Malware Analysis Report

2025-08-05 23:18

Sample ID: 250115-2b4n3axmd1
Target: JaffaCakes118_637d26ebff2da169c1d1dfa791628632
SHA256: 21c1a601a71638dfca04cfa7563f28a806e37e51aa0ae4b66dabd8c8ebfea8e6
Tags: discovery spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)

Each behavioral analysis below has the subsections Detonation Overview, Command Line, Signatures, Processes, Network and Files.

Analysis: behavioral30
Analysis: behavioral31
Analysis: behavioral13
Analysis: behavioral21
Analysis: behavioral10
Analysis: behavioral15
Analysis: behavioral27
Analysis: behavioral29
Analysis: behavioral24
Analysis: behavioral3
Analysis: behavioral16
Analysis: behavioral20
Analysis: behavioral14
Analysis: behavioral5
Analysis: behavioral8
Analysis: behavioral22
Analysis: behavioral25
Analysis: behavioral28
Analysis: behavioral32
Analysis: behavioral1
Analysis: behavioral7
Analysis: behavioral17
Analysis: behavioral26
Analysis: behavioral2
Analysis: behavioral9
Analysis: behavioral11
Analysis: behavioral12
Analysis: behavioral19
Analysis: behavioral4
Analysis: behavioral6
Analysis: behavioral18
Analysis: behavioral23

Analysis Overview

Score: 7/10

SHA256: 21c1a601a71638dfca04cfa7563f28a806e37e51aa0ae4b66dabd8c8ebfea8e6

Threat Level: Shows suspicious behavior

The file JaffaCakes118_637d26ebff2da169c1d1dfa791628632 was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Drops file in Windows directory

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

NSIS installer

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-01-15 22:25

Signatures

Unsigned PE

11 matches; no description, indicator, process or target reported.

NSIS installer

Tags: installer

4 matches; no description, indicator, process or target reported.

Analysis: behavioral30

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:29
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_CF.rtf" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_CF.rtf" /o ""

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp | 1
IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp | 1
US | 8.8.8.8:53 | 18.89.109.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp | 1
GB | 88.221.135.49:443 | metadata.templates.cdn.office.net | tcp | 1
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp | 1
GB | 2.19.252.161:443 | binaries.templates.cdn.office.net | tcp | 38
US | 8.8.8.8:53 | 181.129.81.91.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 49.135.221.88.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 161.252.19.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp | 1

Files

memory/1496-0-0x00007FFE36410000-0x00007FFE36420000-memory.dmp

memory/1496-1-0x00007FFE7642D000-0x00007FFE7642E000-memory.dmp

memory/1496-3-0x00007FFE36410000-0x00007FFE36420000-memory.dmp

memory/1496-4-0x00007FFE36410000-0x00007FFE36420000-memory.dmp

memory/1496-2-0x00007FFE36410000-0x00007FFE36420000-memory.dmp

memory/1496-6-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-5-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-11-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-14-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-13-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-15-0x00007FFE33AB0000-0x00007FFE33AC0000-memory.dmp

memory/1496-12-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-16-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-18-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-17-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-10-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-9-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-8-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-7-0x00007FFE36410000-0x00007FFE36420000-memory.dmp

memory/1496-19-0x00007FFE33AB0000-0x00007FFE33AC0000-memory.dmp

memory/1496-37-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-39-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

memory/1496-38-0x00007FFE7642D000-0x00007FFE7642E000-memory.dmp

memory/1496-40-0x00007FFE76390000-0x00007FFE76585000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 afe09be042add7287c238f581f6d5ba0
SHA1 7ecb90989e7a97d49b81f85f8daf33f6474fec32
SHA256 5a5db554b3efc4bc0495c9e06d60d991fe18663bf397d1cac4cf3be3acfa68e3
SHA512 93acfea766d9f29294d07d57ea052e2f601603f95d75f4039b3fd3ad358048dc052cf52bf3a6ecdc6367e87e79a80bea8435efeed083e8649cbd12bf9eac13f6

C:\Users\Admin\AppData\Local\Temp\TCD9A6.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral31

