Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 25, 2023, 6:45 p.m.	July 25, 2023, 6:48 p.m.

Size	45.9KB
Type	Rich Text Format data, version 1, unknown character set
MD5	`31332915ea2a23d649e1ccb1c15c6a1c`
SHA256	`c69955cc5536c486d1e243b7d4f4e365ba043f72dcab8d202645a566615dbe75`
CRC32	`8927384D`
ssdeep	`768:7Fx0XaIsnPRIa4fwJMh4x622Ie432Mw8UOWOb4btSw3oY3Hv2wJc22:7f0Xvx3EMex32i32/OWxbtSwvHv2wJl2`
Yara	Rich_Text_Format_Zero - Rich Text Format Signature Zero SUSP_INDICATOR_RTF_MalVer_Objects - Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\lawzx.doc
3008

Name	Response	Post-Analysis Lookup
us2.smtp.mailhostbox.com	A 208.91.199.224 A 208.91.198.143 A 208.91.199.225 A 208.91.199.223	208.91.199.224

IP Address	Status	Action
164.124.101.2	Active	Moloch
208.91.199.225	Active	Moloch
87.121.221.212	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49162 -> 87.121.221.212:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 87.121.221.212:80 -> 192.168.56.102:49162	2022050	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1	A Network Trojan was detected
TCP 87.121.221.212:80 -> 192.168.56.102:49162	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 87.121.221.212:80 -> 192.168.56.102:49162	2022051	ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2	A Network Trojan was detected
TCP 87.121.221.212:80 -> 192.168.56.102:49162	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 208.91.199.225:587 -> 192.168.56.102:49169	2260002	SURICATA Applayer Detect protocol only one direction	Generic Protocol Command Decode
TCP 192.168.56.102:49169 -> 208.91.199.225:587	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49169 208.91.199.225:587	C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA	CN=us2.smtp.mailhostbox.com	79:bb:04:15:02:ff:78:37:34:29:1e:fc:fa:e0:81:f1:1b:89:2b:c9

One or more processes crashed (4 events)

Time & API	Arguments	Status
__exception__ July 25, 2023, 6:35 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75b01414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2fb81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fb8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 3396300 registers.edi: 1974270480 registers.eax: 3396300 registers.ebp: 3396380 registers.edx: 0 registers.ebx: 4290100 registers.esi: 2147944126 registers.ecx: 1764496550	1
__exception__ July 25, 2023, 6:35 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75abb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75abb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75abb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75aba66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75b3a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75b177e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75b014b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2fb81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fb8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 3395992 registers.edi: 1974270480 registers.eax: 3395992 registers.ebp: 3396072 registers.edx: 0 registers.ebx: 4289596 registers.esi: 2147944122 registers.ecx: 1764496550	1
__exception__ July 25, 2023, 6:35 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6ab22074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x662a85c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 108262684 registers.edi: 108262848 registers.eax: 108262684 registers.ebp: 108262764 registers.edx: 0 registers.ebx: 108263900 registers.esi: 2147942523 registers.ecx: 2147483648	1
__exception__ July 25, 2023, 6:35 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6ab23102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x662cf7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab ??0OdfStgParams@@QAE@XZ+0xf19cd mso+0xff48d3 @ 0x709c48d3 DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fb81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fb8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 3458940 registers.edi: 3459104 registers.eax: 3458940 registers.ebp: 3459020 registers.edx: 0 registers.ebx: 3460156 registers.esi: 3221549073 registers.ecx: 2147483648	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://87.121.221.212/lawzx.exe

Performs some HTTP requests (1 event)

request

GET http://87.121.221.212/lawzx.exe

An application raised an exception which may be indicative of an exploit crash (5 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 3008 crashed
__exception__ July 25, 2023, 6:35 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75b01414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2fb81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fb8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 3396300 registers.edi: 1974270480 registers.eax: 3396300 registers.ebp: 3396380 registers.edx: 0 registers.ebx: 4290100 registers.esi: 2147944126 registers.ecx: 1764496550	1	0	0
__exception__ July 25, 2023, 6:35 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75abb641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75abb5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75abb172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75aba66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75b3a68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75b177e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75b014b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68 wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5 DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8 DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27 DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436 _GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee _GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5 DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43 DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73 DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17 DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6 FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c wdCommandDispatch-0x964 winword+0x1602 @ 0x2fb81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fb8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 3395992 registers.edi: 1974270480 registers.eax: 3395992 registers.ebp: 3396072 registers.edx: 0 registers.ebx: 4289596 registers.esi: 2147944122 registers.ecx: 1764496550	1	0	0
__exception__ July 25, 2023, 6:35 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6ab22074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x662a85c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 108262684 registers.edi: 108262848 registers.eax: 108262684 registers.ebp: 108262764 registers.edx: 0 registers.ebx: 108263900 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ July 25, 2023, 6:35 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6ab23102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x662cf7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab ??0OdfStgParams@@QAE@XZ+0xf19cd mso+0xff48d3 @ 0x709c48d3 DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2fb81602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2fb8159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 3458940 registers.edi: 3459104 registers.eax: 3458940 registers.ebp: 3459020 registers.edx: 0 registers.ebx: 3460156 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$lawzx.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile July 25, 2023, 6:35 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x0000044c filepath: C:\Users\test22\AppData\Local\Temp\~$lawzx.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$lawzx.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

RTF file has an unknown character set (1 event)

filetype_details

Rich Text Format data, version 1, unknown character set

filename

lawzx.doc

Makes SMTP requests, possibly sending spam (1 event)

receiver

[]

sender

[]

server

208.91.199.225

Communicates with host for which no DNS query was performed (1 event)

host

87.121.221.212

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

MicroWorld-eScan	Exploit.RTF-ObfsObjDat.Gen
CAT-QuickHeal	Exp.RTF.Obfus.Gen
ALYac	Exploit.RTF-ObfsObjDat.Gen
VIPRE	Exploit.RTF-ObfsObjDat.Gen
Sangfor	Malware.Generic-RTF.Save.c14d744d
Arcabit	Exploit.RTF-ObfsObjDat.Gen
Cyren	RTF/CVE-2017-11882.U.gen!Camelot
Symantec	Bloodhound.RTF.20
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Exploit.MSOffice.CVE-2018-0802.gen
BitDefender	Exploit.RTF-ObfsObjDat.Gen
NANO-Antivirus	Exploit.Rtf.Heuristic-rtf.dinbqn
Emsisoft	Exploit.RTF-ObfsObjDat.Gen (B)
F-Secure	Heuristic.HEUR/Rtf.Malformed
DrWeb	Exploit.CVE-2018-0798.4
TrendMicro	HEUR_RTFMALFORM
FireEye	Exploit.RTF-ObfsObjDat.Gen
Sophos	Troj/RTFDl-CJA
Ikarus	Exploit.RTF.Doc
Avira	HEUR/Rtf.Malformed
ZoneAlarm	HEUR:Exploit.MSOffice.CVE-2018-0802.gen
GData	Exploit.RTF-ObfsObjDat.Gen
Google	Detected
AhnLab-V3	RTF/Malform-D.Gen
McAfee	RTFObfustream.c!31332915EA2A
Zoner	Probably Heur.RTFObfuscation
Yandex	Trojan.AvsRicher.bZAyIk
MAX	malware (ai score=85)
Fortinet	MSOffice/CVE_2018_0798.BOR!exploit

lawzx.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All