Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 8, 2021, 9:09 a.m.	Sept. 8, 2021, 9:11 a.m.

Size	80.0KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Author: Leopard, Template: Normal.dotm, Last Saved By: Cloud, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Sep 3 09:34:00 2021, Last Saved Time/Date: Fri Sep 3 09:34:00 2021, Number of Pages: 8, Number of Words: 857, Number of Characters: 4891, Security: 0
MD5	`baa9b34f152076ecc4e01e35ecc2de18`
SHA256	`700db4ae28f53782d239e83db189c7c956b06f61e04cb4a55ff4bc759faa170e`
CRC32	`06CBBC50`
ssdeep	`768:kwAvo/qqTYY00aSj0GkSGCtpmKJncnuVY9ikxlK/EhTUDqC19tOtC1qv00pkRH:Mg/bcY00aHGr+KJ/VY9XfuqC19tOAX`
Yara	Generic_Malware_Zero - Generic Malware Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] Microsoft_Office_File_Zero - Microsoft Office File

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\북한의 최근 정세와 우리의 안보.doc"
2204
- notepad.exe notepad.exe
  2236

Name	Response	Post-Analysis Lookup
api.onedrive.com	CNAME common-afdrk.fe.1drv.com A 13.107.42.12 CNAME commonafdrk-brs.onedrive.akadns.net CNAME l-0003.l-msedge.net CNAME commonafdrk-geo.onedrive.akadns.net CNAME common.be.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net	13.107.42.12

IP Address	Status	Action
13.107.42.12	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49166 -> 13.107.42.12:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49166 13.107.42.12:443	C=US, O=Microsoft Corporation, CN=Microsoft RSA TLS CA 01	C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=storage.live.com	ec:e5:02:98:e6:c9:9a:12:fc:c0:4d:19:cd:2b:0c:ae:d0:c0:37:8e

