Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 26, 2021, 10:42 a.m.	Oct. 26, 2021, 10:44 a.m.

Size	280.5KB
Type	CDFV2 Encrypted
MD5	`9adafeb992d82eba6e4c5d1e420a48ef`
SHA256	`13a23f2531da55410645a2a8f0da7bdd86cd656f2dbf268ec8f3204261e8cf27`
CRC32	`7F00A5FA`
ssdeep	`3072:vcO6UjaoZvFL5vOK/VOcjpHgU+vsfq7vzQlHvEjz1oV/hEt2TheYN+PoxzqIeCt/:vMWZtUKEqKU+vPQlPEjRXtGNN+PuTJvr`
Yara	Microsoft_Office_File_Zero - Microsoft Office File

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "xElOjwvE" C:\Users\test22\AppData\Local\Temp\reason.xlsx
2992
- EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
  748
explorer.exe C:\Windows\Explorer.EXE
1436
- taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
  2472

Name	Response	Post-Analysis Lookup
itisalllove.servepics.com	A 31.3.244.76	31.3.244.76
newme122.3utilities.com	A 23.105.131.228	23.105.131.228
newme1122.3utilities.com

IP Address	Status	Action
175.208.134.138	Active	Moloch
164.124.101.2	Active	Moloch
23.105.131.228	Active	Moloch
31.3.244.76	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:62008 -> 164.124.101.2:53	2028698	ET POLICY DNS Query to DynDNS Domain *.servepics .com	Potentially Bad Traffic
TCP 31.3.244.76:80 -> 192.168.56.102:49169	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
UDP 192.168.56.102:61848 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:63345 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:55103 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:51220 -> 164.124.101.2:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:56023 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:53172 -> 8.8.4.4:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:60364 -> 8.8.4.4:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:58643 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:57223 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:65483 -> 8.8.4.4:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:61567 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:54232 -> 8.8.4.4:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:51615 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:54374 -> 8.8.4.4:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:60981 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:64845 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:51775 -> 8.8.4.4:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:62172 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:57303 -> 8.8.4.4:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:56111 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:56856 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:64444 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:56907 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic
UDP 192.168.56.102:64077 -> 8.8.8.8:53	2028677	ET POLICY DNS Query to DynDNS Domain *.3utilities .com	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Oct. 26, 2021, 10:36 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 26, 2021, 10:36 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 121 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:42 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0
IsDebuggerPresent Oct. 26, 2021, 10:43 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptGenKey Oct. 26, 2021, 10:42 a.m.	crypto_handle: 0x003ac670 algorithm_identifier: 0x00006610 () flags: 1 key: f '7¥[½î`®_dÄ;âôKr^É½],@69Ï ò provider_handle: 0x003c4b18	1	1
CryptExportKey Oct. 26, 2021, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ac670 flags: 0 crypto_export_handle: 0x003ac7b0 blob_type: 1	1	1
CryptExportKey Oct. 26, 2021, 10:42 a.m.	buffer: f¤kSDØ+Áøð9b¥¶$K *$×¶Â¿¾V:>ìÝy;y\6Ôlü ôeÆÍwìýë®7Ò6#x±·>µ-ßÊta×Ê5Bø]nÁìùêÍ6ÙX¢ d5UR\|nÞ2dÔ.¿KÏ¬G³ä}¶¨L crypto_handle: 0x003ac670 flags: 0 crypto_export_handle: 0x003ac7b0 blob_type: 1	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (4 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{FDF3ECB9-B56F-43B2-A9B8-1B48B6BAE1A7}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{191301D3-A579-428C-B0C7-D7988500F9E3}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{90140000-0011-0000-0000-0000000FF1CE}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{6F327760-8C5C-417C-9B61-836A98287E0C}\DigitalProductID

