Malware Analysis Report

2025-08-11 04:31

Sample ID 250115-t8zglsykgt
Target JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c
SHA256 186edf759a37067540eebd6b1f20768fe37b36d30c0b3c6a119a4b2c4ae91520
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

186edf759a37067540eebd6b1f20768fe37b36d30c0b3c6a119a4b2c4ae91520

Threat Level: Shows suspicious behavior

The file JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Program crash

NSIS installer

Office loads VBA resources, possible macro or embedded object present

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-15 16:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral26

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_CF.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_CF.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 198.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

memory/3032-0-0x00007FF907F50000-0x00007FF907F60000-memory.dmp

memory/3032-1-0x00007FF947F6D000-0x00007FF947F6E000-memory.dmp

memory/3032-5-0x00007FF907F50000-0x00007FF907F60000-memory.dmp

memory/3032-4-0x00007FF907F50000-0x00007FF907F60000-memory.dmp

memory/3032-6-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-3-0x00007FF907F50000-0x00007FF907F60000-memory.dmp

memory/3032-2-0x00007FF907F50000-0x00007FF907F60000-memory.dmp

memory/3032-10-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-9-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-11-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-15-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-14-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-13-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-12-0x00007FF905750000-0x00007FF905760000-memory.dmp

memory/3032-16-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-17-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-8-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-7-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-18-0x00007FF905750000-0x00007FF905760000-memory.dmp

memory/3032-36-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-38-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-37-0x00007FF947F6D000-0x00007FF947F6E000-memory.dmp

memory/3032-39-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

memory/3032-40-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 ebcd5f62e4d2620c279b57d660cff10b
SHA1 23f7f0e7212d45e4266d2129b4e7ee5df3ff0c4e
SHA256 2b5c326ae7ef7e78f0cb689ef06f6d0dc2ba480f518943cec7324dc27ce4edef
SHA512 dea5a09c87bdd04938e547b46b9119003c3b0bfb63d44bad586c61327b88f9967ca44923ecf4914f608e914228e3877697e0d29da91d14eae0098aba49f02d5c

C:\Users\Admin\AppData\Local\Temp\TCD2A6C.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral13

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

145s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4184 wrote to memory of 5020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4184 wrote to memory of 5020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4184 wrote to memory of 5020 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2452 wrote to memory of 2136 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2136 -ip 2136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 214.80.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2804 wrote to memory of 3972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2804 wrote to memory of 3972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2804 wrote to memory of 3972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3972 -ip 3972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsn8EA4.tmp\inetc.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

Analysis: behavioral31

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_SIM.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_SIM.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1416-0-0x000000002F881000-0x000000002F882000-memory.dmp

memory/1416-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1416-2-0x000000007120D000-0x0000000071218000-memory.dmp

memory/1416-5-0x000000007120D000-0x0000000071218000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4836 wrote to memory of 1124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4836 wrote to memory of 1124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4836 wrote to memory of 1124 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1124 -ip 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

145s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 195.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/4500-4-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

memory/4500-3-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

memory/4500-2-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

memory/4500-1-0x00007FFF940CD000-0x00007FFF940CE000-memory.dmp

memory/4500-0-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

memory/4500-5-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

memory/4500-6-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

memory/4500-7-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

memory/4500-13-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

memory/4500-12-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

memory/4500-11-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

memory/4500-14-0x00007FFF52050000-0x00007FFF52060000-memory.dmp

memory/4500-10-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

memory/4500-9-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

memory/4500-8-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

memory/4500-15-0x00007FFF52050000-0x00007FFF52060000-memory.dmp

memory/4500-29-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

memory/4500-30-0x00007FFF940CD000-0x00007FFF940CE000-memory.dmp

memory/4500-31-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

memory/4500-32-0x00007FFF94030000-0x00007FFF94225000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 cb0505adeeacdba1fa5c6f2c50ecb25b
SHA1 24ec87cf988a25ee194d785d2b1d1e9bc9f946fd
SHA256 32f132b9f32e69a24152b41048566fdce484577d86de4360b9cb41e4c7e1b54b
SHA512 ee39180974f58ac021905887514a595e24b2d42481141af92e9245611668e04451a41f304267254c7bffd2375009cfceab8d0e54390837a8800e1a44eb6159a1