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ Sept. 8, 2021, 9:09 a.m.	stacktrace: GlobalAlloc+0xaf GlobalMemoryStatusEx-0x10a kernelbase+0x14056 @ 0x75674056 CreateStreamOnHGlobal+0x63 ObjectStublessClient23-0x8e1 ole32+0x2369e @ 0x768f369e _MsoFreeCvsList@4+0x3abbc _MsoFHideTaiwan@0-0x3135b mso+0x23ee76 @ 0x7027ee76 _MsoFreeCvsList@4+0x3995b _MsoFHideTaiwan@0-0x325bc mso+0x23dc15 @ 0x7027dc15 _MsoFreeCvsList@4+0x397bb _MsoFHideTaiwan@0-0x3275c mso+0x23da75 @ 0x7027da75 _MsoFreeCvsList@4+0x39773 _MsoFHideTaiwan@0-0x327a4 mso+0x23da2d @ 0x7027da2d _MsoFreeCvsList@4+0x39669 _MsoFHideTaiwan@0-0x328ae mso+0x23d923 @ 0x7027d923 _MsoFreeCvsList@4+0x395f4 _MsoFHideTaiwan@0-0x32923 mso+0x23d8ae @ 0x7027d8ae _MsoFreeCvsList@4+0x39410 _MsoFHideTaiwan@0-0x32b07 mso+0x23d6ca @ 0x7027d6ca _MsoFreeCvsList@4+0x3935a _MsoFHideTaiwan@0-0x32bbd mso+0x23d614 @ 0x7027d614 _MsoFreeCvsList@4+0x3923a _MsoFHideTaiwan@0-0x32cdd mso+0x23d4f4 @ 0x7027d4f4 _MsoFreeCvsList@4+0x391d5 _MsoFHideTaiwan@0-0x32d42 mso+0x23d48f @ 0x7027d48f _MsoFreeCvsList@4+0x44a8c _MsoFHideTaiwan@0-0x2748b mso+0x248d46 @ 0x70288d46 _MsoFreeCvsList@4+0x44839 _MsoFHideTaiwan@0-0x276de mso+0x248af3 @ 0x70288af3 _MsoFreeCvsList@4+0x4873b _MsoFHideTaiwan@0-0x237dc mso+0x24c9f5 @ 0x7028c9f5 _MsoPeekMessage@8+0x2a9c _MsoGetStringTypeExW@20-0x359b mso+0xb5349 @ 0x700f5349 _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x700f3f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x700f4b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x700f3a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72626e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72627d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72624667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72623169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x726213e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fc81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fc8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 10 89 11 89 38 8b 4d 0c 3b cf 0f 85 b4 a2 00 exception.symbol: RtlAllocateHandle+0x21 RtlFreeHandle-0x21 ntdll+0x38221 exception.instruction: mov edx, dword ptr [eax] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 229921 exception.address: 0x77b18221 registers.esp: 3461564 registers.edi: 0 registers.eax: 3897568492 registers.ebp: 3461628 registers.edx: 3897568492 registers.ebx: 769 registers.esi: 1969882752 registers.ecx: 1969882768	1
__exception__ Sept. 8, 2021, 9:09 a.m.	stacktrace: GlobalAlloc+0xaf GlobalMemoryStatusEx-0x10a kernelbase+0x14056 @ 0x75674056 CreateStreamOnHGlobal+0x63 ObjectStublessClient23-0x8e1 ole32+0x2369e @ 0x768f369e _MsoFreeCvsList@4+0x3abbc _MsoFHideTaiwan@0-0x3135b mso+0x23ee76 @ 0x7027ee76 _MsoFreeCvsList@4+0x3995b _MsoFHideTaiwan@0-0x325bc mso+0x23dc15 @ 0x7027dc15 _MsoFreeCvsList@4+0x397bb _MsoFHideTaiwan@0-0x3275c mso+0x23da75 @ 0x7027da75 _MsoFreeCvsList@4+0x39773 _MsoFHideTaiwan@0-0x327a4 mso+0x23da2d @ 0x7027da2d _MsoFreeCvsList@4+0x39669 _MsoFHideTaiwan@0-0x328ae mso+0x23d923 @ 0x7027d923 _MsoFreeCvsList@4+0x395f4 _MsoFHideTaiwan@0-0x32923 mso+0x23d8ae @ 0x7027d8ae _MsoFreeCvsList@4+0x39410 _MsoFHideTaiwan@0-0x32b07 mso+0x23d6ca @ 0x7027d6ca _MsoFreeCvsList@4+0x3935a _MsoFHideTaiwan@0-0x32bbd mso+0x23d614 @ 0x7027d614 _MsoFreeCvsList@4+0x3923a _MsoFHideTaiwan@0-0x32cdd mso+0x23d4f4 @ 0x7027d4f4 _MsoFreeCvsList@4+0x391d5 _MsoFHideTaiwan@0-0x32d42 mso+0x23d48f @ 0x7027d48f _MsoFreeCvsList@4+0x44a8c _MsoFHideTaiwan@0-0x2748b mso+0x248d46 @ 0x70288d46 _MsoFreeCvsList@4+0x44868 _MsoFHideTaiwan@0-0x276af mso+0x248b22 @ 0x70288b22 _MsoFreeCvsList@4+0x4873b _MsoFHideTaiwan@0-0x237dc mso+0x24c9f5 @ 0x7028c9f5 _MsoPeekMessage@8+0x2a9c _MsoGetStringTypeExW@20-0x359b mso+0xb5349 @ 0x700f5349 _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x700f3f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x700f4b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x700f3a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72626e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72627d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72624667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72623169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x726213e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fc81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fc8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 10 89 11 89 38 8b 4d 0c 3b cf 0f 85 b4 a2 00 exception.symbol: RtlAllocateHandle+0x21 RtlFreeHandle-0x21 ntdll+0x38221 exception.instruction: mov edx, dword ptr [eax] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 229921 exception.address: 0x77b18221 registers.esp: 3461564 registers.edi: 0 registers.eax: 3897568492 registers.ebp: 3461628 registers.edx: 3897568492 registers.ebx: 769 registers.esi: 1969882752 registers.ecx: 1969882768	1
__exception__ Sept. 8, 2021, 9:09 a.m.	stacktrace: GlobalAlloc+0xaf GlobalMemoryStatusEx-0x10a kernelbase+0x14056 @ 0x75674056 CreateStreamOnHGlobal+0x63 ObjectStublessClient23-0x8e1 ole32+0x2369e @ 0x768f369e _MsoFreeCvsList@4+0x3abbc _MsoFHideTaiwan@0-0x3135b mso+0x23ee76 @ 0x7027ee76 _MsoFreeCvsList@4+0x3995b _MsoFHideTaiwan@0-0x325bc mso+0x23dc15 @ 0x7027dc15 _MsoFreeCvsList@4+0x397bb _MsoFHideTaiwan@0-0x3275c mso+0x23da75 @ 0x7027da75 _MsoFreeCvsList@4+0x39773 _MsoFHideTaiwan@0-0x327a4 mso+0x23da2d @ 0x7027da2d _MsoFreeCvsList@4+0x39669 _MsoFHideTaiwan@0-0x328ae mso+0x23d923 @ 0x7027d923 _MsoFreeCvsList@4+0x395f4 _MsoFHideTaiwan@0-0x32923 mso+0x23d8ae @ 0x7027d8ae _MsoFreeCvsList@4+0x39410 _MsoFHideTaiwan@0-0x32b07 mso+0x23d6ca @ 0x7027d6ca _MsoFreeCvsList@4+0x3935a _MsoFHideTaiwan@0-0x32bbd mso+0x23d614 @ 0x7027d614 _MsoFreeCvsList@4+0x3923a _MsoFHideTaiwan@0-0x32cdd mso+0x23d4f4 @ 0x7027d4f4 _MsoFreeCvsList@4+0x391d5 _MsoFHideTaiwan@0-0x32d42 mso+0x23d48f @ 0x7027d48f _MsoFreeCvsList@4+0x44a8c _MsoFHideTaiwan@0-0x2748b mso+0x248d46 @ 0x70288d46 _MsoFreeCvsList@4+0x44894 _MsoFHideTaiwan@0-0x27683 mso+0x248b4e @ 0x70288b4e _MsoFreeCvsList@4+0x4873b _MsoFHideTaiwan@0-0x237dc mso+0x24c9f5 @ 0x7028c9f5 _MsoPeekMessage@8+0x2a9c _MsoGetStringTypeExW@20-0x359b mso+0xb5349 @ 0x700f5349 _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x700f3f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x700f4b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x700f3a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72626e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72627d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72624667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72623169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x726213e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fc81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fc8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 10 89 11 89 38 8b 4d 0c 3b cf 0f 85 b4 a2 00 exception.symbol: RtlAllocateHandle+0x21 RtlFreeHandle-0x21 ntdll+0x38221 exception.instruction: mov edx, dword ptr [eax] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 229921 exception.address: 0x77b18221 registers.esp: 3461564 registers.edi: 0 registers.eax: 3897568492 registers.ebp: 3461628 registers.edx: 3897568492 registers.ebx: 769 registers.esi: 1969882752 registers.ecx: 1969882768	1
__exception__ Sept. 8, 2021, 9:09 a.m.	stacktrace: GlobalAlloc+0xaf GlobalMemoryStatusEx-0x10a kernelbase+0x14056 @ 0x75674056 CreateStreamOnHGlobal+0x63 ObjectStublessClient23-0x8e1 ole32+0x2369e @ 0x768f369e _MsoFreeCvsList@4+0x3abbc _MsoFHideTaiwan@0-0x3135b mso+0x23ee76 @ 0x7027ee76 _MsoFreeCvsList@4+0x3995b _MsoFHideTaiwan@0-0x325bc mso+0x23dc15 @ 0x7027dc15 _MsoFreeCvsList@4+0x397bb _MsoFHideTaiwan@0-0x3275c mso+0x23da75 @ 0x7027da75 _MsoFreeCvsList@4+0x39773 _MsoFHideTaiwan@0-0x327a4 mso+0x23da2d @ 0x7027da2d _MsoFreeCvsList@4+0x39669 _MsoFHideTaiwan@0-0x328ae mso+0x23d923 @ 0x7027d923 _MsoFreeCvsList@4+0x395f4 _MsoFHideTaiwan@0-0x32923 mso+0x23d8ae @ 0x7027d8ae _MsoFreeCvsList@4+0x39410 _MsoFHideTaiwan@0-0x32b07 mso+0x23d6ca @ 0x7027d6ca _MsoFreeCvsList@4+0x3935a _MsoFHideTaiwan@0-0x32bbd mso+0x23d614 @ 0x7027d614 _MsoFreeCvsList@4+0x3923a _MsoFHideTaiwan@0-0x32cdd mso+0x23d4f4 @ 0x7027d4f4 _MsoFreeCvsList@4+0x391d5 _MsoFHideTaiwan@0-0x32d42 mso+0x23d48f @ 0x7027d48f _MsoFreeCvsList@4+0x44a8c _MsoFHideTaiwan@0-0x2748b mso+0x248d46 @ 0x70288d46 _MsoFreeCvsList@4+0x448c0 _MsoFHideTaiwan@0-0x27657 mso+0x248b7a @ 0x70288b7a _MsoFreeCvsList@4+0x4873b _MsoFHideTaiwan@0-0x237dc mso+0x24c9f5 @ 0x7028c9f5 _MsoPeekMessage@8+0x2a9c _MsoGetStringTypeExW@20-0x359b mso+0xb5349 @ 0x700f5349 _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x700f3f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x700f4b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x700f3a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72626e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72627d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72624667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72623169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x726213e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fc81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fc8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 10 89 11 89 38 8b 4d 0c 3b cf 0f 85 b4 a2 00 exception.symbol: RtlAllocateHandle+0x21 RtlFreeHandle-0x21 ntdll+0x38221 exception.instruction: mov edx, dword ptr [eax] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 229921 exception.address: 0x77b18221 registers.esp: 3461564 registers.edi: 0 registers.eax: 3897568492 registers.ebp: 3461628 registers.edx: 3897568492 registers.ebx: 769 registers.esi: 1969882752 registers.ecx: 1969882768	1
__exception__ Sept. 8, 2021, 9:09 a.m.	stacktrace: GlobalAlloc+0xaf GlobalMemoryStatusEx-0x10a kernelbase+0x14056 @ 0x75674056 CreateStreamOnHGlobal+0x63 ObjectStublessClient23-0x8e1 ole32+0x2369e @ 0x768f369e _MsoFreeCvsList@4+0x3abbc _MsoFHideTaiwan@0-0x3135b mso+0x23ee76 @ 0x7027ee76 _MsoFreeCvsList@4+0x3995b _MsoFHideTaiwan@0-0x325bc mso+0x23dc15 @ 0x7027dc15 _MsoFreeCvsList@4+0x397bb _MsoFHideTaiwan@0-0x3275c mso+0x23da75 @ 0x7027da75 _MsoFreeCvsList@4+0x39773 _MsoFHideTaiwan@0-0x327a4 mso+0x23da2d @ 0x7027da2d _MsoFreeCvsList@4+0x39669 _MsoFHideTaiwan@0-0x328ae mso+0x23d923 @ 0x7027d923 _MsoFreeCvsList@4+0x395f4 _MsoFHideTaiwan@0-0x32923 mso+0x23d8ae @ 0x7027d8ae _MsoFreeCvsList@4+0x39410 _MsoFHideTaiwan@0-0x32b07 mso+0x23d6ca @ 0x7027d6ca _MsoFreeCvsList@4+0x3935a _MsoFHideTaiwan@0-0x32bbd mso+0x23d614 @ 0x7027d614 _MsoFreeCvsList@4+0x3923a _MsoFHideTaiwan@0-0x32cdd mso+0x23d4f4 @ 0x7027d4f4 _MsoFreeCvsList@4+0x391d5 _MsoFHideTaiwan@0-0x32d42 mso+0x23d48f @ 0x7027d48f MsoMakeCustomItem+0x48384 _MsoHrPrepareForIMShutdown@0-0x1577e mso+0x4e63c8 @ 0x705263c8 DllGetLCID+0x64da0 wdGetApplicationObject-0x8296e0 wwlib+0x272796 @ 0x72832796 _GetAllocCounters@0+0x4e132 DllGetLCID-0x1a8afc wwlib+0x64efa @ 0x72624efa _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72624667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72623169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x726213e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fc81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fc8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 10 89 11 89 38 8b 4d 0c 3b cf 0f 85 b4 a2 00 exception.symbol: RtlAllocateHandle+0x21 RtlFreeHandle-0x21 ntdll+0x38221 exception.instruction: mov edx, dword ptr [eax] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 229921 exception.address: 0x77b18221 registers.esp: 3462668 registers.edi: 0 registers.eax: 3897568492 registers.ebp: 3462732 registers.edx: 3897568492 registers.ebx: 769 registers.esi: 1969882752 registers.ecx: 1969882768	1
__exception__ Sept. 8, 2021, 9:09 a.m.	stacktrace: BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 12 0f 1e 16 35 14 0f 3d 14 0e 15 1f 59 57 59 16 exception.instruction: adc cl, byte ptr [edi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x3020012 registers.esp: 3078488 registers.edi: 0 registers.eax: 50462761 registers.ebp: 3078528 registers.edx: 65 registers.ebx: 3318158 registers.esi: 0 registers.ecx: 1768843639	1