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 26, 2021, 10:36 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 26, 2021, 10:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7638374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x748df725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7639414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x748dc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x747d98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74821414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74837b68 MdCallBack-0x5f79a6 excel+0x3f6187 @ 0x2f936187 MdCallBack-0x838622 excel+0x1b550b @ 0x2f6f550b MdCallBack-0x85136b excel+0x19c7c2 @ 0x2f6dc7c2 MdCallBack-0x8553c7 excel+0x198766 @ 0x2f6d8766 MdCallBack-0x8dbb84 excel+0x111fa9 @ 0x2f651fa9 MdCallBack-0x8db5c9 excel+0x112564 @ 0x2f652564 MdCallBack-0x8db82f excel+0x1122fe @ 0x2f6522fe MdCallBack-0x8db306 excel+0x112827 @ 0x2f652827 MdCallBack-0x9a51e3 excel+0x4894a @ 0x2f58894a MdCallBack-0x12bf15 excel+0x8c1c18 @ 0x2fe01c18 _LPenHelper+0x175d63 DllGetLCID-0x24ba4d excel+0xdb548c @ 0x302f548c MdCallBack-0x62e614 excel+0x3bf519 @ 0x2f8ff519 MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f563f5d MdCallBack-0x9e98e2 excel+0x424b @ 0x2f54424b MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f543f0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x770a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x770a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x74a2b727 registers.esp: 2770768 registers.edi: 1954478608 registers.eax: 2770768 registers.ebp: 2770848 registers.edx: 2130566132 registers.ebx: 4169044 registers.esi: 2147944126 registers.ecx: 2486300776	1	0	0
__exception__ Oct. 26, 2021, 10:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7638374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x748df725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7639414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x748dc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x747d98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x747db641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x747db5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x747db172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x747da66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7485a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x748377e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x748214b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74837b68 MdCallBack-0x5f79a6 excel+0x3f6187 @ 0x2f936187 MdCallBack-0x838622 excel+0x1b550b @ 0x2f6f550b MdCallBack-0x85136b excel+0x19c7c2 @ 0x2f6dc7c2 MdCallBack-0x8553c7 excel+0x198766 @ 0x2f6d8766 MdCallBack-0x8dbb84 excel+0x111fa9 @ 0x2f651fa9 MdCallBack-0x8db5c9 excel+0x112564 @ 0x2f652564 MdCallBack-0x8db82f excel+0x1122fe @ 0x2f6522fe MdCallBack-0x8db306 excel+0x112827 @ 0x2f652827 MdCallBack-0x9a51e3 excel+0x4894a @ 0x2f58894a MdCallBack-0x12bf15 excel+0x8c1c18 @ 0x2fe01c18 _LPenHelper+0x175d63 DllGetLCID-0x24ba4d excel+0xdb548c @ 0x302f548c MdCallBack-0x62e614 excel+0x3bf519 @ 0x2f8ff519 MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f563f5d MdCallBack-0x9e98e2 excel+0x424b @ 0x2f54424b MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f543f0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x770a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x770a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x74a2b727 registers.esp: 2770460 registers.edi: 1954478608 registers.eax: 2770460 registers.ebp: 2770540 registers.edx: 2130566132 registers.ebx: 4168756 registers.esi: 2147944122 registers.ecx: 2486300776	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 26, 2021, 10:42 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7638374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x748df725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7639414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x748dc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x747d98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74821414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74837b68
MdCallBack-0x5f79a6 excel+0x3f6187 @ 0x2f936187
MdCallBack-0x838622 excel+0x1b550b @ 0x2f6f550b
MdCallBack-0x85136b excel+0x19c7c2 @ 0x2f6dc7c2
MdCallBack-0x8553c7 excel+0x198766 @ 0x2f6d8766
MdCallBack-0x8dbb84 excel+0x111fa9 @ 0x2f651fa9
MdCallBack-0x8db5c9 excel+0x112564 @ 0x2f652564
MdCallBack-0x8db82f excel+0x1122fe @ 0x2f6522fe
MdCallBack-0x8db306 excel+0x112827 @ 0x2f652827
MdCallBack-0x9a51e3 excel+0x4894a @ 0x2f58894a
MdCallBack-0x12bf15 excel+0x8c1c18 @ 0x2fe01c18
_LPenHelper+0x175d63 DllGetLCID-0x24ba4d excel+0xdb548c @ 0x302f548c
MdCallBack-0x62e614 excel+0x3bf519 @ 0x2f8ff519
MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f563f5d
MdCallBack-0x9e98e2 excel+0x424b @ 0x2f54424b
MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f543f0a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x770a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x770a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x74a2b727
registers.esp: 2770768
registers.edi: 1954478608
registers.eax: 2770768
registers.ebp: 2770848
registers.edx: 2130566132
registers.ebx: 4169044
registers.esi: 2147944126
registers.ecx: 2486300776