C:\Users\Admin\AppData\Local\Temp\TCDF26B.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral28

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

136s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 195.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/4956-0-0x00007FFF81A70000-0x00007FFF81A80000-memory.dmp

memory/4956-1-0x00007FFF81A70000-0x00007FFF81A80000-memory.dmp

memory/4956-3-0x00007FFFC1A8D000-0x00007FFFC1A8E000-memory.dmp

memory/4956-2-0x00007FFF81A70000-0x00007FFF81A80000-memory.dmp

memory/4956-4-0x00007FFF81A70000-0x00007FFF81A80000-memory.dmp

memory/4956-10-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-5-0x00007FFF81A70000-0x00007FFF81A80000-memory.dmp

memory/4956-9-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-11-0x00007FFF7F400000-0x00007FFF7F410000-memory.dmp

memory/4956-8-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-16-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-15-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-14-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-13-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-12-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-7-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-6-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-20-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-19-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-22-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-21-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-18-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

memory/4956-17-0x00007FFF7F400000-0x00007FFF7F410000-memory.dmp

memory/4956-34-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 80617f6c50336958b383b1753d8552b8
SHA1 d5f7a1921809684b47ec7d597a20b05bed0f92bd
SHA256 2d45384acbb68ed34732b92dea86a8a61bd8f4c05965af167425bffbf92611ba
SHA512 7b5a770ed4605c36b2cbccb7da82e8e1da59d933b4f3a0b6cba5d46fbd0b42007969e7fed630bb7accf3b6fca53f484c058faeab1b34ad32c67fe3a1ed27c93a

C:\Users\Admin\AppData\Local\Temp\TCDA72.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20241023-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2908-0-0x000000002FF11000-0x000000002FF12000-memory.dmp

memory/2908-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2908-2-0x000000007196D000-0x0000000071978000-memory.dmp

memory/2908-5-0x000000007196D000-0x0000000071978000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240729-en

Max time kernel

94s

Max time network

16s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 224

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240903-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_BL.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_BL.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2672-0-0x000000002F681000-0x000000002F682000-memory.dmp

memory/2672-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2672-2-0x00000000712CD000-0x00000000712D8000-memory.dmp

memory/2672-9-0x00000000712CD000-0x00000000712D8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe"

C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe

C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~5558~4796~~URL Parts Error~~SendRequest Error~7E-CF-46-9E-42-CC~#~~SendRequest Error~~~~

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1120

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 www.first2foureast4.com udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\intlib.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\Math.dll

MD5 b140459077c7c39be4bef249c2f84535
SHA1 c56498241c2ddafb01961596da16d08d1b11cd35
SHA256 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67
SHA512 fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

memory/4592-61-0x0000000002AF0000-0x0000000002B0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\registry.dll

MD5 24a7a119e289f1b5b69f3d6cf258db7c
SHA1 fec84298f9819adf155fcf4e9e57dd402636c177
SHA256 ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
SHA512 fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\GetVersion.dll

MD5 5264f7d6d89d1dc04955cfb391798446
SHA1 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc
SHA256 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4
SHA512 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe

MD5 f737932236aaf871af646c802f8a9bfa
SHA1 c3256ef959ae31543756fc74f25ae8fd1598dadb
SHA256 37d60d891c8557fffc52f5951d82b0756f962d073b842bd975633ed93737ce80
SHA512 29c42a72560f7a2141e2036910e8cb033fbc3d3b6fe14f9e31b87ed1bd55d57d4be0de4217dd642ac5351f4460084b99c3026d09f9714b356dc103117ae5ba42

