Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Jan. 9, 2024, 2:47 p.m.	Jan. 9, 2024, 2:49 p.m.

Size	1.2MB
Type	data
MD5	`eba5412c896ac51f09604239e059e1e7`
SHA256	`4a8effe0c5ca27816abe50dbe099ffc1ae28673ccfb28b7639b453c718cd7581`
CRC32	`D6CB658E`
ssdeep	`12288:zmuSZaYrdSNHHf5aD+55bdqaHkiDVXRtb/hFwzSkNqD+8UZ1upZFHqyjxRfm/UWa:SuS4wuHADA5bI2O+UqpTXjrHwCw`
Yara	SUSP_INDICATOR_RTF_MalVer_Objects - Detects RTF documents with non-standard version and embedding one of the object mostly observed in exploit (e.g. CVE-2017-11882) documents. Rich_Text_Format_Zero - Rich Text Format Signature Zero MS_RTF_Suspicious_documents - Suspicious documents using RTF document OLE object

WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" C:\Users\test22\AppData\Local\Temp\DECEMBER_2023_COMMISSION_PAYMENT.doc
3020
- svchost.exe C:\Users\test22\AppData\Local\Temp\..\svchost.exe
  2224
  - RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    1044
- cmd.exe cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
  156
  - reg.exe reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
    2244
- cmd.exe cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
  2352
  - reg.exe reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
    2500
- WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" "C:\Users\test22\AppData\Local\Temp\DECEMBER_2023_COMMISSION_PAYMENT.doc"
  2396

Name	Response	Post-Analysis Lookup
indigopeter.ddns.net	A 105.115.3.119	105.115.3.119
freegeoip.net	A 104.26.15.73 A 172.67.75.176 A 104.26.14.73	104.26.14.73

IP Address	Status	Action
105.115.3.119	Active	Moloch
164.124.101.2	Active	Moloch
172.67.75.176	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2036860	ET INFO External IP Lookup Domain (freegeiop .net in DNS lookup)	Device Retrieving External IP Address Detected
UDP 192.168.56.102:56630 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.102:62846 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 9, 2024, 2:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 9, 2024, 2:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 9, 2024, 2:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 9, 2024, 2:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 9, 2024, 2:47 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 9, 2024, 2:47 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (14 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 2:47 p.m.			0	0

Command line console output was observed (3 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 9, 2024, 2:47 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 9, 2024, 2:47 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW Jan. 9, 2024, 2:47 p.m.	buffer: The system was unable to find the specified registry key or value. console_handle: 0x0000000b	1	1

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptGenKey Jan. 9, 2024, 2:47 p.m.	crypto_handle: 0x006012c8 algorithm_identifier: 0x00006610 () flags: 1 key: f D5¼Ûm¨Y,©`¾¨ýØÉÉ ÓÄ.à\|2³Ã provider_handle: 0x00616ee0	1	1
CryptExportKey Jan. 9, 2024, 2:47 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006012c8 flags: 0 crypto_export_handle: 0x00601c48 blob_type: 1	1	1
CryptExportKey Jan. 9, 2024, 2:47 p.m.	buffer: f¤Ú1³n=="HWmíU³åWÿÙ»xÞsoTÌäÓ~v45}içU ÜhmîAX¤3q¤£½áXi¨}³©º8 B1d^ÀoQ ª J¶óT3-@]q°wèE$ØbópLØyW¿w crypto_handle: 0x006012c8 flags: 0 crypto_export_handle: 0x00601c48 blob_type: 1	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (4 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{FDF3ECB9-B56F-43B2-A9B8-1B48B6BAE1A7}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{191301D3-A579-428C-B0C7-D7988500F9E3}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{90140000-0011-0000-0000-0000000FF1CE}\DigitalProductID
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\14.0\Registration\{6F327760-8C5C-417C-9B61-836A98287E0C}\DigitalProductID