__exception__

Oct. 26, 2021, 10:42 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7638374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x748df725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7639414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x748dc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x747d98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x747db641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x747db5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x747db172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x747da66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7485a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x748377e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x748214b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74837b68
MdCallBack-0x5f79a6 excel+0x3f6187 @ 0x2f936187
MdCallBack-0x838622 excel+0x1b550b @ 0x2f6f550b
MdCallBack-0x85136b excel+0x19c7c2 @ 0x2f6dc7c2
MdCallBack-0x8553c7 excel+0x198766 @ 0x2f6d8766
MdCallBack-0x8dbb84 excel+0x111fa9 @ 0x2f651fa9
MdCallBack-0x8db5c9 excel+0x112564 @ 0x2f652564
MdCallBack-0x8db82f excel+0x1122fe @ 0x2f6522fe
MdCallBack-0x8db306 excel+0x112827 @ 0x2f652827
MdCallBack-0x9a51e3 excel+0x4894a @ 0x2f58894a
MdCallBack-0x12bf15 excel+0x8c1c18 @ 0x2fe01c18
_LPenHelper+0x175d63 DllGetLCID-0x24ba4d excel+0xdb548c @ 0x302f548c
MdCallBack-0x62e614 excel+0x3bf519 @ 0x2f8ff519
MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f563f5d
MdCallBack-0x9e98e2 excel+0x424b @ 0x2f54424b
MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f543f0a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x770a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x770a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x74a2b727
registers.esp: 2770460
registers.edi: 1954478608
registers.eax: 2770460
registers.ebp: 2770540
registers.edx: 2130566132
registers.ebx: 4168756
registers.esi: 2147944122
registers.ecx: 2486300776

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (2 events)

domain	newme122.3utilities.com
domain	newme1122.3utilities.com

Performs some HTTP requests (1 event)

request

GET http://itisalllove.servepics.com/georgia/city/reason.exe

Allocates read-write-execute memory (usually to unpack itself) (21 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2f5c4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7183d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70ab0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76698000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x736b2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73489000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73489000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 region_size: 1966080 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04480000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x5fff0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x747a6000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x753b4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x753b3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x753b5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x753b3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b271000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:42 a.m.	process_identifier: 748 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6b0c3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:36 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefa207000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Oct. 26, 2021, 10:36 a.m.	process_identifier: 2472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef6969000 process_handle: 0xffffffffffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW Oct. 26, 2021, 10:36 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 10908778496 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1	0