Performs some HTTP requests (1 event)

request

GET https://api.onedrive.com/v1.0/shares/u!aHR0cHM6Ly8xZHJ2Lm1zL3UvcyFBalVyZDlodU1wUWNjTGt4bXhBV0pjQU1ja2M_ZT1mUnc4VHg/root/content

Allocates read-write-execute memory (usually to unpack itself) (50 out of 72 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69ff1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00666000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00666000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00667000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00668000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00668000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00669000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00669000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2204 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (6 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 2204 crashed
__exception__ Sept. 8, 2021, 9:09 a.m.	stacktrace: GlobalAlloc+0xaf GlobalMemoryStatusEx-0x10a kernelbase+0x14056 @ 0x75674056 CreateStreamOnHGlobal+0x63 ObjectStublessClient23-0x8e1 ole32+0x2369e @ 0x768f369e _MsoFreeCvsList@4+0x3abbc _MsoFHideTaiwan@0-0x3135b mso+0x23ee76 @ 0x7027ee76 _MsoFreeCvsList@4+0x3995b _MsoFHideTaiwan@0-0x325bc mso+0x23dc15 @ 0x7027dc15 _MsoFreeCvsList@4+0x397bb _MsoFHideTaiwan@0-0x3275c mso+0x23da75 @ 0x7027da75 _MsoFreeCvsList@4+0x39773 _MsoFHideTaiwan@0-0x327a4 mso+0x23da2d @ 0x7027da2d _MsoFreeCvsList@4+0x39669 _MsoFHideTaiwan@0-0x328ae mso+0x23d923 @ 0x7027d923 _MsoFreeCvsList@4+0x395f4 _MsoFHideTaiwan@0-0x32923 mso+0x23d8ae @ 0x7027d8ae _MsoFreeCvsList@4+0x39410 _MsoFHideTaiwan@0-0x32b07 mso+0x23d6ca @ 0x7027d6ca _MsoFreeCvsList@4+0x3935a _MsoFHideTaiwan@0-0x32bbd mso+0x23d614 @ 0x7027d614 _MsoFreeCvsList@4+0x3923a _MsoFHideTaiwan@0-0x32cdd mso+0x23d4f4 @ 0x7027d4f4 _MsoFreeCvsList@4+0x391d5 _MsoFHideTaiwan@0-0x32d42 mso+0x23d48f @ 0x7027d48f _MsoFreeCvsList@4+0x44a8c _MsoFHideTaiwan@0-0x2748b mso+0x248d46 @ 0x70288d46 _MsoFreeCvsList@4+0x44839 _MsoFHideTaiwan@0-0x276de mso+0x248af3 @ 0x70288af3 _MsoFreeCvsList@4+0x4873b _MsoFHideTaiwan@0-0x237dc mso+0x24c9f5 @ 0x7028c9f5 _MsoPeekMessage@8+0x2a9c _MsoGetStringTypeExW@20-0x359b mso+0xb5349 @ 0x700f5349 _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x700f3f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x700f4b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x700f3a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72626e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72627d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72624667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72623169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x726213e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fc81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fc8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 10 89 11 89 38 8b 4d 0c 3b cf 0f 85 b4 a2 00 exception.symbol: RtlAllocateHandle+0x21 RtlFreeHandle-0x21 ntdll+0x38221 exception.instruction: mov edx, dword ptr [eax] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 229921 exception.address: 0x77b18221 registers.esp: 3461564 registers.edi: 0 registers.eax: 3897568492 registers.ebp: 3461628 registers.edx: 3897568492 registers.ebx: 769 registers.esi: 1969882752 registers.ecx: 1969882768	1	0	0
__exception__ Sept. 8, 2021, 9:09 a.m.	stacktrace: GlobalAlloc+0xaf GlobalMemoryStatusEx-0x10a kernelbase+0x14056 @ 0x75674056 CreateStreamOnHGlobal+0x63 ObjectStublessClient23-0x8e1 ole32+0x2369e @ 0x768f369e _MsoFreeCvsList@4+0x3abbc _MsoFHideTaiwan@0-0x3135b mso+0x23ee76 @ 0x7027ee76 _MsoFreeCvsList@4+0x3995b _MsoFHideTaiwan@0-0x325bc mso+0x23dc15 @ 0x7027dc15 _MsoFreeCvsList@4+0x397bb _MsoFHideTaiwan@0-0x3275c mso+0x23da75 @ 0x7027da75 _MsoFreeCvsList@4+0x39773 _MsoFHideTaiwan@0-0x327a4 mso+0x23da2d @ 0x7027da2d _MsoFreeCvsList@4+0x39669 _MsoFHideTaiwan@0-0x328ae mso+0x23d923 @ 0x7027d923 _MsoFreeCvsList@4+0x395f4 _MsoFHideTaiwan@0-0x32923 mso+0x23d8ae @ 0x7027d8ae _MsoFreeCvsList@4+0x39410 _MsoFHideTaiwan@0-0x32b07 mso+0x23d6ca @ 0x7027d6ca _MsoFreeCvsList@4+0x3935a _MsoFHideTaiwan@0-0x32bbd mso+0x23d614 @ 0x7027d614 _MsoFreeCvsList@4+0x3923a _MsoFHideTaiwan@0-0x32cdd mso+0x23d4f4 @ 0x7027d4f4 _MsoFreeCvsList@4+0x391d5 _MsoFHideTaiwan@0-0x32d42 mso+0x23d48f @ 0x7027d48f _MsoFreeCvsList@4+0x44a8c _MsoFHideTaiwan@0-0x2748b mso+0x248d46 @ 0x70288d46 _MsoFreeCvsList@4+0x44868 _MsoFHideTaiwan@0-0x276af mso+0x248b22 @ 0x70288b22 _MsoFreeCvsList@4+0x4873b _MsoFHideTaiwan@0-0x237dc mso+0x24c9f5 @ 0x7028c9f5 _MsoPeekMessage@8+0x2a9c _MsoGetStringTypeExW@20-0x359b mso+0xb5349 @ 0x700f5349 _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x700f3f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x700f4b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x700f3a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72626e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72627d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72624667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72623169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x726213e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fc81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fc8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 10 89 11 89 38 8b 4d 0c 3b cf 0f 85 b4 a2 00 exception.symbol: RtlAllocateHandle+0x21 RtlFreeHandle-0x21 ntdll+0x38221 exception.instruction: mov edx, dword ptr [eax] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 229921 exception.address: 0x77b18221 registers.esp: 3461564 registers.edi: 0 registers.eax: 3897568492 registers.ebp: 3461628 registers.edx: 3897568492 registers.ebx: 769 registers.esi: 1969882752 registers.ecx: 1969882768	1	0	0
__exception__ Sept. 8, 2021, 9:09 a.m.	stacktrace: GlobalAlloc+0xaf GlobalMemoryStatusEx-0x10a kernelbase+0x14056 @ 0x75674056 CreateStreamOnHGlobal+0x63 ObjectStublessClient23-0x8e1 ole32+0x2369e @ 0x768f369e _MsoFreeCvsList@4+0x3abbc _MsoFHideTaiwan@0-0x3135b mso+0x23ee76 @ 0x7027ee76 _MsoFreeCvsList@4+0x3995b _MsoFHideTaiwan@0-0x325bc mso+0x23dc15 @ 0x7027dc15 _MsoFreeCvsList@4+0x397bb _MsoFHideTaiwan@0-0x3275c mso+0x23da75 @ 0x7027da75 _MsoFreeCvsList@4+0x39773 _MsoFHideTaiwan@0-0x327a4 mso+0x23da2d @ 0x7027da2d _MsoFreeCvsList@4+0x39669 _MsoFHideTaiwan@0-0x328ae mso+0x23d923 @ 0x7027d923 _MsoFreeCvsList@4+0x395f4 _MsoFHideTaiwan@0-0x32923 mso+0x23d8ae @ 0x7027d8ae _MsoFreeCvsList@4+0x39410 _MsoFHideTaiwan@0-0x32b07 mso+0x23d6ca @ 0x7027d6ca _MsoFreeCvsList@4+0x3935a _MsoFHideTaiwan@0-0x32bbd mso+0x23d614 @ 0x7027d614 _MsoFreeCvsList@4+0x3923a _MsoFHideTaiwan@0-0x32cdd mso+0x23d4f4 @ 0x7027d4f4 _MsoFreeCvsList@4+0x391d5 _MsoFHideTaiwan@0-0x32d42 mso+0x23d48f @ 0x7027d48f _MsoFreeCvsList@4+0x44a8c _MsoFHideTaiwan@0-0x2748b mso+0x248d46 @ 0x70288d46 _MsoFreeCvsList@4+0x44894 _MsoFHideTaiwan@0-0x27683 mso+0x248b4e @ 0x70288b4e _MsoFreeCvsList@4+0x4873b _MsoFHideTaiwan@0-0x237dc mso+0x24c9f5 @ 0x7028c9f5 _MsoPeekMessage@8+0x2a9c _MsoGetStringTypeExW@20-0x359b mso+0xb5349 @ 0x700f5349 _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x700f3f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x700f4b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x700f3a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72626e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72627d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72624667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72623169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x726213e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fc81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fc8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 10 89 11 89 38 8b 4d 0c 3b cf 0f 85 b4 a2 00 exception.symbol: RtlAllocateHandle+0x21 RtlFreeHandle-0x21 ntdll+0x38221 exception.instruction: mov edx, dword ptr [eax] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 229921 exception.address: 0x77b18221 registers.esp: 3461564 registers.edi: 0 registers.eax: 3897568492 registers.ebp: 3461628 registers.edx: 3897568492 registers.ebx: 769 registers.esi: 1969882752 registers.ecx: 1969882768	1	0	0
__exception__ Sept. 8, 2021, 9:09 a.m.	stacktrace: GlobalAlloc+0xaf GlobalMemoryStatusEx-0x10a kernelbase+0x14056 @ 0x75674056 CreateStreamOnHGlobal+0x63 ObjectStublessClient23-0x8e1 ole32+0x2369e @ 0x768f369e _MsoFreeCvsList@4+0x3abbc _MsoFHideTaiwan@0-0x3135b mso+0x23ee76 @ 0x7027ee76 _MsoFreeCvsList@4+0x3995b _MsoFHideTaiwan@0-0x325bc mso+0x23dc15 @ 0x7027dc15 _MsoFreeCvsList@4+0x397bb _MsoFHideTaiwan@0-0x3275c mso+0x23da75 @ 0x7027da75 _MsoFreeCvsList@4+0x39773 _MsoFHideTaiwan@0-0x327a4 mso+0x23da2d @ 0x7027da2d _MsoFreeCvsList@4+0x39669 _MsoFHideTaiwan@0-0x328ae