Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 14, 2021, 9:27 a.m.	Sept. 14, 2021, 9:29 a.m.

Size	10.1KB
Type	Microsoft Word 2007+
MD5	`5eb18f6228962f4303e189cd382446f4`
SHA256	`36bfa175b032a9938e9e8f1e2fd3847f8a1a3c1e7793c5471e4a60dc45bd5e7b`
CRC32	`20BA5F02`
ssdeep	`192:ScIMmtPi95kG/bGv7m7sOLAf0krFnuTE3Iz5b:SPXIBGv7jOLKlrFnuIwb`
Yara	docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\RVSD PO 2021090120.docx"
1336

Name	Response	Post-Analysis Lookup
checkvim.com	A 164.132.216.38	164.132.216.38
cml.lol	CNAME waws-prod-db3-107.vip.azurewebsites.windows.net A 52.138.218.121 CNAME camilyoshorturlwebapp.azurewebsites.net CNAME waws-prod-db3-107.cloudapp.net	52.138.218.121

IP Address	Status	Action
103.155.80.150	Active	Moloch
164.124.101.2	Active	Moloch
164.132.216.38	Active	Moloch
52.138.218.121	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49179 -> 164.132.216.38:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 103.155.80.150:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 164.132.216.38:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 103.155.80.150:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 103.155.80.150:80 -> 192.168.56.103:49173	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 164.132.216.38:80	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 164.132.216.38:80	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	Malware Command and Control Activity Detected
TCP 103.155.80.150:80 -> 192.168.56.103:49173	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 103.155.80.150:80 -> 192.168.56.103:49173	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 103.155.80.150:80 -> 192.168.56.103:49173	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 164.132.216.38:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 164.132.216.38:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 164.132.216.38:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.103:49177 -> 164.132.216.38:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 164.132.216.38:80	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 164.132.216.38:80	2025381	ET MALWARE LokiBot Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 164.132.216.38:80	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	A Network Trojan was detected
TCP 192.168.56.103:49178 -> 164.132.216.38:80	2024317	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2	A Network Trojan was detected
TCP 103.155.80.150:80 -> 192.168.56.103:49172	2026863	ET INFO Possible RTF File With Obfuscated Version Header	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 14, 2021, 9:27 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x76201414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68 wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510 DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760 DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219 DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295 DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0 DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878 DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818 wdCommandDispatch+0x1716a8 wdGetApplicationObject-0x195c23 wwlib+0xb18b64 @ 0x72888b64 wdCommandDispatch+0x2383b1 wdGetApplicationObject-0xcef1a wwlib+0xbdf86d @ 0x7294f86d DllGetLCID+0x1bdd3b ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x38d455 wwlib+0x410031 @ 0x72180031 DllGetLCID+0xa2959 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8837 wwlib+0x2f4c4f @ 0x72064c4f DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818 ?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677 DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88 DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365 DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03 wdCommandDispatch-0x370 winword+0x15c4 @ 0x2315c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x231558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x7677b727 registers.esp: 5340336 registers.edi: 1981610512 registers.eax: 5340336 registers.ebp: 5340416 registers.edx: 0 registers.ebx: 78537948 registers.esi: 2147944126 registers.ecx: 1944599809	1	0	0
__exception__ Sept. 14, 2021, 9:27 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7623a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x762177e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x762014b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68 wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510 DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760 DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219 DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295 DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0 DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878 DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818 wdCommandDispatch+0x1716a8 wdGetApplicationObject-0x195c23 wwlib+0xb18b64 @ 0x72888b64 wdCommandDispatch+0x2383b1 wdGetApplicationObject-0xcef1a wwlib+0xbdf86d @ 0x7294f86d DllGetLCID+0x1bdd3b ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x38d455 wwlib+0x410031 @ 0x72180031 DllGetLCID+0xa2959 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8837 wwlib+0x2f4c4f @ 0x72064c4f DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818 ?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677 DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88 DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365 DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03 wdCommandDispatch-0x370 winword+0x15c4 @ 0x2315c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x231558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x7677b727 registers.esp: 5340028 registers.edi: 1981610512 registers.eax: 5340028 registers.ebp: 5340108 registers.edx: 0 registers.ebx: 78537660 registers.esi: 2147944122 registers.ecx: 1944599809	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 14, 2021, 9:27 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x76201414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
wdCommandDispatch+0x1716a8 wdGetApplicationObject-0x195c23 wwlib+0xb18b64 @ 0x72888b64
wdCommandDispatch+0x2383b1 wdGetApplicationObject-0xcef1a wwlib+0xbdf86d @ 0x7294f86d
DllGetLCID+0x1bdd3b ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x38d455 wwlib+0x410031 @ 0x72180031
DllGetLCID+0xa2959 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8837 wwlib+0x2f4c4f @ 0x72064c4f
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0x2315c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0x231558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 5340336
registers.edi: 1981610512
registers.eax: 5340336
registers.ebp: 5340416
registers.edx: 0
registers.ebx: 78537948
registers.esi: 2147944126
registers.ecx: 1944599809

