popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

jjjj%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23kk.doc

Formbook MS_RTF_Obfuscation_Objects RTF File doc
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us May 18, 2023, 9:32 a.m. May 18, 2023, 9:55 a.m.
Size 23.0KB
Type Rich Text Format data, version 1, unknown character set
MD5 f2af555f26393f34180a3845e92ba1cb
SHA256 ec2a06a3c292999bd6f1d97140328bcd8ea5793aa54e4138021d260f402ff2b4
CRC32 68EB44CB
ssdeep 384:QX+jVQUSBva/4Gy2ORCoaTRYEGXj59gWIq41kE8xMFK9GyOVLxMS/B94O063z82Q:CkFFqfSuFT59gWIq41kE8xMFK3OVLuEa
Yara
  • Rich_Text_Format_Zero - Rich Text Format Signature Zero
  • SUSP_INDICATOR_RTF_MalVer_Objects - Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49162 -> 195.201.147.116:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.103:49162 -> 195.201.147.116:80 2035207 ET MALWARE MSIL/GenKryptik.FQRH Download Request A Network Trojan was detected
TCP 192.168.56.103:49162 -> 195.201.147.116:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 67.223.117.160:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 67.223.117.160:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 195.201.147.116:80 -> 192.168.56.103:49162 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 195.201.147.116:80 -> 192.168.56.103:49162 2014819 ET INFO Packed Executable Download Misc activity
TCP 192.168.56.103:49171 -> 54.196.16.164:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 195.201.147.116:80 -> 192.168.56.103:49162 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 195.201.147.116:80 -> 192.168.56.103:49162 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 195.201.147.116:80 -> 192.168.56.103:49162 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 164.124.101.2:53 2027867 ET INFO Observed DNS Query to .life TLD Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 67.223.117.160:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 185.27.134.115:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 154.94.121.119:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 67.223.117.160:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 104.21.34.8:80 2032991 ET INFO HTTP Request to a *.buzz domain Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 67.223.117.160:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 104.21.34.8:80 2032991 ET INFO HTTP Request to a *.buzz domain Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 104.21.34.8:80 2032991 ET INFO HTTP Request to a *.buzz domain Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 104.21.34.8:80 2032991 ET INFO HTTP Request to a *.buzz domain Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 104.21.34.8:80 2032991 ET INFO HTTP Request to a *.buzz domain Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 104.21.34.8:80 2032991 ET INFO HTTP Request to a *.buzz domain Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 104.21.34.8:80 2032991 ET INFO HTTP Request to a *.buzz domain Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 104.21.34.8:80 2032991 ET INFO HTTP Request to a *.buzz domain Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 104.21.34.8:80 2032991 ET INFO HTTP Request to a *.buzz domain Potentially Bad Traffic
TCP 192.168.56.103:49186 -> 208.113.186.56:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49189 -> 104.21.34.8:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 54.196.16.164:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 208.113.186.56:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 54.196.16.164:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 208.113.186.56:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 54.196.16.164:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 208.113.186.56:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 45.130.230.191:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 45.130.230.191:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 45.130.230.191:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49194 -> 137.220.225.73:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 104.21.34.8:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49194 -> 137.220.225.73:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 104.21.34.8:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49194 -> 137.220.225.73:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 104.21.34.8:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49192 -> 137.220.225.73:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 104.21.34.8:80 2032991 ET INFO HTTP Request to a *.buzz domain Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 154.94.121.119:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 154.94.121.119:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 154.94.121.119:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 5.157.87.204:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 