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process EXCEL.EXE with pid 748 crashed
__exception__ Oct. 26, 2021, 10:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7638374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x748df725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7639414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x748dc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x747d98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74821414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74837b68 MdCallBack-0x5f79a6 excel+0x3f6187 @ 0x2f936187 MdCallBack-0x838622 excel+0x1b550b @ 0x2f6f550b MdCallBack-0x85136b excel+0x19c7c2 @ 0x2f6dc7c2 MdCallBack-0x8553c7 excel+0x198766 @ 0x2f6d8766 MdCallBack-0x8dbb84 excel+0x111fa9 @ 0x2f651fa9 MdCallBack-0x8db5c9 excel+0x112564 @ 0x2f652564 MdCallBack-0x8db82f excel+0x1122fe @ 0x2f6522fe MdCallBack-0x8db306 excel+0x112827 @ 0x2f652827 MdCallBack-0x9a51e3 excel+0x4894a @ 0x2f58894a MdCallBack-0x12bf15 excel+0x8c1c18 @ 0x2fe01c18 _LPenHelper+0x175d63 DllGetLCID-0x24ba4d excel+0xdb548c @ 0x302f548c MdCallBack-0x62e614 excel+0x3bf519 @ 0x2f8ff519 MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f563f5d MdCallBack-0x9e98e2 excel+0x424b @ 0x2f54424b MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f543f0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x770a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x770a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x74a2b727 registers.esp: 2770768 registers.edi: 1954478608 registers.eax: 2770768 registers.ebp: 2770848 registers.edx: 2130566132 registers.ebx: 4169044 registers.esi: 2147944126 registers.ecx: 2486300776	1	0	0
__exception__ Oct. 26, 2021, 10:42 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7638374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x748df725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7639414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x748dc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x747d98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x747db641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x747db5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x747db172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x747da66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7485a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x748377e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x748214b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74837b68 MdCallBack-0x5f79a6 excel+0x3f6187 @ 0x2f936187 MdCallBack-0x838622 excel+0x1b550b @ 0x2f6f550b MdCallBack-0x85136b excel+0x19c7c2 @ 0x2f6dc7c2 MdCallBack-0x8553c7 excel+0x198766 @ 0x2f6d8766 MdCallBack-0x8dbb84 excel+0x111fa9 @ 0x2f651fa9 MdCallBack-0x8db5c9 excel+0x112564 @ 0x2f652564 MdCallBack-0x8db82f excel+0x1122fe @ 0x2f6522fe MdCallBack-0x8db306 excel+0x112827 @ 0x2f652827 MdCallBack-0x9a51e3 excel+0x4894a @ 0x2f58894a MdCallBack-0x12bf15 excel+0x8c1c18 @ 0x2fe01c18 _LPenHelper+0x175d63 DllGetLCID-0x24ba4d excel+0xdb548c @ 0x302f548c MdCallBack-0x62e614 excel+0x3bf519 @ 0x2f8ff519 MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f563f5d MdCallBack-0x9e98e2 excel+0x424b @ 0x2f54424b MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f543f0a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x770a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x770a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x74a2b727 registers.esp: 2770460 registers.edi: 1954478608 registers.eax: 2770460 registers.ebp: 2770540 registers.edx: 2130566132 registers.ebx: 4168756 registers.esi: 2147944122 registers.ecx: 2486300776	1	0	0

Application Crash

Process EXCEL.EXE with pid 748 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 26, 2021, 10:42 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7638374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x748df725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7639414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x748dc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x747d98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x74821414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74837b68
MdCallBack-0x5f79a6 excel+0x3f6187 @ 0x2f936187
MdCallBack-0x838622 excel+0x1b550b @ 0x2f6f550b
MdCallBack-0x85136b excel+0x19c7c2 @ 0x2f6dc7c2
MdCallBack-0x8553c7 excel+0x198766 @ 0x2f6d8766
MdCallBack-0x8dbb84 excel+0x111fa9 @ 0x2f651fa9
MdCallBack-0x8db5c9 excel+0x112564 @ 0x2f652564
MdCallBack-0x8db82f excel+0x1122fe @ 0x2f6522fe
MdCallBack-0x8db306 excel+0x112827 @ 0x2f652827
MdCallBack-0x9a51e3 excel+0x4894a @ 0x2f58894a
MdCallBack-0x12bf15 excel+0x8c1c18 @ 0x2fe01c18
_LPenHelper+0x175d63 DllGetLCID-0x24ba4d excel+0xdb548c @ 0x302f548c
MdCallBack-0x62e614 excel+0x3bf519 @ 0x2f8ff519
MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f563f5d
MdCallBack-0x9e98e2 excel+0x424b @ 0x2f54424b
MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f543f0a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x770a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x770a9ea5