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:28
Platform: win7-20241010-en
Max time kernel: 60s
Max time network: 20s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf"

Signatures

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2916-0-0x000000002F491000-0x000000002F492000-memory.dmp

memory/2916-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2916-2-0x000000007115D000-0x0000000071168000-memory.dmp

memory/2916-9-0x000000007115D000-0x0000000071168000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:27
Platform: win7-20241010-en
Max time kernel: 118s
Max time network: 119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 224

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:27
Platform: win7-20240903-en
Max time kernel: 117s
Max time network: 117s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf"

Signatures

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2684-0-0x000000002F0F1000-0x000000002F0F2000-memory.dmp

memory/2684-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2684-2-0x000000007121D000-0x0000000071228000-memory.dmp

memory/2684-9-0x000000007121D000-0x0000000071228000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:28
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4572 wrote to memory of 872 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4572 wrote to memory of 872 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4572 wrote to memory of 872 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 872 -ip 872

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:27
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 224

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:27
Platform: win7-20241023-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_BL.rtf"

Signatures

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_BL.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2264-0-0x000000002F7C1000-0x000000002F7C2000-memory.dmp

memory/2264-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2264-2-0x00000000712AD000-0x00000000712B8000-memory.dmp

memory/2264-9-0x00000000712AD000-0x00000000712B8000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:27
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_CF.rtf"

Signatures

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_CF.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2536-0-0x000000002F981000-0x000000002F982000-memory.dmp

memory/2536-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2536-2-0x000000007310D000-0x0000000073118000-memory.dmp

memory/2536-5-0x000000007310D000-0x0000000073118000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:29
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf" /o ""

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | roaming.officeapps.live.com | udp | 1
IE | 52.109.76.243:443 | roaming.officeapps.live.com | tcp | 1
US | 8.8.8.8:53 | 243.76.109.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp | 1
GB | 88.221.135.49:443 | metadata.templates.cdn.office.net | tcp | 1
US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp | 1
GB | 2.19.252.161:443 | binaries.templates.cdn.office.net | tcp | 13
US | 8.8.8.8:53 | 49.135.221.88.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 161.252.19.2.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp | 1

Files

memory/3596-0-0x00007FFCC38ED000-0x00007FFCC38EE000-memory.dmp

memory/3596-1-0x00007FFC838D0000-0x00007FFC838E0000-memory.dmp

memory/3596-2-0x00007FFC838D0000-0x00007FFC838E0000-memory.dmp

memory/3596-3-0x00007FFC838D0000-0x00007FFC838E0000-memory.dmp

memory/3596-6-0x00007FFCC3850000-0x00007FFCC3A45000-memory.dmp

memory/3596-5-0x00007FFCC3850000-0x00007FFCC3A45000-memory.dmp

memory/3596-4-0x00007FFC838D0000-0x00007FFC838E0000-memory.dmp

memory/3596-7-0x00007FFC838D0000-0x00007FFC838E0000-memory.dmp

memory/3596-10-0x00007FFCC3850000-0x00007FFCC3A45000-memory.dmp

memory/3596-11-0x00007FFCC3850000-0x00007FFCC3A45000-memory.dmp

memory/3596-9-0x00007FFCC3850000-0x00007FFCC3A45000-memory.dmp

memory/3596-12-0x00007FFC81480000-0x00007FFC81490000-memory.dmp

memory/3596-8-0x00007FFCC3850000-0x00007FFCC3A45000-memory.dmp

memory/3596-13-0x00007FFC81480000-0x00007FFC81490000-memory.dmp

memory/3596-25-0x00007FFCC3850000-0x00007FFCC3A45000-memory.dmp

memory/3596-26-0x00007FFCC38ED000-0x00007FFCC38EE000-memory.dmp

memory/3596-27-0x00007FFCC3850000-0x00007FFCC3A45000-memory.dmp

memory/3596-28-0x00007FFCC3850000-0x00007FFCC3A45000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 58d544a59c8ded097ae6c9fdf4a5f542
SHA1 221c4f8ebab3b3952687034cd02063edfc5ca5f0
SHA256 342d8a621406634c4cb9698de1028fb78dfe34c747e03e703ab1c03e2a084f09
SHA512 6bb39c5fdbb7732136db6582f6d35309d2302313dae330bbab8e401eccd345e9632f736155a6b2c572d58e9d958e3cc3b45d83b093dea917824dddf1f2fd8572