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20241010-en

Max time kernel

14s

Max time network

18s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 228

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240729-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1896-0-0x000000002F371000-0x000000002F372000-memory.dmp

memory/1896-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1896-2-0x0000000070B3D000-0x0000000070B48000-memory.dmp

memory/1896-9-0x0000000070B3D000-0x0000000070B48000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_MLPC.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_MLPC.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2532-0-0x000000002F481000-0x000000002F482000-memory.dmp

memory/2532-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2532-2-0x00000000718DD000-0x00000000718E8000-memory.dmp

memory/2532-9-0x00000000718DD000-0x00000000718E8000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:48

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

144s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_SIM.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_SIM.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 195.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3104-1-0x00007FF9FDE2D000-0x00007FF9FDE2E000-memory.dmp

memory/3104-0-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp

memory/3104-3-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp

memory/3104-2-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp

memory/3104-11-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-10-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-9-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-8-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-12-0x00007FF9BBCA0000-0x00007FF9BBCB0000-memory.dmp

memory/3104-7-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-16-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-18-0x00007FF9BBCA0000-0x00007FF9BBCB0000-memory.dmp

memory/3104-22-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-21-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-20-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-19-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-17-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-15-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-14-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-13-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-6-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-5-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp

memory/3104-4-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp

memory/3104-34-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-35-0x00007FF9FDE2D000-0x00007FF9FDE2E000-memory.dmp

memory/3104-36-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

memory/3104-40-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3fcef405eac4c98619094ce1c9069ce6
SHA1 762148c87419b6299cabc4a0eafd609b78211eec
SHA256 a6de491417ff40b833e40f112d17fe1225594983d6bd3f9bdffb272b78364f25
SHA512 b779261552048d4fa598855962e9261287c24dd0edf1bd373f6e91deba660b35440dbd4923770e47ad5046bd600acfa46b17b17d1103a61a861a75ea28485c57

C:\Users\Admin\AppData\Local\Temp\TCD2943.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Analysis: behavioral20

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

146s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 195.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3972-0-0x00007FFEDB00D000-0x00007FFEDB00E000-memory.dmp

memory/3972-1-0x00007FFE9AFF0000-0x00007FFE9B000000-memory.dmp

memory/3972-2-0x00007FFE9AFF0000-0x00007FFE9B000000-memory.dmp

memory/3972-3-0x00007FFE9AFF0000-0x00007FFE9B000000-memory.dmp

memory/3972-6-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-5-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-7-0x00007FFE9AFF0000-0x00007FFE9B000000-memory.dmp

memory/3972-4-0x00007FFE9AFF0000-0x00007FFE9B000000-memory.dmp

memory/3972-11-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-12-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-14-0x00007FFE98C20000-0x00007FFE98C30000-memory.dmp

memory/3972-15-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-17-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-18-0x00007FFE98C20000-0x00007FFE98C30000-memory.dmp

memory/3972-16-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-13-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-10-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-9-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-8-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-30-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-31-0x00007FFEDB00D000-0x00007FFEDB00E000-memory.dmp

memory/3972-32-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

memory/3972-33-0x00007FFEDAF70000-0x00007FFEDB165000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3e9e175c3e51f3446c27213f32ae72b6
SHA1 3893e348e24e143b55ee4cb02b5ba42ef6f5a3a4
SHA256 3d87828533db1162f824e7e0ce9b1fea55b2751cf8445b1a615d70d77af5e237
SHA512 754cca63a4b438dc71f303ac5ad859ec57296f5bf9a2e36efc1e837e8de8b973b9268f9980489e979f00df5e7fd85e530a797cd0111f207a7f517a8b7dd1cbcb

C:\Users\Admin\AppData\Local\Temp\TCDEBF0.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1404 wrote to memory of 3960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1404 wrote to memory of 3960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1404 wrote to memory of 3960 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3960 -ip 3960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240903-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 224

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20241010-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2332-2-0x000000007105D000-0x0000000071068000-memory.dmp

memory/2332-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2332-0-0x000000002FC91000-0x000000002FC92000-memory.dmp

memory/2332-10-0x000000007105D000-0x0000000071068000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20241010-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 236