__exception__

Oct. 26, 2021, 10:42 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x7638374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x748df725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x7639414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x748dc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x747d98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x747db641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x747db5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x747db172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x747da66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x7485a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x748377e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x748214b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x74837b68
MdCallBack-0x5f79a6 excel+0x3f6187 @ 0x2f936187
MdCallBack-0x838622 excel+0x1b550b @ 0x2f6f550b
MdCallBack-0x85136b excel+0x19c7c2 @ 0x2f6dc7c2
MdCallBack-0x8553c7 excel+0x198766 @ 0x2f6d8766
MdCallBack-0x8dbb84 excel+0x111fa9 @ 0x2f651fa9
MdCallBack-0x8db5c9 excel+0x112564 @ 0x2f652564
MdCallBack-0x8db82f excel+0x1122fe @ 0x2f6522fe
MdCallBack-0x8db306 excel+0x112827 @ 0x2f652827
MdCallBack-0x9a51e3 excel+0x4894a @ 0x2f58894a
MdCallBack-0x12bf15 excel+0x8c1c18 @ 0x2fe01c18
_LPenHelper+0x175d63 DllGetLCID-0x24ba4d excel+0xdb548c @ 0x302f548c
MdCallBack-0x62e614 excel+0x3bf519 @ 0x2f8ff519
MdCallBack-0x9c9bd0 excel+0x23f5d @ 0x2f563f5d
MdCallBack-0x9e98e2 excel+0x424b @ 0x2f54424b
MdCallBack-0x9e9c23 excel+0x3f0a @ 0x2f543f0a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x766933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x770a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x770a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x74a2b727
registers.esp: 2770460
registers.edi: 1954478608
registers.eax: 2770460
registers.ebp: 2770540
registers.edx: 2130566132
registers.ebx: 4168756
registers.esi: 2147944122
registers.ecx: 2486300776

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$reason.xlsx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Oct. 26, 2021, 10:42 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000468 filepath: C:\Users\test22\AppData\Local\Temp\~$reason.xlsx desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$reason.xlsx create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 26, 2021, 10:36 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 26, 2021, 10:36 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 26, 2021, 10:36 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 26, 2021, 10:36 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 26, 2021, 10:36 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 26, 2021, 10:36 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 26, 2021, 10:36 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 26, 2021, 10:36 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (23 events)

description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	Escalate priviledges	rule	Escalate_priviledges
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

175.208.134.138

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1436 resumed a thread in remote process 2472
NtResumeThread Oct. 26, 2021, 10:36 a.m.	thread_handle: 0x0000000000000b80 suspend_count: 1 process_identifier: 2472	1	0	0

Created a process named as a common system process (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Oct. 26, 2021, 10:36 a.m.	thread_identifier: 2428 thread_handle: 0x0000000000000b80 process_identifier: 2472 current_directory: C:\Windows\system32 filepath: C:\Windows\System32\taskmgr.exe track: 1 command_line: "C:\Windows\system32\taskmgr.exe" /4 filepath_r: C:\Windows\system32\taskmgr.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000000000000b74	1	1	0
ShellExecuteExW Oct. 26, 2021, 10:36 a.m.	show_type: 1 filepath_r: C:\Windows\system32\taskmgr.exe parameters: /4 filepath: C:\Windows\System32\taskmgr.exe	1	1	0

The process excel.exe wrote an executable file to disk (1 event)

file	c:\Windows\installer\{90140000-0011-0000-0000-0000000ff1ce}\xlicons.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (10 events)

dead_host	192.168.56.102:49196
dead_host	192.168.56.102:49176
dead_host	192.168.56.102:49191
dead_host	23.105.131.228:8822
dead_host	192.168.56.102:49194
dead_host	192.168.56.102:49201
dead_host	192.168.56.102:49181
dead_host	192.168.56.102:49192
dead_host	192.168.56.102:49175
dead_host	192.168.56.102:49207

reason.xlsx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All