mso+0x23d923 @ 0x7027d923 _MsoFreeCvsList@4+0x395f4 _MsoFHideTaiwan@0-0x32923 mso+0x23d8ae @ 0x7027d8ae _MsoFreeCvsList@4+0x39410 _MsoFHideTaiwan@0-0x32b07 mso+0x23d6ca @ 0x7027d6ca _MsoFreeCvsList@4+0x3935a _MsoFHideTaiwan@0-0x32bbd mso+0x23d614 @ 0x7027d614 _MsoFreeCvsList@4+0x3923a _MsoFHideTaiwan@0-0x32cdd mso+0x23d4f4 @ 0x7027d4f4 _MsoFreeCvsList@4+0x391d5 _MsoFHideTaiwan@0-0x32d42 mso+0x23d48f @ 0x7027d48f _MsoFreeCvsList@4+0x44a8c _MsoFHideTaiwan@0-0x2748b mso+0x248d46 @ 0x70288d46 _MsoFreeCvsList@4+0x448c0 _MsoFHideTaiwan@0-0x27657 mso+0x248b7a @ 0x70288b7a _MsoFreeCvsList@4+0x4873b _MsoFHideTaiwan@0-0x237dc mso+0x24c9f5 @ 0x7028c9f5 _MsoPeekMessage@8+0x2a9c _MsoGetStringTypeExW@20-0x359b mso+0xb5349 @ 0x700f5349 _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x700f3f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x700f4b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x700f3a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72626e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72627d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72624667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72623169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x726213e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fc81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fc8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 10 89 11 89 38 8b 4d 0c 3b cf 0f 85 b4 a2 00 exception.symbol: RtlAllocateHandle+0x21 RtlFreeHandle-0x21 ntdll+0x38221 exception.instruction: mov edx, dword ptr [eax] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 229921 exception.address: 0x77b18221 registers.esp: 3461564 registers.edi: 0 registers.eax: 3897568492 registers.ebp: 3461628 registers.edx: 3897568492 registers.ebx: 769 registers.esi: 1969882752 registers.ecx: 1969882768	1	0	0
__exception__ Sept. 8, 2021, 9:09 a.m.	stacktrace: GlobalAlloc+0xaf GlobalMemoryStatusEx-0x10a kernelbase+0x14056 @ 0x75674056 CreateStreamOnHGlobal+0x63 ObjectStublessClient23-0x8e1 ole32+0x2369e @ 0x768f369e _MsoFreeCvsList@4+0x3abbc _MsoFHideTaiwan@0-0x3135b mso+0x23ee76 @ 0x7027ee76 _MsoFreeCvsList@4+0x3995b _MsoFHideTaiwan@0-0x325bc mso+0x23dc15 @ 0x7027dc15 _MsoFreeCvsList@4+0x397bb _MsoFHideTaiwan@0-0x3275c mso+0x23da75 @ 0x7027da75 _MsoFreeCvsList@4+0x39773 _MsoFHideTaiwan@0-0x327a4 mso+0x23da2d @ 0x7027da2d _MsoFreeCvsList@4+0x39669 _MsoFHideTaiwan@0-0x328ae mso+0x23d923 @ 0x7027d923 _MsoFreeCvsList@4+0x395f4 _MsoFHideTaiwan@0-0x32923 mso+0x23d8ae @ 0x7027d8ae _MsoFreeCvsList@4+0x39410 _MsoFHideTaiwan@0-0x32b07 mso+0x23d6ca @ 0x7027d6ca _MsoFreeCvsList@4+0x3935a _MsoFHideTaiwan@0-0x32bbd mso+0x23d614 @ 0x7027d614 _MsoFreeCvsList@4+0x3923a _MsoFHideTaiwan@0-0x32cdd mso+0x23d4f4 @ 0x7027d4f4 _MsoFreeCvsList@4+0x391d5 _MsoFHideTaiwan@0-0x32d42 mso+0x23d48f @ 0x7027d48f MsoMakeCustomItem+0x48384 _MsoHrPrepareForIMShutdown@0-0x1577e mso+0x4e63c8 @ 0x705263c8 DllGetLCID+0x64da0 wdGetApplicationObject-0x8296e0 wwlib+0x272796 @ 0x72832796 _GetAllocCounters@0+0x4e132 DllGetLCID-0x1a8afc wwlib+0x64efa @ 0x72624efa _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72624667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72623169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x726213e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fc81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fc8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x76a433ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 10 89 11 89 38 8b 4d 0c 3b cf 0f 85 b4 a2 00 exception.symbol: RtlAllocateHandle+0x21 RtlFreeHandle-0x21 ntdll+0x38221 exception.instruction: mov edx, dword ptr [eax] exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 229921 exception.address: 0x77b18221 registers.esp: 3462668 registers.edi: 0 registers.eax: 3897568492 registers.ebp: 3462732 registers.edx: 3897568492 registers.ebx: 769 registers.esi: 1969882752 registers.ecx: 1969882768	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$의 최근 정세와 우리의 안보.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 8, 2021, 9:09 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000047c filepath: C:\Users\test22\AppData\Local\Temp\~$의 최근 정세와 우리의 안보.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$의 최근 정세와 우리의 안보.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Word document hooks document open

