Summary | ZeroBOX

Court Fine.doc

Formbook CVE MS-MSDT Word 2007 file format(docx)
Category: FILE
Machine: s1_win7_x6403_us
Started: July 26, 2022, 9:09 a.m.
Completed: July 26, 2022, 9:11 a.m.
Size: 10.5KB
Type: Zip archive data, at least v2.0 to extract
MD5: 730768c4f029608adf0032e95e8e8a1d
SHA256: 94fabeeeffae82a107913815c2b62e4311aeef432197e0d2d6af40a7a65cd5f1
CRC32: E72B1BB1
ssdeep: 192:CEhMA1GheFb8c9264wpHV7Z/c+8poF1d3jvvtlFOrGxjPkfzUUy2G:Cq/1GAFbx92hwhcfa7pr1lFOyxjPkfz+
Yara
  • docx - Word 2007 file format detection

Name Response Post-Analysis Lookup
akmalreload.com 172.67.190.5

IP Address Status Action
104.21.73.122 Active Moloch
117.18.232.200 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49167 -> 104.21.73.122:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49163 -> 104.21.73.122:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49164 -> 104.21.73.122:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49172 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49166 -> 104.21.73.122:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49174 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 117.18.232.200:443 -> 192.168.56.103:49182 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 117.18.232.200:443 -> 192.168.56.103:49176 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49181 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 117.18.232.200:443 -> 192.168.56.103:49177 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 117.18.232.200:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint

TLSv1 192.168.56.103:49167 -> 104.21.73.122:443
  Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
  Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
  Fingerprint: a3:24:33:73:ac:39:45:2e:aa:54:cb:fe:cc:d2:87:8a:b0:7a:7c:20

TLSv1 192.168.56.103:49163 -> 104.21.73.122:443
  Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
  Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
  Fingerprint: a3:24:33:73:ac:39:45:2e:aa:54:cb:fe:cc:d2:87:8a:b0:7a:7c:20

TLSv1 192.168.56.103:49164 -> 104.21.73.122:443
  Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
  Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
  Fingerprint: a3:24:33:73:ac:39:45:2e:aa:54:cb:fe:cc:d2:87:8a:b0:7a:7c:20

TLSv1 192.168.56.103:49166 -> 104.21.73.122:443
  Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
  Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
  Fingerprint: a3:24:33:73:ac:39:45:2e:aa:54:cb:fe:cc:d2:87:8a:b0:7a:7c:20