C:\Users\Admin\AppData\Local\Temp\TCDFDF5.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral3

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:27
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\215AppsChecker.exe"

Signatures

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\215AppsChecker.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\215AppsChecker.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\215AppsChecker.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\215AppsChecker.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\nsd75DC.tmp\StdUtils.dll

MD5 21010df9bc37daffcc0b5ae190381d85
SHA1 a8ba022aafc1233894db29e40e569dfc8b280eb9
SHA256 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16
SHA512 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Analysis: behavioral16

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:28
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4020 wrote to memory of 4460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4020 wrote to memory of 4460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4020 wrote to memory of 4460 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4460 -ip 4460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 612

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | | udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted: 2025-01-15 22:25
Reported: 2025-01-15 22:29
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dlhelpdl.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dlhelpdl.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dlhelpdl.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dlhelpdl.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nst8F60.tmp\inetc.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:28

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4424 wrote to memory of 2896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4424 wrote to memory of 2896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4424 wrote to memory of 2896 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2896 -ip 2896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:28

Platform

win7-20240903-en

Max time kernel

14s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:28

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

147s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 169.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 161.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

memory/3656-1-0x00007FFE7514D000-0x00007FFE7514E000-memory.dmp

memory/3656-0-0x00007FFE35130000-0x00007FFE35140000-memory.dmp

memory/3656-3-0x00007FFE35130000-0x00007FFE35140000-memory.dmp

memory/3656-2-0x00007FFE35130000-0x00007FFE35140000-memory.dmp

memory/3656-5-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-6-0x00007FFE35130000-0x00007FFE35140000-memory.dmp

memory/3656-9-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-10-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-12-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-11-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-13-0x00007FFE330D0000-0x00007FFE330E0000-memory.dmp

memory/3656-8-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-7-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-4-0x00007FFE35130000-0x00007FFE35140000-memory.dmp

memory/3656-14-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-16-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-19-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-20-0x00007FFE330D0000-0x00007FFE330E0000-memory.dmp

memory/3656-18-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-17-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-15-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-32-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-33-0x00007FFE7514D000-0x00007FFE7514E000-memory.dmp

memory/3656-34-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

memory/3656-35-0x00007FFE750B0000-0x00007FFE752A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 4809b41c56b0e01c0721be472baab5b7
SHA1 f6199d968155d73aeb585946fc517ad504c98db8
SHA256 af049236756bcc849b087cd4b1ae49d91c6ac4e593b59cc09dfaf8920a88e3d6
SHA512 cd1f63a3176bcb0d850e3eb141bf796dce48bdd397d6ba1337f24702b547821e9602cc59523acc3526666e531ef675a11f25234016d818a8614f836ee66e6a0b

C:\Users\Admin\AppData\Local\Temp\TCDBBF2.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral22

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:29

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 161.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/1008-0-0x00007FF973AF0000-0x00007FF973B00000-memory.dmp

memory/1008-1-0x00007FF9B3B0D000-0x00007FF9B3B0E000-memory.dmp

memory/1008-3-0x00007FF973AF0000-0x00007FF973B00000-memory.dmp

memory/1008-2-0x00007FF973AF0000-0x00007FF973B00000-memory.dmp

memory/1008-4-0x00007FF973AF0000-0x00007FF973B00000-memory.dmp

memory/1008-5-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/1008-8-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/1008-9-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/1008-14-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/1008-13-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/1008-12-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/1008-11-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/1008-10-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/1008-7-0x00007FF973AF0000-0x00007FF973B00000-memory.dmp

memory/1008-6-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/1008-15-0x00007FF971A90000-0x00007FF971AA0000-memory.dmp

memory/1008-16-0x00007FF971A90000-0x00007FF971AA0000-memory.dmp

memory/1008-28-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/1008-29-0x00007FF9B3B0D000-0x00007FF9B3B0E000-memory.dmp

memory/1008-30-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

memory/1008-31-0x00007FF9B3A70000-0x00007FF9B3C65000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 eea40cb1faf75e1dd1d139c9319217fd
SHA1 61a01acfc1caf13605bdae43e16c5e5f67ce8b2c
SHA256 474a628b184f2757578e8f6d4b85469105d96df71e24d5ecc873b1b4f607594d
SHA512 407579326bacb0c1a68b13895195c66eb532be4cd8f13df63a09b611cbf5b03d69864386c0aea6cf08bbdd300f0225e56654b2fe6b31638c3741e373c7f19bd1

