184.209
host 172.217.25.14
| Vendor | Detection |
|---|---|
| MicroWorld-eScan | Exploit.RTF-ObfsStrm.Gen |
| Sangfor | Malware.Generic-RTF.Save.c5a892ae |
| K7AntiVirus | Trojan ( 0057b3a91 ) |
| K7GW | Trojan ( 0057b3a91 ) |
| Arcabit | Exploit.RTF-ObfsStrm.Gen |
| Symantec | Bloodhound.RTF.20 |
| ESET-NOD32 | multiple detections |
| Kaspersky | UDS:DangerousObject.Multi.Generic |
| BitDefender | Exploit.RTF-ObfsStrm.Gen |
| NANO-Antivirus | Exploit.Rtf.Heuristic-rtf.dinbqn |
| Ad-Aware | Exploit.RTF-ObfsStrm.Gen |
| Sophos | Troj/RtfExp-EQ |
| F-Secure | Heuristic.HEUR/Rtf.Malformed |
| DrWeb | Exploit.Rtf.Obfuscated.32 |
| TrendMicro | HEUR_RTFMALFORM |
| FireEye | Exploit.RTF-ObfsStrm.Gen |
| Emsisoft | Exploit.RTF-ObfsStrm.Gen (B) |
| Ikarus | Exploit.CVE-2017-11882 |
| Avira | HEUR/Rtf.Malformed |
| Antiy-AVL | Trojan[Exploit]/RTF.Obscure.Gen |
| ZoneAlarm | HEUR:Exploit.MSOffice.Generic |
| GData | Exploit.RTF-ObfsStrm.Gen |
| Cynet | Malicious (score: 99) |
| AhnLab-V3 | RTF/Malform-A.Gen |
| Zoner | Probably Heur.RTFBadHeader |
| MAX | malware (ai score=89) |
| Fortinet | RTF/CVE_2017_11882.C!exploit |