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 9, 2024, 2:47 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6ab22074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x666585c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 108327116 registers.edi: 108327280 registers.eax: 108327116 registers.ebp: 108327196 registers.edx: 0 registers.ebx: 108328332 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ Jan. 9, 2024, 2:47 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6ab23102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x6667f7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab ??0OdfStgParams@@QAE@XZ+0xf2cde mso+0xff5be4 @ 0x709c5be4 DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2f171602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2f17159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 2671252 registers.edi: 2671416 registers.eax: 2671252 registers.ebp: 2671332 registers.edx: 0 registers.ebx: 2672468 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 9, 2024, 2:47 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6ab133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6ab22074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x666585c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x8007007b
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 108327116
registers.edi: 108327280
registers.eax: 108327116
registers.ebp: 108327196
registers.edx: 0
registers.ebx: 108328332
registers.esi: 2147942523
registers.ecx: 2147483648

__exception__

Jan. 9, 2024, 2:47 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6ab133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6ab23102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x6667f7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab
??0OdfStgParams@@QAE@XZ+0xf2cde mso+0xff5be4 @ 0x709c5be4
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43
_GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37
_GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d
_GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667
_GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169
_GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6
wdCommandDispatch-0x964 winword+0x1602 @ 0x2f171602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2f17159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 2671252
registers.edi: 2671416
registers.eax: 2671252
registers.ebp: 2671332
registers.edx: 0
registers.ebx: 2672468
registers.esi: 3221549073
registers.ecx: 2147483648

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET http://freegeoip.net/json/
suspicious_features	GET method with no useragent header				suspicious_request	GET http://freegeoip.net/shutdown

Connects to a Dynamic DNS Domain (1 event)

domain

indigopeter.ddns.net

Performs some HTTP requests (2 events)

request	GET http://freegeoip.net/json/
request	GET http://freegeoip.net/shutdown

Allocates read-write-execute memory (usually to unpack itself) (50 out of 82 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 3020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b0b000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 3020 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05130000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 3020 region_size: 5242880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06020000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 3020 region_size: 5242880 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x06520000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ad52000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x2f171000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7425c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70c37000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7213f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x709bd000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc30000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74e88000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6adc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ad52000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ac49000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ac49000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03bd0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03d30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x5fff0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75a86000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75004000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75003000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75005000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75003000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6a8f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66cd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 2396 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x66c74000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69e91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x69e92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00457000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

RegSvcs.exe tried to sleep 294 seconds, actually delayed analysis time by 294 seconds

An application raised an exception which may be indicative of an exploit crash (3 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process WINWORD.EXE with pid 2396 crashed
__exception__ Jan. 9, 2024, 2:47 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6ab22074 SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x666585c7 ??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28 DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d _MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x8007007b exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 108327116 registers.edi: 108327280 registers.eax: 108327116 registers.ebp: 108327196 registers.edx: 0 registers.ebx: 108328332 registers.esi: 2147942523 registers.ecx: 2147483648	1	0	0
__exception__ Jan. 9, 2024, 2:47 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a SLClose-0x28e osppc+0x33cf @ 0x6ab133cf SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21 SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6ab23102 SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x6667f7d0 ??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed ??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871 DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef _MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0 _MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab ??0OdfStgParams@@QAE@XZ+0xf2cde mso+0xff5be4 @ 0x709c5be4 DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517 _MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4 _MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0 _MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292 _MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d _MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14 _MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21 _MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991 _MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4 _MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b _MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a _MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41 _MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43 _GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37 _GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d _GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667 _GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169 _GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6 wdCommandDispatch-0x964 winword+0x1602 @ 0x2f171602 wdCommandDispatch-0x9cc winword+0x159a @ 0x2f17159a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 2671252 registers.edi: 2671416 registers.eax: 2671252 registers.ebp: 2671332 registers.edx: 0 registers.ebx: 2672468 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Application Crash

Process WINWORD.EXE with pid 2396 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 9, 2024, 2:47 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6ab133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21
SLpVLActivateProduct+0xcb SLpGetMSPidInformation-0x111 osppc+0x12074 @ 0x6ab22074
SLActivateProduct+0x48e SLInitialize-0x110a osppcext+0x385c7 @ 0x666585c7
??0OdfStgParams@@QAE@XZ+0xbae22 mso+0xfbdd28 @ 0x7098dd28
DllGetLCID+0x5c042 _MsoWebServerSupportEx@12-0x1c8a2b mso+0x6bc415 @ 0x7008c415
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x88ca _MsoHrSimpleQueryInterface@16-0x12268 mso+0xc9076 @ 0x6fa99076
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoGetHmodPTLServices@0+0x326f _MsoCpgFromChs@4-0x3424 mso+0x2c60d @ 0x6f9fc60d
_MsoFCreateIPref@28+0x143f _MsoFUseIEFeature@8-0xee0 mso+0x22ce6 @ 0x6f9f2ce6
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