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\15.0\Registration\{91150000-0011-0000-0000-0000000FF1CE}\DigitalProductID
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a
SLClose-0x28c osppc+0x2cb5 @ 0x6ac62cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6ac75629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6ac63412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6ac729af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6655a648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70934a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70934823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x701f30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x701f2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x6fa12b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x6fa12456
0x582e99
_MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x6f730fda
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6f7308cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6f71fa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6f71f808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6f71f7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6f553b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6f5522ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6f6e522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6f6e5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6f6e407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6f6e3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6f6e3f6b
DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x71b72aca
DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x71b72a8c
DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x71b8b117
DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x71b6b6c2
DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x71b688d5
wdCommandDispatch-0x370 winword+0x15c4 @ 0xbc15c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xbc1558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 3265036
registers.edi: 3265200
registers.eax: 3265036
registers.ebp: 3265116
registers.edx: 0
registers.ebx: 3266252
registers.esi: 3221549073
registers.ecx: 2147483648
1 0 0
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request OPTIONS https://akmalreload.com/struk/
request HEAD https://akmalreload.com/struk/wellcome.html
request OPTIONS https://akmalreload.com/
request GET https://akmalreload.com/struk/wellcome.html
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a796000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a77b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a787000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a76b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a766000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a7ab000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a747000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a78b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a7b2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a79b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a796000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a77b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a787000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a76b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a766000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a7ab000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a747000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6a78b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69f06000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69e04000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69dc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69d32000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x699c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0a940000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2280
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0a9b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00981000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6f8bf000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2544
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x355a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x355a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75599000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x355a0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x755a7000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6acd4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7362a000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69f06000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x69d32000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x691d1000
process_handle: 0xffffffff
1 0 0
Application Crash Process WINWORD.EXE with pid 2280 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a
SLClose-0x28c osppc+0x2cb5 @ 0x6ac62cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6ac75629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6ac63412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6ac729af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6655a648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x70934a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x70934823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x701f30d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x701f2e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x6fa12b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x6fa12456
0x582e99
_MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x6f730fda