C:\Users\Admin\AppData\Local\Temp\TCD109C.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral25

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:28

Platform

win7-20240903-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2676 -s 236

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:29

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

143s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_BL.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_BL.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 136.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1168-0-0x00007FF834450000-0x00007FF834460000-memory.dmp

memory/1168-1-0x00007FF87446D000-0x00007FF87446E000-memory.dmp

memory/1168-3-0x00007FF834450000-0x00007FF834460000-memory.dmp

memory/1168-2-0x00007FF834450000-0x00007FF834460000-memory.dmp

memory/1168-4-0x00007FF834450000-0x00007FF834460000-memory.dmp

memory/1168-6-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-5-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-7-0x00007FF834450000-0x00007FF834460000-memory.dmp

memory/1168-10-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-9-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-11-0x00007FF8323F0000-0x00007FF832400000-memory.dmp

memory/1168-8-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-15-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-14-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-16-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-17-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-13-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-12-0x00007FF8323F0000-0x00007FF832400000-memory.dmp

memory/1168-29-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-30-0x00007FF87446D000-0x00007FF87446E000-memory.dmp

memory/1168-31-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

memory/1168-32-0x00007FF8743D0000-0x00007FF8745C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 59f51c4806fe140b7fef181be1f3f2f6
SHA1 c50a131dac9f74f46c5c5de5de1d0a1722e06fa5
SHA256 43e3f5151205314aec9da1ec0c591c8040900d074976923791d8876980eab86c
SHA512 89b1f9bb8afb7d451f589bb93828cddbeaa23b89dc5afd898c4e77dd2ae2e949bfeb158c387c7be39996d10838cb6b25cdb0b9ca5cb11fefbfdb10f1235c7197

C:\Users\Admin\AppData\Local\Temp\TCDFDD0.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral32

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:29

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 161.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/3060-1-0x00007FFD831CD000-0x00007FFD831CE000-memory.dmp

memory/3060-0-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

memory/3060-3-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

memory/3060-2-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

memory/3060-4-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

memory/3060-6-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-5-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-7-0x00007FFD431B0000-0x00007FFD431C0000-memory.dmp

memory/3060-9-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-8-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-10-0x00007FFD409B0000-0x00007FFD409C0000-memory.dmp

memory/3060-11-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-15-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-18-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-19-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-17-0x00007FFD409B0000-0x00007FFD409C0000-memory.dmp

memory/3060-16-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-14-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-13-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-12-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/3060-37-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-38-0x00007FFD831CD000-0x00007FFD831CE000-memory.dmp

memory/3060-39-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

memory/3060-40-0x00007FFD83130000-0x00007FFD83325000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDDAE6.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:27

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE16B.tmp\215AppsChecker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nseE16B.tmp\dlhelpdl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nseE16B.tmp\dlhelpdl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nseE16B.tmp\215AppsChecker.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2192 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe C:\Users\Admin\AppData\Local\Temp\nseE16B.tmp\215AppsChecker.exe
PID 2192 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe C:\Users\Admin\AppData\Local\Temp\nseE16B.tmp\dlhelpdl.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe"

C:\Users\Admin\AppData\Local\Temp\nseE16B.tmp\215AppsChecker.exe

C:\Users\Admin\AppData\Local\Temp\nseE16B.tmp\215AppsChecker.exe /checkispublisherinstalled

C:\Users\Admin\AppData\Local\Temp\nseE16B.tmp\dlhelpdl.exe

C:\Users\Admin\AppData\Local\Temp\nseE16B.tmp\dlhelpdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~4883~4908~~URL Parts Error~~SendRequest Error~C2-8A-DB-22-2B-BA~#~~SendRequest Error~~IE~~

