Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 21, 2022, 8 a.m.	June 21, 2022, 8:03 a.m.

Size	12.2KB
Type	Microsoft OOXML
MD5	`783f850d06c9f1286eb9b1bda0af0bce`
SHA256	`211a1f74eea68ebe7178d90f0df0446a87cdda865145c397b7a32e253086139e`
CRC32	`D6BC7F01`
ssdeep	`384:Fkv41E49wKxhpp+gX6eILI7RMobB/P/sQGwZRB98PG0S:evyE4aWfKetlV9PDXgA`
Yara	docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\Questions.docx
2136

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 21, 2022, 8 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a SLClose-0x28e osppc+0x33cf @ 0x73b833cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x73b95dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x73b83b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x73b92074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x69f885c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x70d4dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7044c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fe59076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6fdbc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6fdb2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 120451980 registers.edi: 120452144 registers.eax: 120451980 registers.ebp: 120452060 registers.edx: 0 registers.ebx: 120453196 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ June 21, 2022, 8 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a SLClose-0x28e osppc+0x33cf @ 0x73b833cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x73b95dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x73b83b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x73b93102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x69faf7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x70d4e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x70d4e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70814871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x708148ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x70004ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x703ad7ab ??0OdfStgParams@@QAE@XZ+0xf10f7 mso+0xff3ffd @ 0x70d83ffd DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7044c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fe58ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fe47292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fe46de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fe46d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fe43f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fe44b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fe43a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72376e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72377d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72374667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72373169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x723713e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fff1602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fff159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 1885128 registers.edi: 1885292 registers.eax: 1885128 registers.ebp: 1885208 registers.edx: 0 registers.ebx: 1886344 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

June 21, 2022, 8 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a
SLClose-0x28e osppc+0x33cf @ 0x73b833cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x73b95dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x73b83b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x73b92074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x69f885c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x70d4dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7044c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fe59076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6fdbc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6fdb2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 46887
exception.address: 0x75d6b727
registers.esp: 120451980
registers.edi: 120452144
registers.eax: 120451980
registers.ebp: 120452060
registers.edx: 0
registers.ebx: 120453196
registers.esi: 2147942523
registers.ecx: 2147483648

__exception__

June 21, 2022, 8 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a
SLClose-0x28e osppc+0x33cf @ 0x73b833cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x73b95dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x73b83b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x73b93102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x69faf7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x70d4e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x70d4e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70814871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x708148ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x70004ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x703ad7ab
??0OdfStgParams@@QAE@XZ+0xf10f7 mso+0xff3ffd @ 0x70d83ffd
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7044c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fe58ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fe47292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fe46de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fe46d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fe43f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fe44b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fe43a43
_GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72376e37
_GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72377d5d
_GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72374667
_GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72373169
_GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x723713e6
wdCommandDispatch-0x964 winword+0x1602 @ 0x2fff1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2fff159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x75d6b727
registers.esp: 1885128
registers.edi: 1885292
registers.eax: 1885128
registers.ebp: 1885208
registers.edx: 0
registers.ebx: 1886344
registers.esi: 3221549073
registers.ecx: 2147483648

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 21, 2022, 8 a.m.	process_identifier: 2136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a5a4000 process_handle: 0xffffffff	1	0	0

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 2136 crashed
__exception__ June 21, 2022, 8 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a SLClose-0x28e osppc+0x33cf @ 0x73b833cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x73b95dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x73b83b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x73b92074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x69f885c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x70d4dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7044c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fe59076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6fdbc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6fdb2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 120451980 registers.edi: 120452144 registers.eax: 120451980 registers.ebp: 120452060 registers.edx: 0 registers.ebx: 120453196 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ June 21, 2022, 8 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a SLClose-0x28e osppc+0x33cf @ 0x73b833cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x73b95dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x73b83b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x73b93102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x69faf7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x70d4e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x70d4e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70814871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x708148ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x70004ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x703ad7ab ??0OdfStgParams@@QAE@XZ+0xf10f7 mso+0xff3ffd @ 0x70d83ffd DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7044c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fe58ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fe47292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fe46de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fe46d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fe43f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fe44b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fe43a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72376e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72377d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72374667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72373169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x723713e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fff1602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fff159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x75d6b727 registers.esp: 1885128 registers.edi: 1885292 registers.eax: 1885128 registers.ebp: 1885208 registers.edx: 0 registers.ebx: 1886344 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Application Crash

Process WINWORD.EXE with pid 2136 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

June 21, 2022, 8 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a
SLClose-0x28e osppc+0x33cf @ 0x73b833cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x73b95dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x73b83b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x73b92074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x69f885c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x70d4dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7044c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fe59076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6fdbc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6fdb2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5

__exception__

June 21, 2022, 8 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75f7374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x75f92b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x75f6801a
SLClose-0x28e osppc+0x33cf @ 0x73b833cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x73b95dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x73b83b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x73b93102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x69faf7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x70d4e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x70d4e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70814871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x708148ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x70004ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x703ad7ab
??0OdfStgParams@@QAE@XZ+0xf10f7 mso+0xff3ffd @ 0x70d83ffd
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7044c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fe590c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fe58ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fe47292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fe4724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fdc0f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6fdbdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6fdbd991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fe46de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fe46d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fe43f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fe44b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fe43a43
_GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x72376e37
_GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x72377d5d
_GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x72374667
_GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x72373169
_GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x723713e6
wdCommandDispatch-0x964 winword+0x1602 @ 0x2fff1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2fff159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x75d6b727
registers.esp: 1885128
registers.edi: 1885292
registers.eax: 1885128
registers.ebp: 1885208
registers.edx: 0
registers.ebx: 1886344
registers.esi: 3221549073
registers.ecx: 2147483648

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$estions.docx

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile June 21, 2022, 8 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000454 filepath: C:\Users\test22\AppData\Local\Temp\~$estions.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$estions.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

Lionic	Trojan.MSOffice.Agent.3!c
MicroWorld-eScan	Trojan.GenericKD.39837084
CAT-QuickHeal	XML.CVE-2022-30190.46638
ALYac	Exploit.CVE-2022-30190
Alibaba	Exploit:Office/CVE-2022-30190.3257f471
Cyren	DOCX/CVE-2022-30190.A.aggr!Camelot
ESET-NOD32	Win32/Exploit.CVE-2022-30190.J
Kaspersky	HEUR:Exploit.MSOffice.Agent.n
BitDefender	Trojan.GenericKD.39837084
Ad-Aware	Trojan.GenericKD.39837084
McAfee-GW-Edition	Artemis!Trojan
FireEye	Trojan.GenericKD.39837084
Emsisoft	Exploit.CVE-2022-30190.Gen.1 (B)
GData	Trojan.GenericKD.39837084
Microsoft	Exploit:O97M/CVE-2022-30190.PK!MTB
AhnLab-V3	Trojan/DOC.Generic
MAX	malware (ai score=88)
Zoner	Probably Heur.W97OleLink
Fortinet	HTML/Agent.0BCE!tr

Questions.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All