__exception__

Sept. 14, 2021, 9:27 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7623a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x762177e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x762014b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
wdCommandDispatch+0x1716a8 wdGetApplicationObject-0x195c23 wwlib+0xb18b64 @ 0x72888b64
wdCommandDispatch+0x2383b1 wdGetApplicationObject-0xcef1a wwlib+0xbdf86d @ 0x7294f86d
DllGetLCID+0x1bdd3b ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x38d455 wwlib+0x410031 @ 0x72180031
DllGetLCID+0xa2959 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8837 wwlib+0x2f4c4f @ 0x72064c4f
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0x2315c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0x231558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 5340028
registers.edi: 1981610512
registers.eax: 5340028
registers.ebp: 5340108
registers.edx: 0
registers.ebx: 78537660
registers.esi: 2147944122
registers.ecx: 1944599809

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://103.155.80.150/receipt/recp_21000989.wbk
suspicious_features	Connection to IP address	suspicious_request	GET http://103.155.80.150/receipt/recp_21000989.wbk
suspicious_features	Connection to IP address	suspicious_request	GET http://103.155.80.150/ssl/vbc.exe
suspicious_features	POST method with no referer header, HTTP version 1.0 used	suspicious_request	POST http://checkvim.com/fd4/fre.php

Performs some HTTP requests (7 events)

request	OPTIONS http://cml.lol/
request	HEAD http://cml.lol/0a6wdc
request	HEAD http://103.155.80.150/receipt/recp_21000989.wbk
request	GET http://cml.lol/0a6wdc
request	GET http://103.155.80.150/receipt/recp_21000989.wbk
request	GET http://103.155.80.150/ssl/vbc.exe
request	POST http://checkvim.com/fd4/fre.php

Sends data using the HTTP POST Method (1 event)

request

POST http://checkvim.com/fd4/fre.php

Allocates read-write-execute memory (usually to unpack itself) (5 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 14, 2021, 9:27 a.m.	process_identifier: 1336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a216000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:27 a.m.	process_identifier: 1336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a114000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:27 a.m.	process_identifier: 1336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a0d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:27 a.m.	process_identifier: 1336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a042000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 14, 2021, 9:27 a.m.	process_identifier: 1336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69cd1000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 1336 crashed
__exception__ Sept. 14, 2021, 9:27 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x76201414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68 wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510 DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760 DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219 DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295 DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0 DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878 DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818 wdCommandDispatch+0x1716a8 wdGetApplicationObject-0x195c23 wwlib+0xb18b64 @ 0x72888b64 wdCommandDispatch+0x2383b1 wdGetApplicationObject-0xcef1a wwlib+0xbdf86d @ 0x7294f86d DllGetLCID+0x1bdd3b ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x38d455 wwlib+0x410031 @ 0x72180031 DllGetLCID+0xa2959 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8837 wwlib+0x2f4c4f @ 0x72064c4f DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818 ?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677 DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88 DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365 DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03 wdCommandDispatch-0x370 winword+0x15c4 @ 0x2315c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x231558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x7677b727 registers.esp: 5340336 registers.edi: 1981610512 registers.eax: 5340336 registers.ebp: 5340416 registers.edx: 0 registers.ebx: 78537948 registers.esi: 2147944126 registers.ecx: 1944599809	1	0	0
__exception__ Sept. 14, 2021, 9:27 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7623a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x762177e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x762014b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68 wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510 DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760 DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219 DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295 DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0 DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878 DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818 wdCommandDispatch+0x1716a8 wdGetApplicationObject-0x195c23 wwlib+0xb18b64 @ 0x72888b64 wdCommandDispatch+0x2383b1 wdGetApplicationObject-0xcef1a wwlib+0xbdf86d @ 0x7294f86d DllGetLCID+0x1bdd3b ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x38d455 wwlib+0x410031 @ 0x72180031 DllGetLCID+0xa2959 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8837 wwlib+0x2f4c4f @ 0x72064c4f DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818 ?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677 DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88 DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365 DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03 wdCommandDispatch-0x370 winword+0x15c4 @ 0x2315c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x231558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x7677b727 registers.esp: 5340028 registers.edi: 1981610512 registers.eax: 5340028 registers.ebp: 5340108 registers.edx: 0 registers.ebx: 78537660 registers.esi: 2147944122 registers.ecx: 1944599809	1	0	0