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.northdl4best.com udp

Files

\Users\Admin\AppData\Local\Temp\nseE16B.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

\Users\Admin\AppData\Local\Temp\nseE16B.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nseE16B.tmp\intlib.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

\Users\Admin\AppData\Local\Temp\nseE16B.tmp\Math.dll

MD5 b140459077c7c39be4bef249c2f84535
SHA1 c56498241c2ddafb01961596da16d08d1b11cd35
SHA256 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67
SHA512 fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

memory/2192-60-0x0000000001D00000-0x0000000001D1A000-memory.dmp

\Users\Admin\AppData\Local\Temp\nseE16B.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nseE16B.tmp\registry.dll

MD5 24a7a119e289f1b5b69f3d6cf258db7c
SHA1 fec84298f9819adf155fcf4e9e57dd402636c177
SHA256 ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
SHA512 fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

\Users\Admin\AppData\Local\Temp\nseE16B.tmp\GetVersion.dll

MD5 5264f7d6d89d1dc04955cfb391798446
SHA1 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc
SHA256 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4
SHA512 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

\Users\Admin\AppData\Local\Temp\nseE16B.tmp\215AppsChecker.exe

MD5 420320e78490a36cf23cb17ffbb13358
SHA1 fcf1151c22f9b8c9e29ec6387b38e6b040bd196e
SHA256 bc13af4eb6cc4917d617785d7e4ad09f64745a9cf06354833e815e9229ce8dcf
SHA512 fe2774fd095c3a3b51b01a1da1c5fcd49b53f939b647c84cdfd3c243cb74644ca2909971bc87d3e5c8781a93c27ac3ef7691625a024008b4f1ffba4c947cd023

\Users\Admin\AppData\Local\Temp\nsyF0D5.tmp\StdUtils.dll

MD5 21010df9bc37daffcc0b5ae190381d85
SHA1 a8ba022aafc1233894db29e40e569dfc8b280eb9
SHA256 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16
SHA512 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

\Users\Admin\AppData\Local\Temp\nseE16B.tmp\dlhelpdl.exe

MD5 0712e3c1929c12ae94f88eefdf5e8b81
SHA1 ea2460edb455c5b4ab7e078a306ef1e14d8b57bb
SHA256 48b1d33c040dd911bcbc87ece37f8dd84c1e62a338bb1d744f603c831358c164
SHA512 4ed7ef637ccffc1705c9a5ec29c969eabb496d218a2349acb20a7cdb8757098dd713526de029315f3b88abdf4bd857623b2479c15286b2e0696bfb8a6c7812f5

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:27

Platform

win7-20240708-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf"

Network

N/A

Files

memory/2860-0-0x000000002F6A1000-0x000000002F6A2000-memory.dmp

memory/2860-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2860-2-0x000000007189D000-0x00000000718A8000-memory.dmp

memory/2860-5-0x000000007189D000-0x00000000718A8000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:27

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 224

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:29

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

138s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3756 wrote to memory of 5012 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5012 -ip 5012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:28

Platform

win10v2004-20241007-en

Max time kernel

96s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\dlhelpdl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\dlhelpdl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\dlhelpdl.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_637d26ebff2da169c1d1dfa791628632.exe"

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\dlhelpdl.exe

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\dlhelpdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~4883~4908~~URL Parts Error~~SendRequest Error~C6-70-90-DD-15-99~#~~SendRequest Error~~~~

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2808 -ip 2808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 132

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.northdl4best.com udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\intlib.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\Math.dll

MD5 b140459077c7c39be4bef249c2f84535
SHA1 c56498241c2ddafb01961596da16d08d1b11cd35
SHA256 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67
SHA512 fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

memory/2808-65-0x0000000002AD0000-0x0000000002AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\registry.dll

MD5 24a7a119e289f1b5b69f3d6cf258db7c
SHA1 fec84298f9819adf155fcf4e9e57dd402636c177
SHA256 ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
SHA512 fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\GetVersion.dll