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240903-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_CF.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_CF.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2076-0-0x000000002FB31000-0x000000002FB32000-memory.dmp

memory/2076-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2076-2-0x0000000070FBD000-0x0000000070FC8000-memory.dmp

memory/2076-9-0x0000000070FBD000-0x0000000070FC8000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_MLPC.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_MLPC.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 195.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

memory/1048-0-0x00007FF9206CD000-0x00007FF9206CE000-memory.dmp

memory/1048-1-0x00007FF8E06B0000-0x00007FF8E06C0000-memory.dmp

memory/1048-3-0x00007FF8E06B0000-0x00007FF8E06C0000-memory.dmp

memory/1048-2-0x00007FF8E06B0000-0x00007FF8E06C0000-memory.dmp

memory/1048-5-0x00007FF920630000-0x00007FF920825000-memory.dmp

memory/1048-6-0x00007FF920630000-0x00007FF920825000-memory.dmp

memory/1048-7-0x00007FF8E06B0000-0x00007FF8E06C0000-memory.dmp

memory/1048-4-0x00007FF8E06B0000-0x00007FF8E06C0000-memory.dmp

memory/1048-12-0x00007FF920630000-0x00007FF920825000-memory.dmp

memory/1048-14-0x00007FF920630000-0x00007FF920825000-memory.dmp

memory/1048-15-0x00007FF8DE010000-0x00007FF8DE020000-memory.dmp

memory/1048-13-0x00007FF920630000-0x00007FF920825000-memory.dmp

memory/1048-11-0x00007FF920630000-0x00007FF920825000-memory.dmp

memory/1048-10-0x00007FF920630000-0x00007FF920825000-memory.dmp

memory/1048-9-0x00007FF920630000-0x00007FF920825000-memory.dmp

memory/1048-8-0x00007FF920630000-0x00007FF920825000-memory.dmp

memory/1048-16-0x00007FF8DE010000-0x00007FF8DE020000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1048-34-0x00007FF920630000-0x00007FF920825000-memory.dmp

memory/1048-35-0x00007FF9206CD000-0x00007FF9206CE000-memory.dmp

memory/1048-36-0x00007FF920630000-0x00007FF920825000-memory.dmp

memory/1048-37-0x00007FF920630000-0x00007FF920825000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 4ff0cabfc194df31a52d18dc4beeedb2
SHA1 d13279efd8d9ae2b73d86fa6f921b8b848cb5679
SHA256 5595d5d327a240264782b9adb919c29bf00bc30bd2a347d8e586c07c37a53969
SHA512 2d89bd265e7376b994c262a57c4296be7257cf43f826ce7b00dbad7d25d3378fc31864494899e3ac7ad3de456f2cf0c0443c0a0a790d345f766970975ebc87e5

C:\Users\Admin\AppData\Local\Temp\TCDE415.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe"

C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe

C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~5558~4796~~URL Parts Error~~SendRequest Error~F2-DF-72-04-BD-4F~#~~SendRequest Error~~IE~~

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.first2foureast4.com udp

Files

\Users\Admin\AppData\Local\Temp\nsdA084.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

\Users\Admin\AppData\Local\Temp\nsdA084.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nsdA084.tmp\intlib.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

\Users\Admin\AppData\Local\Temp\nsdA084.tmp\Math.dll

MD5 b140459077c7c39be4bef249c2f84535
SHA1 c56498241c2ddafb01961596da16d08d1b11cd35
SHA256 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67
SHA512 fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

memory/2916-56-0x0000000000A80000-0x0000000000A9A000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsdA084.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nsdA084.tmp\registry.dll

MD5 24a7a119e289f1b5b69f3d6cf258db7c
SHA1 fec84298f9819adf155fcf4e9e57dd402636c177
SHA256 ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
SHA512 fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

\Users\Admin\AppData\Local\Temp\nsdA084.tmp\GetVersion.dll

MD5 5264f7d6d89d1dc04955cfb391798446
SHA1 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc
SHA256 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4
SHA512 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe

MD5 f737932236aaf871af646c802f8a9bfa
SHA1 c3256ef959ae31543756fc74f25ae8fd1598dadb
SHA256 37d60d891c8557fffc52f5951d82b0756f962d073b842bd975633ed93737ce80
SHA512 29c42a72560f7a2141e2036910e8cb033fbc3d3b6fe14f9e31b87ed1bd55d57d4be0de4217dd642ac5351f4460084b99c3026d09f9714b356dc103117ae5ba42

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

140s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 198.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/372-1-0x00007FFD6590D000-0x00007FFD6590E000-memory.dmp

memory/372-0-0x00007FFD258F0000-0x00007FFD25900000-memory.dmp

memory/372-3-0x00007FFD258F0000-0x00007FFD25900000-memory.dmp

memory/372-2-0x00007FFD258F0000-0x00007FFD25900000-memory.dmp

memory/372-5-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp

memory/372-6-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp

memory/372-4-0x00007FFD258F0000-0x00007FFD25900000-memory.dmp

memory/372-7-0x00007FFD258F0000-0x00007FFD25900000-memory.dmp

memory/372-9-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp

memory/372-11-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp

memory/372-10-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp

memory/372-12-0x00007FFD23040000-0x00007FFD23050000-memory.dmp

memory/372-8-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp

memory/372-13-0x00007FFD23040000-0x00007FFD23050000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/372-33-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp

memory/372-34-0x00007FFD6590D000-0x00007FFD6590E000-memory.dmp

memory/372-35-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp

memory/372-36-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDA743.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Analysis: behavioral15

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nstD3C4.tmp\inetc.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

Analysis: behavioral17

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:46

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2324-0-0x000000002F051000-0x000000002F052000-memory.dmp

memory/2324-2-0x00000000719BD000-0x00000000719C8000-memory.dmp

memory/2324-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2324-9-0x00000000719BD000-0x00000000719C8000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_BL.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_BL.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 198.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 94.65.42.20.in-addr.arpa udp

Files

memory/4900-0-0x00007FF7F49B0000-0x00007FF7F49C0000-memory.dmp

memory/4900-1-0x00007FF834ACD000-0x00007FF834ACE000-memory.dmp

memory/4900-3-0x00007FF7F49B0000-0x00007FF7F49C0000-memory.dmp

memory/4900-4-0x00007FF7F49B0000-0x00007FF7F49C0000-memory.dmp

memory/4900-2-0x00007FF7F49B0000-0x00007FF7F49C0000-memory.dmp

memory/4900-6-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-7-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-8-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-11-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-12-0x00007FF7F22A0000-0x00007FF7F22B0000-memory.dmp

memory/4900-10-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-13-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-9-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-18-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-21-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-20-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-19-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-17-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-16-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-15-0x00007FF7F22A0000-0x00007FF7F22B0000-memory.dmp

memory/4900-14-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-5-0x00007FF7F49B0000-0x00007FF7F49C0000-memory.dmp

memory/4900-39-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-40-0x00007FF834ACD000-0x00007FF834ACE000-memory.dmp

memory/4900-41-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

memory/4900-42-0x00007FF834A30000-0x00007FF834C25000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 089981bebed2190e11f981c7ec65c481
SHA1 53de854ea2ae99e07d7f1e9e27399f045ceb55b9
SHA256 d37c36e9108433589fca732cd4248049535ffaac5a83685f53d4dbfc37a96969
SHA512 1387841a179ac15836463a1c33157ced186dd0242d77d149f13a7379ffdde753fd66a6d32219a67d1700188160164d249471fa1e759a55b86ce3db8d7a782b89

C:\Users\Admin\AppData\Local\Temp\TCDE8E1.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Analysis: behavioral22

Detonation Overview

Submitted

2025-01-15 16:44

Reported

2025-01-15 16:47

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 780 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 780 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 780 wrote to memory of 1996 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 udp
GB 104.78.173.167:80 tcp

Files

N/A