popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

microsoftdecidedtoupdateentirethingsfromthepcfordletehistorycachecookiefromthepc.Doc

MS_RTF_Obfuscation_Objects doc RTF File
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6402 Dec. 13, 2023, 6:23 p.m. Dec. 13, 2023, 6:26 p.m.
Size 61.0KB
Type ISO-8859 text, with very long lines, with CRLF, CR, LF line terminators
MD5 911181c9ce56b902706424dfcc600236
SHA256 300f0a2bc495ec461fb3be211465b982cd7336f3b2d98a6e7c08394c38090a5b
CRC32 4983FD69
ssdeep 1536:yBbyRStOIeh8WFjsQhKvEmSxUg3SFHZS3FGK8LltlzuN:gtt8hKvvmUg0ZS3FGK8Lltlzk
Yara
  • SUSP_INDICATOR_RTF_MalVer_Objects - Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents.
  • Rich_Text_Format_Zero - Rich Text Format Signature Zero
  • MS_RTF_Suspicious_documents - Suspicious documents using RTF document OLE object

Name Response Post-Analysis Lookup
www.synergyinnovationgroup.com
A 65.60.36.22
CNAME synergyinnovationgroup.com
65.60.36.22
IP Address Status Action
164.124.101.2 Active Moloch
172.245.208.4 Active Moloch
65.60.36.22 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 65.60.36.22:443 -> 192.168.56.102:49173 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49175 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49183 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49162 -> 172.245.208.4:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.102:49180 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49187 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49181 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 172.245.208.4:80 -> 192.168.56.102:49162 2022050 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 A Network Trojan was detected
TCP 192.168.56.102:49200 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49197 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49185 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49189 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49193 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49201 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49191 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49192 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49208 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49195 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49217 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49196 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49228 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.245.208.4:80 -> 192.168.56.102:49162 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49205 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.245.208.4:80 -> 192.168.56.102:49162 2022051 ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 A Network Trojan was detected
TCP 192.168.56.102:49229 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.245.208.4:80 -> 192.168.56.102:49162 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49242 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49204 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49244 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49206 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49214 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49248 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49218 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49213 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49210 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49220 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49265 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49237 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49276 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49249 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49277 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49252 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49282 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49254 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49286 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49264 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49292 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49270 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49294 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49284 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49298 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49285 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49305 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49314 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49313 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49222 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49317 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49234 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49322 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49224 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49236 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49233 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49241 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49238 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49256 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49250 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49266 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49260 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49262 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49289 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49304 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49268 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49176 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49316 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49177 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49278 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49318 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49188 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49280 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49321 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49216 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49290 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49225 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49296 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49226 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49301 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49230 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49302 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49245 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49308 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49246 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 65.60.36.22:443 -> 192.168.56.102:49310 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49257 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49320 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49261 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49269 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49273 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49274 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49281 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49288 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49293 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49297 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49300 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49306 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49309 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49171 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49172 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49179 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49184 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49199 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49209 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49212 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49221 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49232 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49240 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49253 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 65.60.36.22:443 -> 192.168.56.102:49258 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.102:49272 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49312 -> 65.60.36.22:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75b01414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68
wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a
DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a
DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5
DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8
DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27
DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c
DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436
_GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee
_GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a
DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5
DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac
DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43
DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73
DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17
DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6
FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c
wdCommandDispatch-0x964 winword+0x1602 @ 0x2f3d1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2f3d159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 4248744
registers.edi: 1974270480
registers.eax: 4248744
registers.ebp: 4248824
registers.edx: 0
registers.ebx: 5609644
registers.esi: 2147944126
registers.ecx: 951576384
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75abb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75abb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75abb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75aba66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75b3a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75b177e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75b014b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68
wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a
DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a
DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5
DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8
DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27
DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c
DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436
_GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee
_GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a
DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5
DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac
DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43
DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73
DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17
DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6
FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c
wdCommandDispatch-0x964 winword+0x1602 @ 0x2f3d1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2f3d159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 4248436
registers.edi: 1974270480
registers.eax: 4248436
registers.ebp: 4248516
registers.edx: 0
registers.ebx: 5609140
registers.esi: 2147944122
registers.ecx: 951576384
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x737c33cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x737d2074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x69bf85c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 109048180
registers.edi: 109048344
registers.eax: 109048180
registers.ebp: 109048260
registers.edx: 0
registers.ebx: 109049396
registers.esi: 2147942523
registers.ecx: 2147483648
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x737c33cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x737d3102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x69c1f7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab
??0OdfStgParams@@QAE@XZ+0xf3485 mso+0xff638b @ 0x709c638b
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43
_GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37
_GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d
_GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667
_GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169
_GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6
wdCommandDispatch-0x964 winword+0x1602 @ 0x2f3d1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2f3d159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 4311384
registers.edi: 4311548
registers.eax: 4311384
registers.ebp: 4311464
registers.edx: 0
registers.ebx: 4312600
registers.esi: 3221549073
registers.ecx: 2147483648
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://172.245.208.4/2116/wlanext.exe
request GET http://172.245.208.4/2116/wlanext.exe
Application Crash Process WINWORD.EXE with pid 3016 crashed
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad
OleCreateEmbeddingHelper+0x2a1 CreateFileMoniker-0x17de ole32+0x81414 @ 0x75b01414
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68
wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a
DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a
DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5
DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8
DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27
DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c
DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436
_GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee
_GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a
DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5
DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac
DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43
DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73
DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17
DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6
FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c
wdCommandDispatch-0x964 winword+0x1602 @ 0x2f3d1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2f3d159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706be
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 4248744
registers.edi: 1974270480
registers.eax: 4248744
registers.ebp: 4248824
registers.edx: 0
registers.ebx: 5609644
registers.esi: 2147944126
registers.ecx: 951576384
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b
WdtpInterfacePointer_UserUnmarshal+0x166b DllDebugObjectRPCHook-0x2d8d ole32+0x13c8e2 @ 0x75bbc8e2
CoRegisterMessageFilter+0x32b4 ObjectStublessClient5-0x1db5 ole32+0x398ad @ 0x75ab98ad
CoRegisterMessageFilter+0x5048 ObjectStublessClient5-0x21 ole32+0x3b641 @ 0x75abb641
CoRegisterMessageFilter+0x4ff4 ObjectStublessClient5-0x75 ole32+0x3b5ed @ 0x75abb5ed
CoRegisterMessageFilter+0x4b79 ObjectStublessClient5-0x4f0 ole32+0x3b172 @ 0x75abb172
CoRegisterMessageFilter+0x4075 ObjectStublessClient5-0xff4 ole32+0x3a66e @ 0x75aba66e
ObjectStublessClient31+0x2961c STGMEDIUM_UserUnmarshal-0x92 ole32+0xba68c @ 0x75b3a68c
ObjectStublessClient31+0x6776 STGMEDIUM_UserUnmarshal-0x22f38 ole32+0x977e6 @ 0x75b177e6
OleCreateEmbeddingHelper+0x344 CreateFileMoniker-0x173b ole32+0x814b7 @ 0x75b014b7
ObjectStublessClient31+0x6af8 STGMEDIUM_UserUnmarshal-0x22bb6 ole32+0x97b68 @ 0x75b17b68
wdGetApplicationObject+0x692e4 wdCommandDispatch-0xec808 wwlib+0xb0515a @ 0x72a5515a
DllGetLCID+0x46ee14 wdGetApplicationObject-0x41f66c wwlib+0x67c80a @ 0x725cc80a
DllGetLCID+0x431abf wdGetApplicationObject-0x45c9c1 wwlib+0x63f4b5 @ 0x7258f4b5
DllGetLCID+0x41dc02 wdGetApplicationObject-0x47087e wwlib+0x62b5f8 @ 0x7257b5f8
DllGetLCID+0x41c431 wdGetApplicationObject-0x47204f wwlib+0x629e27 @ 0x72579e27
DllGetLCID+0x46bf56 wdGetApplicationObject-0x42252a wwlib+0x67994c @ 0x725c994c
DllGetLCID+0x46ba40 wdGetApplicationObject-0x422a40 wwlib+0x679436 @ 0x725c9436
_GetAllocCounters@0+0x1ed526 DllGetLCID-0x9708 wwlib+0x2042ee @ 0x721542ee
_GetAllocCounters@0+0x1bc92 DllGetLCID-0x1daf9c wwlib+0x32a5a @ 0x71f82a5a
DllGetLCID+0x492af wdGetApplicationObject-0x8451d1 wwlib+0x256ca5 @ 0x721a6ca5
DllGetLCID+0x3bdb6 wdGetApplicationObject-0x8526ca wwlib+0x2497ac @ 0x721997ac
DllGetLCID+0x60114d wdGetApplicationObject-0x28d333 wwlib+0x80eb43 @ 0x7275eb43
DllGetLCID+0x34c17d wdGetApplicationObject-0x542303 wwlib+0x559b73 @ 0x724a9b73
DllGetLCID+0x321 wdGetApplicationObject-0x88e15f wwlib+0x20dd17 @ 0x7215dd17
DllGetClassObject+0x29ea _GetAllocCounters@0-0xee02 wwlib+0x7fc6 @ 0x71f57fc6
FMain+0x245 DllGetClassObject-0x2a0 wwlib+0x533c @ 0x71f5533c
wdCommandDispatch-0x964 winword+0x1602 @ 0x2f3d1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2f3d159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x800706ba
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 4248436
registers.edi: 1974270480
registers.eax: 4248436
registers.ebp: 4248516
registers.edx: 0
registers.ebx: 5609140
registers.esi: 2147944122
registers.ecx: 951576384
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x737c33cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x737d2074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x69bf85c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 109048180
registers.edi: 109048344
registers.eax: 109048180
registers.ebp: 109048260
registers.edx: 0
registers.ebx: 109049396
registers.esi: 2147942523
registers.ecx: 2147483648
1 0 0