__exception__

Jan. 9, 2024, 2:47 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x750d2b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x750a801a
SLClose-0x28e osppc+0x33cf @ 0x6ab133cf
SLLoadApplicationPolicies+0xa99 SLCallServer-0x330 osppc+0x15dba @ 0x6ab25dba
SLClose+0x4c4 SLpBeginGenuineTicketTransaction-0x4f79 osppc+0x3b21 @ 0x6ab13b21
SLpGetTokenActivationGrantInfo+0x13c SLpGenerateTokenActivationChallenge-0x11c osppc+0x13102 @ 0x6ab23102
SLGetTokenActivationGrants+0x710 SLGetTokenActivationCertificates-0x7a8 osppcext+0x5f7d0 @ 0x6667f7d0
??0OdfStgParams@@QAE@XZ+0xbb1e7 mso+0xfbe0ed @ 0x7098e0ed
??0OdfStgParams@@QAE@XZ+0xbb3c9 mso+0xfbe2cf @ 0x7098e2cf
DllGetClassObject+0x3c2bb _MsoFActivateControl@4-0x25231 mso+0xa84871 @ 0x70454871
DllGetClassObject+0x3c339 _MsoFActivateControl@4-0x251b3 mso+0xa848ef @ 0x704548ef
_MsoFHideTaiwan@0+0x4ccf _MsoSetLVProperty@8-0x7e2a9 mso+0x274ea0 @ 0x6fc44ea0
_MsoFDoSmartTagSecurityCheck@8+0xb6367 _MsoCompareStringA@24-0x391 mso+0x61d7ab @ 0x6ffed7ab
??0OdfStgParams@@QAE@XZ+0xf2cde mso+0xff5be4 @ 0x709c5be4
DllGetLCID+0x5c144 _MsoWebServerSupportEx@12-0x1c8929 mso+0x6bc517 @ 0x7008c517
_MsoFGetTooltips@0+0x8918 _MsoHrSimpleQueryInterface@16-0x1221a mso+0xc90c4 @ 0x6fa990c4
_MsoFGetTooltips@0+0x8844 _MsoHrSimpleQueryInterface@16-0x122ee mso+0xc8ff0 @ 0x6fa98ff0
_MsoPeekMessage@8+0x49e5 _MsoGetStringTypeExW@20-0x1652 mso+0xb7292 @ 0x6fa87292
_MsoPeekMessage@8+0x49a0 _MsoGetStringTypeExW@20-0x1697 mso+0xb724d @ 0x6fa8724d
_MsoCpgFromChs@4+0x14e3 _MsoCrCbvGet@4-0xa6c mso+0x30f14 @ 0x6fa00f14
_MsoGetHmodPTLServices@0+0x4883 _MsoCpgFromChs@4-0x1e10 mso+0x2dc21 @ 0x6f9fdc21
_MsoGetHmodPTLServices@0+0x45f3 _MsoCpgFromChs@4-0x20a0 mso+0x2d991 @ 0x6f9fd991
_MsoPeekMessage@8+0x4537 _MsoGetStringTypeExW@20-0x1b00 mso+0xb6de4 @ 0x6fa86de4
_MsoPeekMessage@8+0x446e _MsoGetStringTypeExW@20-0x1bc9 mso+0xb6d1b @ 0x6fa86d1b
_MsoPeekMessage@8+0x16ad _MsoGetStringTypeExW@20-0x498a mso+0xb3f5a @ 0x6fa83f5a
_MsoPeekMessage@8+0x2294 _MsoGetStringTypeExW@20-0x3da3 mso+0xb4b41 @ 0x6fa84b41
_MsoPeekMessage@8+0x1196 _MsoGetStringTypeExW@20-0x4ea1 mso+0xb3a43 @ 0x6fa83a43
_GetAllocCounters@0+0x5006f DllGetLCID-0x1a6bbf wwlib+0x66e37 @ 0x71fb6e37
_GetAllocCounters@0+0x50f95 DllGetLCID-0x1a5c99 wwlib+0x67d5d @ 0x71fb7d5d
_GetAllocCounters@0+0x4d89f DllGetLCID-0x1a938f wwlib+0x64667 @ 0x71fb4667
_GetAllocCounters@0+0x4c3a1 DllGetLCID-0x1aa88d wwlib+0x63169 @ 0x71fb3169
_GetAllocCounters@0+0x4a61e DllGetLCID-0x1ac610 wwlib+0x613e6 @ 0x71fb13e6
wdCommandDispatch-0x964 winword+0x1602 @ 0x2f171602
wdCommandDispatch-0x9cc winword+0x159a @ 0x2f17159a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 2671252
registers.edi: 2671416
registers.eax: 2671252
registers.ebp: 2671332
registers.edx: 0
registers.ebx: 2672468
registers.esi: 3221549073
registers.ecx: 2147483648