Application Crash

Process WINWORD.EXE with pid 1336 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Sept. 14, 2021, 9:27 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x76201414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
wdCommandDispatch+0x1716a8 wdGetApplicationObject-0x195c23 wwlib+0xb18b64 @ 0x72888b64
wdCommandDispatch+0x2383b1 wdGetApplicationObject-0xcef1a wwlib+0xbdf86d @ 0x7294f86d
DllGetLCID+0x1bdd3b ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x38d455 wwlib+0x410031 @ 0x72180031
DllGetLCID+0xa2959 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8837 wwlib+0x2f4c4f @ 0x72064c4f
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0x2315c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0x231558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

__exception__

Sept. 14, 2021, 9:27 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x762bc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x761b98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x761bb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x761bb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x761bb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x761ba66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7623a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x762177e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x762014b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x76217b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72b0c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7241af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72416760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72402219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x724008bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x723fe295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x723fd7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x71fa8a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x71da4878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x7206492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
wdCommandDispatch+0x1716a8 wdGetApplicationObject-0x195c23 wwlib+0xb18b64 @ 0x72888b64
wdCommandDispatch+0x2383b1 wdGetApplicationObject-0xcef1a wwlib+0xbdf86d @ 0x7294f86d
DllGetLCID+0x1bdd3b ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x38d455 wwlib+0x410031 @ 0x72180031
DllGetLCID+0xa2959 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8837 wwlib+0x2f4c4f @ 0x72064c4f
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x72056818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72608677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x722e8b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x72139365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x71d77ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x71d74a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0x2315c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0x231558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7677b727
registers.esp: 5340028
registers.edi: 1981610512
registers.eax: 5340028
registers.ebp: 5340108
registers.edx: 0
registers.ebx: 78537660
registers.esi: 2147944122
registers.ecx: 1944599809

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$SD PO 2021090120.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 14, 2021, 9:27 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000488 filepath: C:\Users\test22\AppData\Local\Temp\~$SD PO 2021090120.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$SD PO 2021090120.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 14, 2021, 9:27 a.m.	process_identifier: 1336 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef50000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

103.155.80.150

File has been identified by 15 AntiVirus engines on VirusTotal as malicious (15 events)

Lionic	Trojan.MSWord.Generic.4!c
Arcabit	Trojan.Groooboor.Gen.31
ESET-NOD32	DOC/TrojanDownloader.Agent.AWB
BitDefender	Trojan.Groooboor.Gen.31
NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
MicroWorld-eScan	Trojan.Groooboor.Gen.31
DrWeb	W97M.DownLoader.2692
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.Groooboor.Gen.31
Emsisoft	Trojan.Groooboor.Gen.31 (B)
Ikarus	Win32.SuspectCrc
GData	Trojan.Groooboor.Gen.31
Microsoft	Exploit:O97M/CVE-2017-0199.BKMS!MTB
Zoner	Probably Heur.W97OleLink
Fortinet	MSOffice/Agent.BD77!tr.dldr

RVSD PO 2021090120.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All