__exception__

 stacktrace: 
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x737c33cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x737d5dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x737c3b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x737d3102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x69c1f7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab
??0OdfStgParams@@QAE@XZ+0xf3485 mso+0xff638b @ 0x709c638b
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43
_GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37
_GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d
_GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667
_GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169
_GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6
wdCommandDispatch-0x964 winword+0x1602 @ 0x2f3d1602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2f3d159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 4311384
registers.edi: 4311548
registers.eax: 4311384
registers.ebp: 4311464
registers.edx: 0
registers.ebx: 4312600
registers.esi: 3221549073
registers.ecx: 2147483648
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$crosoftdecidedtoupdateentirethingsfromthepcfordletehistorycachecookiefromthepc.Doc
Time & API Arguments Status Return Repeated

NtCreateFile

 create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000454
filepath: C:\Users\test22\AppData\Local\Temp\~$crosoftdecidedtoupdateentirethingsfromthepcfordletehistorycachecookiefromthepc.Doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$crosoftdecidedtoupdateentirethingsfromthepcfordletehistorycachecookiefromthepc.Doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
host 172.245.208.4
Lionic Trojan.MSOffice.ObfsStrm.4!c
DrWeb Exploit.Siggen3.44122
FireEye Exploit.RTF-ObfsStrm.Gen
CAT-QuickHeal Exp.RTF.Obfus.Gen
VIPRE Exploit.RTF-ObfsStrm.Gen
Sangfor Malware.Generic-RTF.Save.ecfa366c
Symantec Exp.CVE-2017-11882!g2
ESET-NOD32 a variant of DOC/Abnormal.B
Avast OLE:CVE-2017-11882-B [Expl]
Cynet Malicious (score: 99)
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Exploit.RTF-ObfsStrm.Gen
NANO-Antivirus Exploit.Rtf.Heuristic-rtf.dinbqn
MicroWorld-eScan Exploit.RTF-ObfsStrm.Gen
Emsisoft Exploit.RTF-ObfsStrm.Gen (B)
F-Secure Heuristic.HEUR/Rtf.Malformed
TrendMicro HEUR_RTFMALFORM
Sophos Troj/RtfExp-EQ
Ikarus Exploit.CVE-2017-11882
Avira HEUR/Rtf.Malformed
Antiy-AVL Trojan[Exploit]/OLE2.CVE-2017-11882
Kingsoft Win32.Infected.AutoInfector.a
Microsoft Trojan:Script/Wacatac.B!ml
Arcabit Exploit.RTF-ObfsStrm.Gen
ZoneAlarm HEUR:Exploit.MSOffice.Generic
GData Exploit.RTF-ObfsStrm.Gen
Varist CVE-2017-11882.C.gen!Camelot
AhnLab-V3 RTF/Malform-A.Gen
McAfee RTFObfustream.c!911181C9CE56
MAX malware (ai score=89)
Zoner Probably Heur.RTFBadHeader
Tencent Exp.Office.CVE-2017-11882.a
Fortinet RTF/GenericKD.47107450!tr
AVG OLE:CVE-2017-11882-B [Expl]