Creates (office) documents on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\~$CEMBER_2023_COMMISSION_PAYMENT.doc
file	C:\Users\test22\AppData\Local\Temp\DECEMBER_2023_COMMISSION_PAYMENT.doc

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\svchost.exe

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Jan. 9, 2024, 2:47 p.m.	create_disposition: 5 (FILE_OVERWRITE_IF) file_handle: 0x00000454 filepath: C:\Users\test22\AppData\Local\Temp\~$CEMBER_2023_COMMISSION_PAYMENT.doc desired_access: 0x40100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$CEMBER_2023_COMMISSION_PAYMENT.doc create_options: 4194400 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 2 (FILE_CREATED) share_access: 0 ()	1	0	0

Creates a suspicious process (3 events)

cmdline	C:\Users\test22\AppData\Local\Temp\..\svchost.exe
cmdline	cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
cmdline	cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\svchost.exe

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Jan. 9, 2024, 2:47 p.m.	flags: 15 family: 0		111	0

Yara rule detected in process memory (14 events)

description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	Remote Administration toolkit using webcam	rule	RAT_WebCam

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
cmdline	cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
cmdline	cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
cmdline	reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000118	1	0	0

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CN9281H				reg_value	C:\Users\test22\AppData\Roaming\CN9281H.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost				reg_value	C:\Users\test22\AppData\Roaming\server\server.exe

Executes one or more WMI queries (3 events)

wmi	Select * from AntiVirusProduct
wmi	SELECT * FROM FirewallProduct
wmi	select * from Win32_OperatingSystem

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 9, 2024, 2:47 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELVgeà n7 @ @7O@` H.textt `.rsrc@@@.reloc`"@B base_address: 0x00400000 process_identifier: 1044 process_handle: 0x00000118	1	1
WriteProcessMemory Jan. 9, 2024, 2:47 p.m.	buffer: 0HX@ÄÄ4VS_VERSION_INFO½ïþf°f°?DVarFileInfo$Translation°$StringFileInfo000004b0HCommentsWindows Desktop Gadgets4 CompanyNameMicrosoftHFileDescriptionWindows Sidebar<FileVersion1.0.7600.1638< InternalNamemyserver.exe\|,LegalCopyrightMicrosoft Corperation. All rights reserved.D OriginalFilenamemyserver.exeh#ProductNameMicrosoft Windows Operating System@ProductVersion1.0.7600.1638DAssembly Version1.0.7600.1638 base_address: 0x00434000 process_identifier: 1044 process_handle: 0x00000118	1	1
WriteProcessMemory Jan. 9, 2024, 2:47 p.m.	buffer: 0p7 base_address: 0x00436000 process_identifier: 1044 process_handle: 0x00000118	1	1
WriteProcessMemory Jan. 9, 2024, 2:47 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1044 process_handle: 0x00000118	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 9, 2024, 2:47 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELVgeà n7 @ @7O@` H.textt `.rsrc@@@.reloc`"@B base_address: 0x00400000 process_identifier: 1044 process_handle: 0x00000118	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA Jan. 9, 2024, 2:47 p.m.	thread_identifier: 0 callback_function: 0x00651682 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00000000	1	852447	0

A command shell or script process was created by an unexpected parent process (2 events)

parent_process	winword.exe				martian_process	cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
parent_process	winword.exe				martian_process	cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2224 called NtSetContextThread to modify thread in remote process 1044
NtSetContextThread Jan. 9, 2024, 2:47 p.m.	registers.eip: 2001207748 registers.esp: 3406272 registers.edi: 0 registers.eax: 4405102 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 1044	1	0	0