MD5 5264f7d6d89d1dc04955cfb391798446
SHA1 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc
SHA256 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4
SHA512 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nsk6051.tmp\dlhelpdl.exe

MD5 0712e3c1929c12ae94f88eefdf5e8b81
SHA1 ea2460edb455c5b4ab7e078a306ef1e14d8b57bb
SHA256 48b1d33c040dd911bcbc87ece37f8dd84c1e62a338bb1d744f603c831358c164
SHA512 4ed7ef637ccffc1705c9a5ec29c969eabb496d218a2349acb20a7cdb8757098dd713526de029315f3b88abdf4bd857623b2479c15286b2e0696bfb8a6c7812f5

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:27

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 224

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:28

Platform

win7-20240729-en

Max time kernel

53s

Max time network

21s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Iminent_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Iminent_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1756-0-0x000000002F621000-0x000000002F622000-memory.dmp

memory/1756-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1756-2-0x000000007187D000-0x0000000071888000-memory.dmp

memory/1756-5-0x000000007187D000-0x0000000071888000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:28

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

145s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Iminent_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Iminent_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.161:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 161.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4740-3-0x00007FFCE3EAD000-0x00007FFCE3EAE000-memory.dmp

memory/4740-2-0x00007FFCA3E90000-0x00007FFCA3EA0000-memory.dmp

memory/4740-1-0x00007FFCA3E90000-0x00007FFCA3EA0000-memory.dmp

memory/4740-0-0x00007FFCA3E90000-0x00007FFCA3EA0000-memory.dmp

memory/4740-6-0x00007FFCE3E10000-0x00007FFCE4005000-memory.dmp

memory/4740-7-0x00007FFCA3E90000-0x00007FFCA3EA0000-memory.dmp

memory/4740-5-0x00007FFCE3E10000-0x00007FFCE4005000-memory.dmp

memory/4740-4-0x00007FFCA3E90000-0x00007FFCA3EA0000-memory.dmp

memory/4740-10-0x00007FFCE3E10000-0x00007FFCE4005000-memory.dmp

memory/4740-9-0x00007FFCE3E10000-0x00007FFCE4005000-memory.dmp

memory/4740-8-0x00007FFCE3E10000-0x00007FFCE4005000-memory.dmp

memory/4740-11-0x00007FFCE3E10000-0x00007FFCE4005000-memory.dmp

memory/4740-12-0x00007FFCA1E30000-0x00007FFCA1E40000-memory.dmp

memory/4740-13-0x00007FFCA1E30000-0x00007FFCA1E40000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/4740-31-0x00007FFCE3E10000-0x00007FFCE4005000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 f8835835237a089d0d9e1a7abbb7fcdc
SHA1 fdaef521a81f94298266ace1704d208c6f9076bf
SHA256 008f5ddf03c8d26d29080ddaa897d94c721e804a9047dd150f343267974a665b
SHA512 317680ca194c46fc47c28a5ce3e0171c435be583ef515366cad6c3c99b379a018ae7e543a433b31e1007de5ffe0beebd5f7602b4cd40521e4491b4244e3232d1

C:\Users\Admin\AppData\Local\Temp\TCDDA0E.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral19

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:27

Platform

win7-20240708-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dlhelpdl.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dlhelpdl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dlhelpdl.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dlhelpdl.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsyB6F1.tmp\inetc.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:28

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\215AppsChecker.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\215AppsChecker.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\215AppsChecker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\215AppsChecker.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\215AppsChecker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nsy8E95.tmp\StdUtils.dll

MD5 21010df9bc37daffcc0b5ae190381d85
SHA1 a8ba022aafc1233894db29e40e569dfc8b280eb9
SHA256 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16
SHA512 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:28

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 4596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4692 wrote to memory of 4596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4692 wrote to memory of 4596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4596 -ip 4596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:28

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1084 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1084 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1084 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 448 -ip 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-01-15 22:25

Reported

2025-01-15 22:27

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2380-0-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

memory/2380-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2380-2-0x0000000070B1D000-0x0000000070B28000-memory.dmp

memory/2380-9-0x0000000070B1D000-0x0000000070B28000-memory.dmp