5.157.87.204:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49169 -> 5.157.87.204:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 185.27.134.115:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 185.27.134.115:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 185.27.134.115:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 67.223.117.160:80 2031412 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 67.223.117.160:80 2031449 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 67.223.117.160:80 2031453 ET MALWARE FormBook CnC Checkin (GET) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 67.223.117.160:80 2027876 ET INFO HTTP Request to Suspicious *.life Domain Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 45.130.230.191:80 2031413 ET MALWARE FormBook CnC Checkin (POST) M2 Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75bb1414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0xf015c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xf01558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 3981724
registers.edi: 1974991376
registers.eax: 3981724
registers.ebp: 3981804
registers.edx: 0
registers.ebx: 77925604
registers.esi: 2147944126
registers.ecx: 47420073
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75bea68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75bc77e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75bb14b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0xf015c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xf01558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 3981416
registers.edi: 1974991376
registers.eax: 3981416
registers.ebp: 3981496
registers.edx: 0
registers.ebx: 77979748
registers.esi: 2147944122
registers.ecx: 47420073
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a
SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6a8aa648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456
0x2c1ddf
_MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b
DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca
DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c
DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117
DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2
DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5
wdCommandDispatch-0x370 winword+0x15c4 @ 0xf015c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xf01558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 4051256
registers.edi: 4051420
registers.eax: 4051256
registers.ebp: 4051336
registers.edx: 0
registers.ebx: 4052472
registers.esi: 3221549073
registers.ecx: 2147483648
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://195.201.147.116/433/vbc.exe
suspicious_features GET method with no useragent header suspicious_request GET http://www.smartinnoventions.com/f619/?O7pS=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&CP-m=8c92fQNKIzrCDRX
suspicious_features GET method with no useragent header suspicious_request GET http://www.intake-tree.com/f619/?O7pS=YCaZye8ndW5O5ejCJ7uN2558Y+97WERyr3klZ+XCKIlwv4gr+zruhmNXWBgIbED6mtP3DBYvR0gpojWOjcOh+ihVnCiMcphzPiGO29A=&CP-m=8c92fQNKIzrCDRX
suspicious_features GET method with no useragent header suspicious_request GET http://www.towfire.life/f619/?O7pS=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&CP-m=8c92fQNKIzrCDRX
suspicious_features GET method with no useragent header suspicious_request GET http://www.gospelfy.online/f619/?O7pS=mqENKO6x6u0B1RhcdIeKlgDLrDi38FKwdcw4276gfXsD1t5r0KVruS6mnpdZvtzm+Q0xGOUHk2EA1TA3TL1CSm4H2R6TK8LtJrZ83YI=&CP-m=8c92fQNKIzrCDRX
suspicious_features GET method with no useragent header suspicious_request GET http://www.queenkidul.com/f619/?O7pS=flPn1CpczsmcmsloYAj+WZ9tyIXCLn2BUp15WA9gR+pRAl39PMpr22E4uA5K3fGksCy6GKGUT/KR36S7pADHdFopIcR3oqkCWwUH3Bw=&CP-m=8c92fQNKIzrCDRX
suspicious_features GET method with no useragent header suspicious_request GET http://www.sockmomma.com/f619/?O7pS=2xrbRaVqfFZAqlIaVxxROj1er0vApHth0WR1aJHeUhlKoHhTuPzXEzX44r40ys20rE4Ka7hzk9c+zV+d/czmBtVLQF0HWkNVVexiFz0=&CP-m=8c92fQNKIzrCDRX
suspicious_features GET method with no useragent header suspicious_request GET http://www.stephenwang.photography/f619/?O7pS=u5f4p4qz7o/fTtDm3nSz6hiFO4aCCN2AsW/usgJw6zJdWxar6/CI5CJVoaMo1PtwYoo0+7BD2Z2qbjCMw+JlDyQ8u/oV4aU03sHkcSA=&CP-m=8c92fQNKIzrCDRX
suspicious_features GET method with no useragent header suspicious_request GET http://www.skillfulp10.buzz/f619/?O7pS=35x6vbxblib5MVXL66MiYOFyCwyiW+WpCMCOaRW/LabtpXpMR316Gm+YR9yWJR7EH7/o0i+7abS9fGbf51xT5oPd3YLLmnWOCyaGRj8=&CP-m=8c92fQNKIzrCDRX
suspicious_features GET method with no useragent header suspicious_request GET http://www.28588v.com/f619/?O7pS=G3I5ds8dOpaKd+DH1ake2pRuUN+UMAJZaHOz+8NtztMbt4Q0fuIWaSpOJ5XO92YffYK2mOkzi8XK+GtmVritvfJB+FClpV7RO2AgtZU=&CP-m=8c92fQNKIzrCDRX
request GET http://195.201.147.116/433/vbc.exe
request POST http://www.smartinnoventions.com/f619/