One or more non-whitelisted processes were created (4 events)

parent_process	winword.exe	martian_process	C:\Users\test22\AppData\Local\Temp\..\svchost.exe
parent_process	winword.exe	martian_process	cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F
parent_process	winword.exe	martian_process	cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F
parent_process	winword.exe	martian_process	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE "C:\Users\test22\AppData\Local\Temp\DECEMBER_2023_COMMISSION_PAYMENT.doc"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2224 resumed a thread in remote process 1044
NtResumeThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 1044	1	0	0

The process winword.exe wrote an executable file to disk (1 event)

file	C:\Users\test22\AppData\Local\svchost.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

105.115.3.119:2033

Executed a process and injected code into it, probably while unpacking (27 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Jan. 9, 2024, 2:47 p.m.	thread_identifier: 2208 thread_handle: 0x0000049c process_identifier: 2212 current_directory: C:\Windows filepath: C:\Windows\splwow64.exe track: 0 command_line: C:\Windows\splwow64.exe 12288 filepath_r: C:\Windows\splwow64.exe stack_pivoted: 0 creation_flags: 201326600 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NO_WINDOW\|DETACHED_PROCESS) inherit_handles: 0 process_handle: 0x000004a0	1	1
CreateProcessInternalW Jan. 9, 2024, 2:47 p.m.	thread_identifier: 2228 thread_handle: 0x00000498 process_identifier: 2224 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\..\svchost.exe filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x000004a0	1	1
CreateProcessInternalW Jan. 9, 2024, 2:47 p.m.	thread_identifier: 2312 thread_handle: 0x00000108 process_identifier: 156 current_directory: filepath: track: 1 command_line: cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000498	1	1
CreateProcessInternalW Jan. 9, 2024, 2:47 p.m.	thread_identifier: 2356 thread_handle: 0x00000108 process_identifier: 2352 current_directory: filepath: track: 1 command_line: cmd.exe /c reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000498	1	1
CreateProcessInternalW Jan. 9, 2024, 2:47 p.m.	thread_identifier: 2384 thread_handle: 0x00000108 process_identifier: 2396 current_directory: filepath: track: 1 command_line: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE "C:\Users\test22\AppData\Local\Temp\DECEMBER_2023_COMMISSION_PAYMENT.doc" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000498	1	1
CreateProcessInternalW Jan. 9, 2024, 2:47 p.m.	thread_identifier: 1324 thread_handle: 0x00000124 process_identifier: 1044 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000118	1	1
NtUnmapViewOfSection Jan. 9, 2024, 2:47 p.m.	base_address: 0x00400000 region_size: 1994981376 process_identifier: 1044 process_handle: 0x00000118		3221225497
NtAllocateVirtualMemory Jan. 9, 2024, 2:47 p.m.	process_identifier: 1044 region_size: 229376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000118	1	0
WriteProcessMemory Jan. 9, 2024, 2:47 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELVgeà n7 @ @7O@` H.textt `.rsrc@@@.reloc`"@B base_address: 0x00400000 process_identifier: 1044 process_handle: 0x00000118	1	1
WriteProcessMemory Jan. 9, 2024, 2:47 p.m.	buffer: base_address: 0x00402000 process_identifier: 1044 process_handle: 0x00000118	1	1
WriteProcessMemory Jan. 9, 2024, 2:47 p.m.	buffer: 0HX@ÄÄ4VS_VERSION_INFO½ïþf°f°?DVarFileInfo$Translation°$StringFileInfo000004b0HCommentsWindows Desktop Gadgets4 CompanyNameMicrosoftHFileDescriptionWindows Sidebar<FileVersion1.0.7600.1638< InternalNamemyserver.exe\|,LegalCopyrightMicrosoft Corperation. All rights reserved.D OriginalFilenamemyserver.exeh#ProductNameMicrosoft Windows Operating System@ProductVersion1.0.7600.1638DAssembly Version1.0.7600.1638 base_address: 0x00434000 process_identifier: 1044 process_handle: 0x00000118	1	1
WriteProcessMemory Jan. 9, 2024, 2:47 p.m.	buffer: 0p7 base_address: 0x00436000 process_identifier: 1044 process_handle: 0x00000118	1	1
NtGetContextThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x00000124	1	0
WriteProcessMemory Jan. 9, 2024, 2:47 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1044 process_handle: 0x00000118	1	1
NtSetContextThread Jan. 9, 2024, 2:47 p.m.	registers.eip: 2001207748 registers.esp: 3406272 registers.edi: 0 registers.eax: 4405102 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000124 process_identifier: 1044	1	0
NtResumeThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x00000124 suspend_count: 1 process_identifier: 1044	1	0
CreateProcessInternalW Jan. 9, 2024, 2:47 p.m.	thread_identifier: 1596 thread_handle: 0x00000084 process_identifier: 2244 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete "HKCU\Software\Microsoft\Office\14.0\Word\Resiliency" /F filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW Jan. 9, 2024, 2:47 p.m.	thread_identifier: 2516 thread_handle: 0x00000084 process_identifier: 2500 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\reg.exe track: 1 command_line: reg delete "HKCU\Software\Microsoft\Office\12.0\Word\Resiliency" /F filepath_r: C:\Windows\system32\reg.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
NtResumeThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2396	1	0
NtResumeThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 1044	1	0
NtResumeThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 1044	1	0
NtResumeThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 1044	1	0
NtResumeThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x00000424 suspend_count: 1 process_identifier: 1044	1	0
NtResumeThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x00000470 suspend_count: 1 process_identifier: 1044	1	0
NtResumeThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x00000508 suspend_count: 1 process_identifier: 1044	1	0
NtResumeThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x0000051c suspend_count: 1 process_identifier: 1044	1	0
NtResumeThread Jan. 9, 2024, 2:47 p.m.	thread_handle: 0x00000530 suspend_count: 1 process_identifier: 1044	1	0