Potentially malicious URLs were found in the process memory dump (1 event)

url	https://api.onedrive.com/v1.0/shares/u

Yara rule detected in process memory (31 events)

description	Communication using DGA	rule	Network_DGA
description	Communications use DNS	rule	Network_DNS
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Create a windows service	rule	Create_Service
description	Record Audio	rule	Sniff_Audio
description	Escalate priviledges	rule	Escalate_priviledges
description	Run a KeyLogger	rule	KeyLogger
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Steal credential	rule	local_credential_Steal
description	File Downloader	rule	Network_Downloader
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Install itself for autorun at Windows startup	rule	Persistence

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000056c	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 process_handle: 0x0000056c	1
NtProtectVirtualMemory Sept. 8, 2021, 9:09 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000b0000 process_handle: 0x0000056c	1

One or more non-whitelisted processes were created (1 event)

parent_process

winword.exe

martian_process

notepad.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2204 resumed a thread in remote process 2236
NtResumeThread Sept. 8, 2021, 9:09 a.m.	thread_handle: 0x00000568 suspend_count: 1 process_identifier: 2236	1	0	0

File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 events)

Lionic	Trojan.MSWord.Generic.4!c
Elastic	malicious (high confidence)
ALYac	Trojan.Downloader.DOC.Gen
VIPRE	LooksLike.Macro.Malware.k (v)
Arcabit	HEUR.VBA.CG.1
Symantec	W97M.Downloader
Avast	Other:Malware-gen [Trj]
Kaspersky	UDS:Trojan.MSOffice.SAgent.gen
BitDefender	VBA.Heur.ObfDldr.25.53233014.Gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
MicroWorld-eScan	VBA.Heur.ObfDldr.25.53233014.Gen
Ad-Aware	VBA.Heur.ObfDldr.25.53233014.Gen
Emsisoft	VBA.Heur.ObfDldr.25.53233014.Gen (B)
TrendMicro	HEUR_VBA.O2
McAfee-GW-Edition	BehavesLike.OLE2.Bad-VBA.ml
FireEye	VBA.Heur.ObfDldr.25.53233014.Gen
Microsoft	Trojan:Script/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	VBA.Heur.ObfDldr.25.53233014.Gen
TACHYON	Suspicious/W97M.Script.Gen
McAfee	RDN/Generic.ole
MAX	malware (ai score=89)
Zoner	Probably Heur.W97Obfuscated
SentinelOne	Static AI - Suspicious OLE
AVG	Other:Malware-gen [Trj]

북한의 최근 정세와 우리의 안보.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All