request GET http://www.smartinnoventions.com/f619/?O7pS=Ek2xhbXtY1qXzB2JvbkcFvKbSmJm4K+Uyb5xsLYZ3zgsIlX7EFjcw6TuiLcQZ5KUivhxYJn0P8EizsHxKHQ+wy4OSt0bovGghjBDZDE=&CP-m=8c92fQNKIzrCDRX
request GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
request POST http://www.intake-tree.com/f619/
request GET http://www.intake-tree.com/f619/?O7pS=YCaZye8ndW5O5ejCJ7uN2558Y+97WERyr3klZ+XCKIlwv4gr+zruhmNXWBgIbED6mtP3DBYvR0gpojWOjcOh+ihVnCiMcphzPiGO29A=&CP-m=8c92fQNKIzrCDRX
request POST http://www.towfire.life/f619/
request GET http://www.towfire.life/f619/?O7pS=Ehbg4LlyVMHP0pAFmIQxhDDkp6Kxs477sF6nDv0EaT5K8/1GH5wf1bgzqSKTUaDZXTnW9d28cNYQDMZcc5x0F8aQqyCdRYlsL10lLoU=&CP-m=8c92fQNKIzrCDRX
request POST http://www.gospelfy.online/f619/
request GET http://www.gospelfy.online/f619/?O7pS=mqENKO6x6u0B1RhcdIeKlgDLrDi38FKwdcw4276gfXsD1t5r0KVruS6mnpdZvtzm+Q0xGOUHk2EA1TA3TL1CSm4H2R6TK8LtJrZ83YI=&CP-m=8c92fQNKIzrCDRX
request POST http://www.queenkidul.com/f619/
request GET http://www.queenkidul.com/f619/?O7pS=flPn1CpczsmcmsloYAj+WZ9tyIXCLn2BUp15WA9gR+pRAl39PMpr22E4uA5K3fGksCy6GKGUT/KR36S7pADHdFopIcR3oqkCWwUH3Bw=&CP-m=8c92fQNKIzrCDRX
request POST http://www.sockmomma.com/f619/
request GET http://www.sockmomma.com/f619/?O7pS=2xrbRaVqfFZAqlIaVxxROj1er0vApHth0WR1aJHeUhlKoHhTuPzXEzX44r40ys20rE4Ka7hzk9c+zV+d/czmBtVLQF0HWkNVVexiFz0=&CP-m=8c92fQNKIzrCDRX
request POST http://www.stephenwang.photography/f619/
request GET http://www.stephenwang.photography/f619/?O7pS=u5f4p4qz7o/fTtDm3nSz6hiFO4aCCN2AsW/usgJw6zJdWxar6/CI5CJVoaMo1PtwYoo0+7BD2Z2qbjCMw+JlDyQ8u/oV4aU03sHkcSA=&CP-m=8c92fQNKIzrCDRX
request POST http://www.skillfulp10.buzz/f619/
request GET http://www.skillfulp10.buzz/f619/?O7pS=35x6vbxblib5MVXL66MiYOFyCwyiW+WpCMCOaRW/LabtpXpMR316Gm+YR9yWJR7EH7/o0i+7abS9fGbf51xT5oPd3YLLmnWOCyaGRj8=&CP-m=8c92fQNKIzrCDRX
request POST http://www.28588v.com/f619/
request GET http://www.28588v.com/f619/?O7pS=G3I5ds8dOpaKd+DH1ake2pRuUN+UMAJZaHOz+8NtztMbt4Q0fuIWaSpOJ5XO92YffYK2mOkzi8XK+GtmVritvfJB+FClpV7RO2AgtZU=&CP-m=8c92fQNKIzrCDRX
request POST http://www.smartinnoventions.com/f619/
request POST http://www.intake-tree.com/f619/
request POST http://www.towfire.life/f619/
request POST http://www.gospelfy.online/f619/
request POST http://www.queenkidul.com/f619/
request POST http://www.sockmomma.com/f619/
request POST http://www.stephenwang.photography/f619/
request POST http://www.skillfulp10.buzz/f619/
request POST http://www.28588v.com/f619/
Application Crash Process WINWORD.EXE with pid 1984 crashed
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75bb1414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0xf015c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xf01558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 3981724
registers.edi: 1974991376
registers.eax: 3981724
registers.ebp: 3981804
registers.edx: 0
registers.ebx: 77925604
registers.esi: 2147944126
registers.ecx: 47420073
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75bea68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75bc77e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75bb14b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0xf015c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xf01558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 3981416
registers.edi: 1974991376
registers.eax: 3981416
registers.ebp: 3981496
registers.edx: 0
registers.ebx: 77979748
registers.esi: 2147944122
registers.ecx: 47420073
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a
SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6a8aa648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456
0x2c1ddf
_MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b
DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca
DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c
DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117
DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2
DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5
wdCommandDispatch-0x370 winword+0x15c4 @ 0xf015c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xf01558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 4051256
registers.edi: 4051420
registers.eax: 4051256
registers.ebp: 4051336
registers.edx: 0
registers.ebx: 4052472
registers.esi: 3221549073
registers.ecx: 2147483648
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$jj#############################kk.doc
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000490
filepath: C:\Users\test22\AppData\Local\Temp\~$jj#############################kk.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$jj#############################kk.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 1984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef81000
process_handle: 0xffffffff
1 0 0
filetype_details Rich Text Format data, version 1, unknown character set filename jjjj%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23%23kk.doc
host 195.201.147.116