File has been identified by 37 AntiVirus engines on VirusTotal as malicious (37 events)

CAT-QuickHeal	Exp.RTF.CVE-2012-0158.A
Skyhigh	Exploit-CVE2012-0158.n
McAfee	Exploit-CVE2012-0158.n
VIPRE	Exploit.RTF-ObfsStrm.Gen
Sangfor	Exploit.Doc.CVE-2014-1761.a
Arcabit	Exploit.RTF-ObfsStrm.Gen [many]
Baidu	Win32.Exploit.CVE-2012-0158.i
VirIT	Trojan.Win32.X-Expl.ACRC
Symantec	Trojan.Mdropper.AE
ESET-NOD32	Win32/Exploit.CVE-2012-0158.AER
Avast	MO97:ShellCode-ET [Expl]
Cynet	Malicious (score: 99)
Kaspersky	Exploit.Win32.CVE-2012-0158.j
BitDefender	Exploit.RTF-ObfsStrm.Gen
NANO-Antivirus	Exploit.Rtf.Heuristic-rtf.dinbqn
MicroWorld-eScan	Exploit.RTF-ObfsStrm.Gen
Rising	Exploit.CVE-2012-0158!1.A584 (CLASSIC)
Emsisoft	Exploit.RTF-ObfsStrm.Gen (B)
F-Secure	Heuristic.HEUR/Rtf.Malformed
DrWeb	Exploit.CVE-2012-0158.135
Zillya	Downloader.OpenConnection.JS.115660
TrendMicro	HEUR_RTFMALFORM
Sophos	Troj/DocDrop-JK
Ikarus	Trojan.Win32.Exploit
Jiangmin	Exploit.CVE-2012-0158.c
Google	Detected
Avira	HEUR/Rtf.Malformed
Antiy-AVL	Trojan[Exploit]/RTF.CVE-2014-1761
Microsoft	Exploit:Win32/CVE-2012-0158
ZoneAlarm	UDS:DangerousObject.Multi.Generic
GData	Exploit.RTF-ObfsStrm.Gen
Varist	RTF/CVE122539
AhnLab-V3	RTF/Cve-2012-0158
TACHYON	Suspicious/RTF.GDO.Gen
Zoner	Probably Heur.RTFBadHeader
MAX	malware (ai score=82)
AVG	MO97:ShellCode-ET [Expl]

DECEMBER_2023_COMMISSION_PAYMENT.doc

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All