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x6f7308cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x6f71fa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x6f71f808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x6f71f7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x6f553b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x6f5522ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x6f6e522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x6f6e5189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x6f6e407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x6f6e3fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x6f6e3f6b
DllGetClassObject+0x6de67 DllGetLCID-0x1df82c wwlib+0x72aca @ 0x71b72aca
DllGetClassObject+0x6de29 DllGetLCID-0x1df86a wwlib+0x72a8c @ 0x71b72a8c
DllGetClassObject+0x864b4 DllGetLCID-0x1c71df wwlib+0x8b117 @ 0x71b8b117
DllGetClassObject+0x66a5f DllGetLCID-0x1e6c34 wwlib+0x6b6c2 @ 0x71b6b6c2
DllGetClassObject+0x63c72 DllGetLCID-0x1e9a21 wwlib+0x688d5 @ 0x71b688d5
wdCommandDispatch-0x370 winword+0x15c4 @ 0xbc15c4
wdCommandDispatch-0x3dc winword+0x1558 @ 0xbc1558
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 3265036
registers.edi: 3265200
registers.eax: 3265036
registers.ebp: 3265116
registers.edx: 0
registers.ebx: 3266252
registers.esi: 3221549073
registers.ecx: 2147483648
1 0 0
file C:\Users\test22\AppData\Local\Temp\~$urt Fine.doc
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x0000048c
filepath: C:\Users\test22\AppData\Local\Temp\~$urt Fine.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$urt Fine.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2280
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x7ef50000
process_handle: 0xffffffff
1 0 0
host 117.18.232.200
parent_process winword.exe martian_process C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE
cmdline C:\Program Files (x86)\Microsoft Office\Office15\MSOSYNC.EXE
mutex Local\Microsoft_Office_15Csi_CTTxnTableLock:{C89A3387-C516-4D9D-8B4F-0A73C72D24D6}:TID{F85AF7C9-265C-434D-ACAE-E783DFE17053}
mutex Local\Microsoft_Office_15CSI_WDW:{99EC41DB-E08A-4CB7-B1C5-B132CF18328A}
mutex Local\Microsoft_Office_15Csi_CTTxnTableLock:{C89A3387-C516-4D9D-8B4F-0A73C72D24D6}:TID{7A3B9BC8-95AF-498B-A58A-AB578703D72A}
mutex Local\Microsoft_Office_15CSI_WDW:{F5300F9B-67B3-4394-B36C-40535D719545}
mutex Local\Microsoft_Office_15CSI_WDW:{F71CDDF5-B722-4875-91D9-6F35C2BFB69B}
mutex Local\Microsoft_Office_15CSI_OMTX:{AC6EB2DF-8684-4913-9C8F-25C884C086A2}
mutex Global\Microsoft_Office_15Csi:GC:C:/Users/test22/AppData/Local/Microsoft/Office/15.0/OfficeFileCache/LocalCacheFileEditManager/FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF
mutex Local\Microsoft_Office_15CSI_OMTX:{F71CDDF5-B722-4875-91D9-6F35C2BFB69B}
mutex Local\Microsoft_Office_15CSI_WDW:{EA5D96F4-B870-47B6-A354-3FF530F62905}
mutex Local\Microsoft_Office_15Csi_CTTxnTableLock:{C89A3387-C516-4D9D-8B4F-0A73C72D24D6}:TID{BFCEF68A-3F40-481B-B237-FD551CEC6C8A}
mutex Local\Microsoft_Office_15Csi_CTTxnTableLock:{C89A3387-C516-4D9D-8B4F-0A73C72D24D6}:TID{48DEC616-56E4-4F30-8030-C51111C102A9}
mutex Local\Microsoft_Office_15Csi_CTTxnTableLock:{C89A3387-C516-4D9D-8B4F-0A73C72D24D6}:TID{4A6D6FD4-6B5E-4B91-B650-BF1EC9669D4C}
mutex Local\Microsoft_Office_15CSI_WDW:{E09B42F0-1980-49DC-9991-BBEDD8FB1BBD}
mutex Local\Microsoft_Office_15CSI_WDW:{00C3B392-0EF5-43C2-9ABD-C30510CC21D8}
mutex Local\Microsoft_Office_15CSI_WDW:{B5DB1F71-5BE6-4134-95F9-3C56939446B1}
mutex Local\Microsoft_Office_15Csi_TableRuntimeBucketsLock:{00C3B392-0EF5-43C2-9ABD-C30510CC21D8}
mutex Local\Microsoft_Office_15CSI_WDW:{AC6EB2DF-8684-4913-9C8F-25C884C086A2}
mutex Local\Microsoft_Office_15CSI_OMTX:{99EC41DB-E08A-4CB7-B1C5-B132CF18328A}
mutex Local\Microsoft_Office_15CSI_WDW:{3C7C869B-BE9C-40F7-B845-C19AA57C37AB}
mutex Local\Microsoft_Office_15Csi_CTTxnTableLock:{C89A3387-C516-4D9D-8B4F-0A73C72D24D6}:TID{5585BD79-2A2B-4359-8F93-404ED6147369}
mutex Local\Microsoft_Office_15Csi_CTTxnTableLock:{C89A3387-C516-4D9D-8B4F-0A73C72D24D6}:TID{D0A49606-3BBC-45A0-A810-6E7F9720E394}
mutex Local\Microsoft_Office_15Csi_CTTxnTableLock:{C89A3387-C516-4D9D-8B4F-0A73C72D24D6}:TID{16284F64-D1CB-4015-ACFA-9E3944D6B6DD}
udp {u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 81939, u'time': 4.102802038192749, u'dport': 3702, u'sport': 49152}
udp {u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 90315, u'time': 93.74365592002869, u'dport': 1900, u'sport': 51938}
Lionic Trojan.MSOffice.Agent.3!c
ClamAV Win.Exploit.CVE_2022_30190-9951234-1
FireEye Trojan.GenericKD.49402779
CAT-QuickHeal XML.CVE-2022-30190.46638
McAfee W97M/Downloader.dvh
VIPRE Exploit.CVE-2022-30190.Gen.1
Sangfor Exploit.Generic-Script.Save.c905d40d
Alibaba Exploit:Office/CVE-2022-30190.d6d75549
Arcabit Exploit.CVE-2022-30190.Gen.1
Cyren DOCX/CVE-2022-30190.A.aggr!Camelot
ESET-NOD32 DOC/TrojanDownloader.Agent.AAP
Avast Other:Malware-gen [Trj]
Cynet Malicious (score: 99)
Kaspersky HEUR:Exploit.MSOffice.Agent.n
BitDefender Trojan.GenericKD.49402779
NANO-Antivirus Exploit.Xml.CVE-2017-0199.equmby
ViRobot DOC.Z.CVE-2022-3019.10734.A
MicroWorld-eScan Trojan.GenericKD.49402779
Ad-Aware Trojan.GenericKD.49402779
Emsisoft Trojan.GenericKD.49402779 (B)
McAfee-GW-Edition W97M/Downloader.dve
GData Trojan.GenericKD.49402779
Avira W97M/Dldr.Agent.G1
MAX malware (ai score=80)
Antiy-AVL Trojan/Generic.ASDOH.52
Microsoft Exploit:O97M/CVE-2017-0199.CBSM!MTB
ZoneAlarm HEUR:Exploit.MSOffice.Agent.n
AhnLab-V3 Exploit/XML.CVE-2022-30190.S1842
ALYac Exploit.CVE-2022-30190
Zoner Probably Heur.W97OleLink
Rising Exploit.ExtLink/OFFICE!1.DD7A (CLASSIC)
Fortinet MSOffice/Agent.AAP!tr
AVG Other:Malware-gen [Trj]