Analysis Overview
SHA256: 186edf759a37067540eebd6b1f20768fe37b36d30c0b3c6a119a4b2c4ae91520
Threat Level: Shows suspicious behavior
The file JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c was assessed as: shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Program crash
NSIS installer
Office loads VBA resources, possible macro or embedded object present
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2025-01-15 16:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral26
Detonation Overview
Submitted: 2025-01-15 16:44
Reported: 2025-01-15 16:47
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 150s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_CF.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.32.7:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 95.101.143.193:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 198.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
Files
memory/3032-0-0x00007FF907F50000-0x00007FF907F60000-memory.dmp
memory/3032-1-0x00007FF947F6D000-0x00007FF947F6E000-memory.dmp
memory/3032-5-0x00007FF907F50000-0x00007FF907F60000-memory.dmp
memory/3032-4-0x00007FF907F50000-0x00007FF907F60000-memory.dmp
memory/3032-6-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-3-0x00007FF907F50000-0x00007FF907F60000-memory.dmp
memory/3032-2-0x00007FF907F50000-0x00007FF907F60000-memory.dmp
memory/3032-10-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-9-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-11-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-15-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-14-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-13-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-12-0x00007FF905750000-0x00007FF905760000-memory.dmp
memory/3032-16-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-17-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-8-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-7-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-18-0x00007FF905750000-0x00007FF905760000-memory.dmp
memory/3032-36-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-38-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-37-0x00007FF947F6D000-0x00007FF947F6E000-memory.dmp
memory/3032-39-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
memory/3032-40-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | ebcd5f62e4d2620c279b57d660cff10b |
| SHA1 | 23f7f0e7212d45e4266d2129b4e7ee5df3ff0c4e |
| SHA256 | 2b5c326ae7ef7e78f0cb689ef06f6d0dc2ba480f518943cec7324dc27ce4edef |
| SHA512 | dea5a09c87bdd04938e547b46b9119003c3b0bfb63d44bad586c61327b88f9967ca44923ecf4914f608e914228e3877697e0d29da91d14eae0098aba49f02d5c |
C:\Users\Admin\AppData\Local\Temp\TCD2A6C.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |
Analysis: behavioral13
Detonation Overview
Submitted: 2025-01-15 16:44
Reported: 2025-01-15 16:46
Platform: win7-20240903-en
Max time kernel: 122s
Max time network: 123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2184 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted: 2025-01-15 16:44
Reported: 2025-01-15 16:47
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 145s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4184 wrote to memory of 5020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4184 wrote to memory of 5020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4184 wrote to memory of 5020 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5020 -ip 5020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 600
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted: 2025-01-15 16:44
Reported: 2025-01-15 16:47
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 150s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2452 wrote to memory of 2136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2452 wrote to memory of 2136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2452 wrote to memory of 2136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2136 -ip 2136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 612
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.80.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted: 2025-01-15 16:44
Reported: 2025-01-15 16:47
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 144s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2804 wrote to memory of 3972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2804 wrote to memory of 3972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2804 wrote to memory of 3972 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3972 -ip 3972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 612
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted: 2025-01-15 16:44
Reported: 2025-01-15 16:47
Platform: win10v2004-20241007-en
Max time kernel: 94s
Max time network: 136s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsn8EA4.tmp\inetc.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
Analysis: behavioral31
Detonation Overview
Submitted: 2025-01-15 16:44
Reported: 2025-01-15 16:46
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 124s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1416 wrote to memory of 2884 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 1416 wrote to memory of 2884 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 1416 wrote to memory of 2884 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 1416 wrote to memory of 2884 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_SIM.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/1416-0-0x000000002F881000-0x000000002F882000-memory.dmp
memory/1416-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1416-2-0x000000007120D000-0x0000000071218000-memory.dmp
memory/1416-5-0x000000007120D000-0x0000000071218000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted: 2025-01-15 16:44
Reported: 2025-01-15 16:46
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 224
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted: 2025-01-15 16:44
Reported: 2025-01-15 16:47
Platform: win10v2004-20241007-en
Max time kernel: 92s
Max time network: 143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4836 wrote to memory of 1124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4836 wrote to memory of 1124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4836 wrote to memory of 1124 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1124 -ip 1124
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 612
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted: 2025-01-15 16:44
Reported: 2025-01-15 16:47
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 145s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 95.101.143.193:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4500-4-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp
memory/4500-3-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp
memory/4500-2-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp
memory/4500-1-0x00007FFF940CD000-0x00007FFF940CE000-memory.dmp
memory/4500-0-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp
memory/4500-5-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
memory/4500-6-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
memory/4500-7-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp
memory/4500-13-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
memory/4500-12-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
memory/4500-11-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
memory/4500-14-0x00007FFF52050000-0x00007FFF52060000-memory.dmp
memory/4500-10-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
memory/4500-9-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
memory/4500-8-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
memory/4500-15-0x00007FFF52050000-0x00007FFF52060000-memory.dmp
memory/4500-29-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
memory/4500-30-0x00007FFF940CD000-0x00007FFF940CE000-memory.dmp
memory/4500-31-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
memory/4500-32-0x00007FFF94030000-0x00007FFF94225000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | cb0505adeeacdba1fa5c6f2c50ecb25b |
| SHA1 | 24ec87cf988a25ee194d785d2b1d1e9bc9f946fd |
| SHA256 | 32f132b9f32e69a24152b41048566fdce484577d86de4360b9cb41e4c7e1b54b |
| SHA512 | ee39180974f58ac021905887514a595e24b2d42481141af92e9245611668e04451a41f304267254c7bffd2375009cfceab8d0e54390837a8800e1a44eb6159a1 |
C:\Users\Admin\AppData\Local\Temp\TCDF26B.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |
Analysis: behavioral28
Detonation Overview
Submitted: 2025-01-15 16:44
Reported: 2025-01-15 16:47
Platform: win10v2004-20241007-en
Max time kernel: 133s
Max time network: 136s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 95.101.143.193:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/4956-0-0x00007FFF81A70000-0x00007FFF81A80000-memory.dmp
memory/4956-1-0x00007FFF81A70000-0x00007FFF81A80000-memory.dmp
memory/4956-3-0x00007FFFC1A8D000-0x00007FFFC1A8E000-memory.dmp
memory/4956-2-0x00007FFF81A70000-0x00007FFF81A80000-memory.dmp
memory/4956-4-0x00007FFF81A70000-0x00007FFF81A80000-memory.dmp
memory/4956-10-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-5-0x00007FFF81A70000-0x00007FFF81A80000-memory.dmp
memory/4956-9-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-11-0x00007FFF7F400000-0x00007FFF7F410000-memory.dmp
memory/4956-8-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-16-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-15-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-14-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-13-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-12-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-7-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-6-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-20-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-19-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-22-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-21-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-18-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
memory/4956-17-0x00007FFF7F400000-0x00007FFF7F410000-memory.dmp
memory/4956-34-0x00007FFFC19F0000-0x00007FFFC1BE5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 80617f6c50336958b383b1753d8552b8 |
| SHA1 | d5f7a1921809684b47ec7d597a20b05bed0f92bd |
| SHA256 | 2d45384acbb68ed34732b92dea86a8a61bd8f4c05965af167425bffbf92611ba |
| SHA512 | 7b5a770ed4605c36b2cbccb7da82e8e1da59d933b4f3a0b6cba5d46fbd0b42007969e7fed630bb7accf3b6fca53f484c058faeab1b34ad32c67fe3a1ed27c93a |
C:\Users\Admin\AppData\Local\Temp\TCDA72.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
Analysis: behavioral5
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20241023-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2908 wrote to memory of 2656 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2908 wrote to memory of 2656 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2908 wrote to memory of 2656 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2908 wrote to memory of 2656 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2908-0-0x000000002FF11000-0x000000002FF12000-memory.dmp
memory/2908-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2908-2-0x000000007196D000-0x0000000071978000-memory.dmp
memory/2908-5-0x000000007196D000-0x0000000071978000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20240729-en
Max time kernel
94s
Max time network
16s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 224
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20240903-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2672 wrote to memory of 2744 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2672 wrote to memory of 2744 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2672 wrote to memory of 2744 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2672 wrote to memory of 2744 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_BL.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2672-0-0x000000002F681000-0x000000002F682000-memory.dmp
memory/2672-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2672-2-0x00000000712CD000-0x00000000712D8000-memory.dmp
memory/2672-9-0x00000000712CD000-0x00000000712D8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:47
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
144s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4592 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe | C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe |
| PID 4592 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe | C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe |
| PID 4592 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe | C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe"
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~5558~4796~~URL Parts Error~~SendRequest Error~7E-CF-46-9E-42-CC~#~~SendRequest Error~~~~
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4592 -ip 4592
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 1120
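The process trees across the detonations on this page fall into a few recurring shapes: the NSIS dropper spawning its stub from an nsi*.tmp directory and then crashing into WerFault; the sandbox running extracted $PLUGINSDIR plugin DLLs on their own through rundll32 with export ordinal #1 (which then crash); and 32-bit Word opening the installer's license RTFs and talking to splwow64.exe, the print-driver host for 32-bit applications. The stub's single argument is a tilde-delimited record of placeholders. The following is an added example, not code from the report or from the sample: it labels process lines copied from this page and splits the dllstub.exe argument into typed fields by shape only, without guessing what each field means. The category names are this example's own.

```python
import re

# Process lines copied from the "Processes" sections of this report
# (behavioral2, behavioral11, behavioral5): (image path, command line).
# Constructed sample input for this example.
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe",
     r"C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~5558~4796~~URL Parts Error~~SendRequest Error~7E-CF-46-9E-42-CC~#~~SendRequest Error~~~~"),
    (r"C:\Windows\SysWOW64\WerFault.exe",
     r"C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4592 -ip 4592"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1"),
    (r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf"'),
    (r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
]
DLLSTUB_CMDLINE = PROCESSES[1][1]

# rundll32 <...>\$PLUGINSDIR\<name>.dll,#<ordinal>  (NSIS plugin run outside its installer)
NSIS_PLUGIN_RE = re.compile(r'\$PLUGINSDIR\\([^\\,"]+\.dll),#(\d+)', re.I)
# WINWORD.EXE /n "<...>\$PLUGINSDIR\<name>.rtf"
INSTALLER_RTF_RE = re.compile(r'\$PLUGINSDIR\\([^\\"]+\.rtf)', re.I)
# WerFault ... -p <crashed pid>   ("-pss" and "-ip" must not match)
CRASHED_PID_RE = re.compile(r'(?:^|\s)-p\s+(\d+)')
# Six dash-separated hex octets, the Windows rendering of a MAC address
MAC_SHAPED_RE = re.compile(r'(?:[0-9A-F]{2}-){5}[0-9A-F]{2}', re.I)


def classify(image, cmdline):
    """Label one process line from the report. Returns (category, detail)."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name == "rundll32.exe":
        m = NSIS_PLUGIN_RE.search(cmdline)
        if m:
            return ("nsis_plugin_via_rundll32", m.group(1))
    if name == "winword.exe":
        m = INSTALLER_RTF_RE.search(cmdline)
        if m:
            return ("word_opens_installer_rtf", m.group(1))
    if name == "werfault.exe":
        m = CRASHED_PID_RE.search(cmdline)
        return ("crash_report", m.group(1) if m else None)
    if name == "splwow64.exe":
        # Print-driver host that 32-bit Office launches on 64-bit Windows.
        return ("print_driver_host", None)
    if name == "dllstub.exe":
        return ("nsis_stub", None)
    if name.endswith(".exe") and "\\temp\\" in image.lower():
        return ("exe_run_from_temp", name)
    return ("other", name)


def triage(processes=PROCESSES):
    return [classify(image, cmd) for image, cmd in processes]


def parse_stub_fields(cmdline):
    """Split the single argument handed to dllstub.exe on '~' and type each
    field by its shape. Meaning of the fields is not inferred."""
    _, _, arg = cmdline.partition(".exe ")
    typed = []
    for field in arg.split("~"):
        if field == "":
            kind = "empty"
        elif field == "#":
            kind = "separator"
        elif field.isdigit():
            kind = "number"
        elif MAC_SHAPED_RE.fullmatch(field):
            kind = "mac_shaped"
        elif field.endswith("Error"):
            kind = "error_placeholder"
        else:
            kind = "other"
        typed.append((kind, field))
    return typed


def summarize_stub_fields(cmdline):
    kinds = [k for k, _ in parse_stub_fields(cmdline)]
    return {k: kinds.count(k) for k in sorted(set(kinds))}


if __name__ == "__main__":
    for (image, _), (cat, detail) in zip(PROCESSES, triage()):
        print(f"{cat:28} {detail or '':28} {image}")
    print(summarize_stub_fields(DLLSTUB_CMDLINE))
```

Run stand-alone it prints one label per process line and the field-type counts of the stub argument: 23 fields, of which 6 are "... Error" placeholders, 2 are numbers, 2 are "#" separators, 1 is MAC-shaped and the rest are empty. Whether the MAC-shaped value is an adapter address collected by the installer is not something the report confirms; the example only reports the shape.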
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.first2foureast4.com | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
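Most rows in this network table are *.in-addr.arpa queries to 8.8.8.8, that is, reverse (PTR) lookups that name an IP address the analysis host already had in hand rather than a hostname the sample chose; the Office-service names (roaming.officeapps.live.com, *.templates.cdn.office.net) recur in every WINWORD detonation on this page. Once those are set aside, the only remaining name in this detonation is www.first2foureast4.com, for which the report shows a DNS query over UDP and no TCP row. The following is an added example, not code from the report: it buckets the rows copied from this table (plus a few Office rows from behavioral28 for contrast) into reverse lookups, allowlisted service traffic, names that were only resolved, and names that were actually connected to. Treating the Office domains as an allowlist is this example's own assumption, not a verdict from the report.

```python
import ipaddress

# Rows copied from this detonation's Network table: (country, destination, domain, proto).
# Constructed sample input for this example.
SAMPLE_NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "8.153.16.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "www.first2foureast4.com", "udp"),
    ("US", "8.8.8.8:53", "17.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "167.173.78.104.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "228.249.119.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "200.163.202.172.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "198.187.3.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "61.153.16.2.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "43.229.111.52.in-addr.arpa", "udp"),
]

# A few rows copied from the behavioral28 WINWORD detonation, for contrast.
OFFICE_ROWS = [
    ("US", "8.8.8.8:53", "roaming.officeapps.live.com", "udp"),
    ("GB", "52.109.28.47:443", "roaming.officeapps.live.com", "tcp"),
    ("US", "8.8.8.8:53", "metadata.templates.cdn.office.net", "udp"),
    ("GB", "95.101.143.193:443", "metadata.templates.cdn.office.net", "tcp"),
    ("GB", "2.18.190.195:443", "binaries.templates.cdn.office.net", "tcp"),
]

# Allowlist used by this example (an assumption, not a finding of the report).
KNOWN_SERVICE_SUFFIXES = ("officeapps.live.com", "cdn.office.net")


def reverse_lookup_target(domain):
    """For a PTR name such as 149.220.183.52.in-addr.arpa return the IPv4
    address it asks about (52.183.220.149); None for any other name."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    octets = domain[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def triage_network(rows):
    """Bucket rows into: ptr (IPs that were reverse-resolved), service
    (allowlisted names), connected (a TCP row exists for the name) and
    dns_only (name resolved but never connected to)."""
    buckets = {"ptr": [], "service": set(), "connected": set(), "dns_only": set()}
    tcp_names = {domain for _, _, domain, proto in rows if proto == "tcp"}
    for _, _, domain, _ in rows:
        ip = reverse_lookup_target(domain)
        if ip:
            buckets["ptr"].append(ip)
        elif domain.endswith(KNOWN_SERVICE_SUFFIXES):
            buckets["service"].add(domain)
        elif domain in tcp_names:
            buckets["connected"].add(domain)
        else:
            buckets["dns_only"].add(domain)
    return buckets


def tcp_endpoints(rows):
    """(ip, port) pairs the detonation actually opened a TCP connection to."""
    out = set()
    for _, dest, _, proto in rows:
        if proto == "tcp":
            host, _, port = dest.rpartition(":")
            out.add((host, int(port)))
    return out


def candidate_indicators(rows):
    """Names left over after PTR noise and allowlisted services are removed."""
    b = triage_network(rows)
    return sorted(b["connected"] | b["dns_only"])


if __name__ == "__main__":
    for label, rows in (("behavioral2", SAMPLE_NETWORK_ROWS), ("behavioral28", OFFICE_ROWS)):
        b = triage_network(rows)
        print(label, {k: (len(v) if k == "ptr" else sorted(v)) for k, v in b.items()})
        print("  tcp endpoints:", sorted(tcp_endpoints(rows)))
        print("  candidates:", candidate_indicators(rows))
```

For the rows above, the dropper's detonation yields 13 reverse lookups, no TCP endpoints and a single candidate name, www.first2foureast4.com; the Word detonation yields only allowlisted service traffic and no candidates. A DNS-only candidate is still worth recording, but it is a weaker indicator than a completed TCP connection would be.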
Files
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\intlib.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\Math.dll
| MD5 | b140459077c7c39be4bef249c2f84535 |
| SHA1 | c56498241c2ddafb01961596da16d08d1b11cd35 |
| SHA256 | 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67 |
| SHA512 | fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328 |
memory/4592-61-0x0000000002AF0000-0x0000000002B0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\registry.dll
| MD5 | 24a7a119e289f1b5b69f3d6cf258db7c |
| SHA1 | fec84298f9819adf155fcf4e9e57dd402636c177 |
| SHA256 | ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1 |
| SHA512 | fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861 |
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\GetVersion.dll
| MD5 | 5264f7d6d89d1dc04955cfb391798446 |
| SHA1 | 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc |
| SHA256 | 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4 |
| SHA512 | 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7 |
C:\Users\Admin\AppData\Local\Temp\nsiA837.tmp\dllstub.exe
| MD5 | f737932236aaf871af646c802f8a9bfa |
| SHA1 | c3256ef959ae31543756fc74f25ae8fd1598dadb |
| SHA256 | 37d60d891c8557fffc52f5951d82b0756f962d073b842bd975633ed93737ce80 |
| SHA512 | 29c42a72560f7a2141e2036910e8cb033fbc3d3b6fe14f9e31b87ed1bd55d57d4be0de4217dd642ac5351f4460084b99c3026d09f9714b356dc103117ae5ba42 |
Analysis: behavioral3
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20241010-en
Max time kernel
14s
Max time network
18s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 228
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20240729-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1896 wrote to memory of 2732 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 1896 wrote to memory of 2732 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 1896 wrote to memory of 2732 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 1896 wrote to memory of 2732 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/1896-0-0x000000002F371000-0x000000002F372000-memory.dmp
memory/1896-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1896-2-0x0000000070B3D000-0x0000000070B48000-memory.dmp
memory/1896-9-0x0000000070B3D000-0x0000000070B48000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 2804 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2532 wrote to memory of 2804 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2532 wrote to memory of 2804 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2532 wrote to memory of 2804 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_MLPC.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2532-0-0x000000002F481000-0x000000002F482000-memory.dmp
memory/2532-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2532-2-0x00000000718DD000-0x00000000718E8000-memory.dmp
memory/2532-9-0x00000000718DD000-0x00000000718E8000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:48
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
144s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_SIM.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 95.101.143.193:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 195.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3104-1-0x00007FF9FDE2D000-0x00007FF9FDE2E000-memory.dmp
memory/3104-0-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp
memory/3104-3-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp
memory/3104-2-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp
memory/3104-11-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-10-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-9-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-8-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-12-0x00007FF9BBCA0000-0x00007FF9BBCB0000-memory.dmp
memory/3104-7-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-16-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-18-0x00007FF9BBCA0000-0x00007FF9BBCB0000-memory.dmp
memory/3104-22-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-21-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-20-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-19-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-17-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-15-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-14-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-13-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-6-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-5-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp
memory/3104-4-0x00007FF9BDE10000-0x00007FF9BDE20000-memory.dmp
memory/3104-34-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-35-0x00007FF9FDE2D000-0x00007FF9FDE2E000-memory.dmp
memory/3104-36-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
memory/3104-40-0x00007FF9FDD90000-0x00007FF9FDF85000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 3fcef405eac4c98619094ce1c9069ce6 |
| SHA1 | 762148c87419b6299cabc4a0eafd609b78211eec |
| SHA256 | a6de491417ff40b833e40f112d17fe1225594983d6bd3f9bdffb272b78364f25 |
| SHA512 | b779261552048d4fa598855962e9261287c24dd0edf1bd373f6e91deba660b35440dbd4923770e47ad5046bd600acfa46b17b17d1103a61a861a75ea28485c57 |
C:\Users\Admin\AppData\Local\Temp\TCD2943.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
Analysis: behavioral20
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:47
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
146s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.32.7:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 88.221.135.49:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 49.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 3e9e175c3e51f3446c27213f32ae72b6 |
| SHA1 | 3893e348e24e143b55ee4cb02b5ba42ef6f5a3a4 |
| SHA256 | 3d87828533db1162f824e7e0ce9b1fea55b2751cf8445b1a615d70d77af5e237 |
| SHA512 | 754cca63a4b438dc71f303ac5ad859ec57296f5bf9a2e36efc1e837e8de8b973b9268f9980489e979f00df5e7fd85e530a797cd0111f207a7f517a8b7dd1cbcb |
C:\Users\Admin\AppData\Local\Temp\TCDEBF0.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
Analysis: behavioral4
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:47
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
143s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1404 wrote to memory of 3960 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3960 -ip 3960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3960 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20240903-en
Max time kernel
119s
Max time network
124s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 224
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20241010-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 2720 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2332-2-0x000000007105D000-0x0000000071068000-memory.dmp
memory/2332-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2332-0-0x000000002FC91000-0x000000002FC92000-memory.dmp
memory/2332-10-0x000000007105D000-0x0000000071068000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20241010-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 236
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20240903-en
Max time kernel
118s
Max time network
118s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2076 wrote to memory of 2128 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_CF.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2076-0-0x000000002FB31000-0x000000002FB32000-memory.dmp
memory/2076-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2076-2-0x0000000070FBD000-0x0000000070FC8000-memory.dmp
memory/2076-9-0x0000000070FBD000-0x0000000070FC8000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:47
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_MLPC.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 95.101.143.193:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/1048-34-0x00007FF920630000-0x00007FF920825000-memory.dmp
memory/1048-35-0x00007FF9206CD000-0x00007FF9206CE000-memory.dmp
memory/1048-36-0x00007FF920630000-0x00007FF920825000-memory.dmp
memory/1048-37-0x00007FF920630000-0x00007FF920825000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 4ff0cabfc194df31a52d18dc4beeedb2 |
| SHA1 | d13279efd8d9ae2b73d86fa6f921b8b848cb5679 |
| SHA256 | 5595d5d327a240264782b9adb919c29bf00bc30bd2a347d8e586c07c37a53969 |
| SHA512 | 2d89bd265e7376b994c262a57c4296be7257cf43f826ce7b00dbad7d25d3378fc31864494899e3ac7ad3de456f2cf0c0443c0a0a790d345f766970975ebc87e5 |
C:\Users\Admin\AppData\Local\Temp\TCDE415.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20240903-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c8abd2f16f0d69e9f26224894c4304c.exe"
C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe
C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~5558~4796~~URL Parts Error~~SendRequest Error~F2-DF-72-04-BD-4F~#~~SendRequest Error~~IE~~
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.first2foureast4.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsdA084.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
\Users\Admin\AppData\Local\Temp\nsdA084.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nsdA084.tmp\intlib.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
\Users\Admin\AppData\Local\Temp\nsdA084.tmp\Math.dll
| MD5 | b140459077c7c39be4bef249c2f84535 |
| SHA1 | c56498241c2ddafb01961596da16d08d1b11cd35 |
| SHA256 | 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67 |
| SHA512 | fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328 |
memory/2916-56-0x0000000000A80000-0x0000000000A9A000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsdA084.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nsdA084.tmp\registry.dll
| MD5 | 24a7a119e289f1b5b69f3d6cf258db7c |
| SHA1 | fec84298f9819adf155fcf4e9e57dd402636c177 |
| SHA256 | ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1 |
| SHA512 | fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861 |
\Users\Admin\AppData\Local\Temp\nsdA084.tmp\GetVersion.dll
| MD5 | 5264f7d6d89d1dc04955cfb391798446 |
| SHA1 | 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc |
| SHA256 | 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4 |
| SHA512 | 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7 |
C:\Users\Admin\AppData\Local\Temp\nsdA084.tmp\dllstub.exe
| MD5 | f737932236aaf871af646c802f8a9bfa |
| SHA1 | c3256ef959ae31543756fc74f25ae8fd1598dadb |
| SHA256 | 37d60d891c8557fffc52f5951d82b0756f962d073b842bd975633ed93737ce80 |
| SHA512 | 29c42a72560f7a2141e2036910e8cb033fbc3d3b6fe14f9e31b87ed1bd55d57d4be0de4217dd642ac5351f4460084b99c3026d09f9714b356dc103117ae5ba42 |
Analysis: behavioral6
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:47
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
140s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 88.221.135.49:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 49.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
memory/372-1-0x00007FFD6590D000-0x00007FFD6590E000-memory.dmp
memory/372-0-0x00007FFD258F0000-0x00007FFD25900000-memory.dmp
memory/372-3-0x00007FFD258F0000-0x00007FFD25900000-memory.dmp
memory/372-2-0x00007FFD258F0000-0x00007FFD25900000-memory.dmp
memory/372-5-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp
memory/372-6-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp
memory/372-4-0x00007FFD258F0000-0x00007FFD25900000-memory.dmp
memory/372-7-0x00007FFD258F0000-0x00007FFD25900000-memory.dmp
memory/372-9-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp
memory/372-11-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp
memory/372-10-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp
memory/372-12-0x00007FFD23040000-0x00007FFD23050000-memory.dmp
memory/372-8-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp
memory/372-13-0x00007FFD23040000-0x00007FFD23050000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/372-33-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp
memory/372-34-0x00007FFD6590D000-0x00007FFD6590E000-memory.dmp
memory/372-35-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp
memory/372-36-0x00007FFD65870000-0x00007FFD65A65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCDA743.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
Analysis: behavioral15
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dllstub.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nstD3C4.tmp\inetc.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
Analysis: behavioral17
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:46
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2324 wrote to memory of 2696 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2324 wrote to memory of 2696 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2324 wrote to memory of 2696 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2324 wrote to memory of 2696 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2324-0-0x000000002F051000-0x000000002F052000-memory.dmp
memory/2324-2-0x00000000719BD000-0x00000000719C8000-memory.dmp
memory/2324-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2324-9-0x00000000719BD000-0x00000000719C8000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:47
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_BL.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 88.221.135.49:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 49.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.65.42.20.in-addr.arpa | udp |
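A Network table like the one above mixes three kinds of rows: reverse-DNS (PTR) lookups for the IPs Windows and Office talk to (the `*.in-addr.arpa` names), forward lookups of real hostnames, and the TCP connections the sandbox tied to those names. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses rows in the report's own column layout, turns PTR names back into the IPs they describe, counts connections per destination, and flags any connection the report shows with no domain or over plaintext HTTP. The sample rows are copied from this report's Network tables; the two rows the report lists without a Domain value are written here with `N/A`, matching the placeholder the report uses elsewhere.

```python
"""Triage the Network table of a sandbox report (added example, not report code)."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample: rows copied from this report's Network tables, in the
# report's own column order. The last two stand for rows listed without a Domain.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 104.78.173.167:80 | N/A | tcp |
"""

PTR_SUFFIX = ".in-addr.arpa"


@dataclass(frozen=True)
class Row:
    country: str
    ip: str
    port: int
    domain: str | None  # None where the report shows no name
    proto: str


def parse_rows(table: str) -> list[Row]:
    """Parse '| Country | Destination | Domain | Proto |' rows; the header is skipped."""
    rows: list[Row] = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        ipaddress.ip_address(ip)  # raises ValueError on a malformed destination
        rows.append(Row(country, ip, int(port),
                        None if domain in ("", "N/A") else domain.lower(),
                        proto.lower()))
    return rows


def is_ptr(domain: str | None) -> bool:
    return domain is not None and domain.endswith(PTR_SUFFIX)


def ptr_target(domain: str) -> str:
    """'46.28.109.52.in-addr.arpa' -> '52.109.28.46', the IP being reverse-resolved."""
    octets = domain.removesuffix(PTR_SUFFIX).split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 PTR name: {domain}")
    return ".".join(reversed(octets))


def triage(rows: list[Row]) -> dict:
    """Split DNS noise from connections and flag what deserves a second look."""
    forward: set[str] = set()
    ptr: set[str] = set()
    connections: Counter = Counter()
    flags: list[str] = []
    for r in rows:
        if r.proto == "udp" and r.port == 53:
            if r.domain is None:
                flags.append(f"{r.ip}:{r.port}/udp DNS query with no recorded name")
            elif is_ptr(r.domain):
                ptr.add(ptr_target(r.domain))
            else:
                forward.add(r.domain)
            continue
        connections[(r.ip, r.port, r.proto, r.domain)] += 1
    for (ip, port, proto, domain), n in connections.items():
        where = f"{ip}:{port}/{proto} ({domain or 'no domain'}, {n} connection(s))"
        if domain is None:
            flags.append(f"{where}: destination never tied to a name")
        elif domain not in forward:
            flags.append(f"{where}: no forward DNS lookup seen for {domain}")
        if port == 80:
            flags.append(f"{where}: plaintext HTTP")
    return {
        "forward_lookups": sorted(forward),
        "ptr_targets": sorted(ptr),
        "connections": connections,
        "flags": flags,
    }


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    print("forward lookups:", result["forward_lookups"])
    print("PTR targets:", result["ptr_targets"])
    for (ip, port, proto, domain), n in result["connections"].items():
        print(f"{ip}:{port}/{proto} {domain or '-'} x{n}")
    for flag in result["flags"]:
        print("FLAG", flag)
```

The flags are a starting point, not a verdict: roaming.officeapps.live.com and the templates.cdn.office.net hosts are Microsoft Office service endpoints that WINWORD.EXE contacts on its own when it opens the RTF license files shown in the Processes sections, so the rows worth a closer look are the ones with no name attached, such as the plaintext HTTP connection the report lists without a domain.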
Files
memory/4900-0-0x00007FF7F49B0000-0x00007FF7F49C0000-memory.dmp
memory/4900-1-0x00007FF834ACD000-0x00007FF834ACE000-memory.dmp
memory/4900-3-0x00007FF7F49B0000-0x00007FF7F49C0000-memory.dmp
memory/4900-4-0x00007FF7F49B0000-0x00007FF7F49C0000-memory.dmp
memory/4900-2-0x00007FF7F49B0000-0x00007FF7F49C0000-memory.dmp
memory/4900-6-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-7-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-8-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-11-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-12-0x00007FF7F22A0000-0x00007FF7F22B0000-memory.dmp
memory/4900-10-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-13-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-9-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-18-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-21-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-20-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-19-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-17-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-16-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-15-0x00007FF7F22A0000-0x00007FF7F22B0000-memory.dmp
memory/4900-14-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-5-0x00007FF7F49B0000-0x00007FF7F49C0000-memory.dmp
memory/4900-39-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-40-0x00007FF834ACD000-0x00007FF834ACE000-memory.dmp
memory/4900-41-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
memory/4900-42-0x00007FF834A30000-0x00007FF834C25000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 089981bebed2190e11f981c7ec65c481 |
| SHA1 | 53de854ea2ae99e07d7f1e9e27399f045ceb55b9 |
| SHA256 | d37c36e9108433589fca732cd4248049535ffaac5a83685f53d4dbfc37a96969 |
| SHA512 | 1387841a179ac15836463a1c33157ced186dd0242d77d149f13a7379ffdde753fd66a6d32219a67d1700188160164d249471fa1e759a55b86ce3db8d7a782b89 |
C:\Users\Admin\AppData\Local\Temp\TCDE8E1.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
Analysis: behavioral22
Detonation Overview
Submitted
2025-01-15 16:44
Reported
2025-01-15 16:47
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 780 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 780 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 780 wrote to memory of 1996 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1996 -ip 1996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1996 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 104.78.173.167:80 | N/A | tcp |