Analysis Overview
SHA256
1c458e2f8154cb14443da781df0dd13c172ee89a175214bf785e7a0461fedb25
Threat Level: Shows suspicious behavior
The file JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Program crash
Office loads VBA resources, possible macro or embedded object present
NSIS installer
Enumerates system info in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-15 16:17
Signatures
Unsigned PE
NSIS installer
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
142s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe | N/A |
NSIS installer
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1064 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe | C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe"
C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe
C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~4633~4651~~URL Parts Error~~SendRequest Error~62-20-00-77-10-59~#~~~SendRequest Error~
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1064 -ip 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1356
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.dlnortheastzone.com | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\intlib.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\Math.dll
| MD5 | b140459077c7c39be4bef249c2f84535 |
| SHA1 | c56498241c2ddafb01961596da16d08d1b11cd35 |
| SHA256 | 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67 |
| SHA512 | fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328 |
memory/1064-55-0x0000000002AC0000-0x0000000002ADA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\registry.dll
| MD5 | 24a7a119e289f1b5b69f3d6cf258db7c |
| SHA1 | fec84298f9819adf155fcf4e9e57dd402636c177 |
| SHA256 | ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1 |
| SHA512 | fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861 |
C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\GetVersion.dll
| MD5 | 5264f7d6d89d1dc04955cfb391798446 |
| SHA1 | 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc |
| SHA256 | 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4 |
| SHA512 | 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7 |
C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe
| MD5 | 7d901ec0b0c73772ea3c8179da0314cd |
| SHA1 | 781534f4014768b9d6bdf66d4fba2746219eee12 |
| SHA256 | 9c068bc2ffd61cf0f25372800562a12952a75aef3bbe8a22ab23e86edb606d9a |
| SHA512 | ececa2b045589199153458c1cfd06373c02528cbcc1483f4661a245272ae6962e4ca73c4f72282fa0759e9ccdf84fac710526743b1540ad92896dd6cc57b7992 |
Analysis: behavioral3
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240903-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 224
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240729-en
Max time kernel
53s
Max time network
19s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1096 wrote to memory of 2104 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/1096-0-0x000000002F5D1000-0x000000002F5D2000-memory.dmp
memory/1096-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1096-2-0x0000000070D5D000-0x0000000070D68000-memory.dmp
memory/1096-9-0x0000000070D5D000-0x0000000070D68000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2376 wrote to memory of 2804 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_cb.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2376-0-0x000000002FE01000-0x000000002FE02000-memory.dmp
memory/2376-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2376-2-0x0000000070AAD000-0x0000000070AB8000-memory.dmp
memory/2376-5-0x0000000070AAD000-0x0000000070AB8000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240903-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2716 wrote to memory of 2732 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_iolo.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2716-0-0x000000002FCE1000-0x000000002FCE2000-memory.dmp
memory/2716-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2716-2-0x00000000717AD000-0x00000000717B8000-memory.dmp
memory/2716-5-0x00000000717AD000-0x00000000717B8000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
134s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.51.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 95.101.143.193:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | fb949c77ab69ee7155ea09dc128a0872 |
| SHA1 | c7b7f2a13b09c8812b93c59706dc6bb3e8c9d961 |
| SHA256 | 8a5d70b8f04bf365b1e3d9336d317af24d3d6463c97fca85eeccd0dd53664b06 |
| SHA512 | 3aa979fc1950670119ea0d529da922606308618a5f4ea9ed5b71bccbef6ffbc3eebae739c55f7309cca8a34f4a94e5a6fb398c715aba16e37720ad9f6d9ea9bc |
memory/1160-41-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCD3ADF.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
Analysis: behavioral13
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240903-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 224
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240729-en
Max time kernel
104s
Max time network
19s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2532 wrote to memory of 2876 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2532-0-0x000000002FCC1000-0x000000002FCC2000-memory.dmp
memory/2532-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2532-2-0x0000000070FDD000-0x0000000070FE8000-memory.dmp
memory/2532-9-0x0000000070FDD000-0x0000000070FE8000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
149s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo_de.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 95.101.143.193:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/1704-40-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp
memory/1704-41-0x00007FFA9A34D000-0x00007FFA9A34E000-memory.dmp
memory/1704-42-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | db962ad18daf2acc948fbb3f66f6ed94 |
| SHA1 | 2ef74e0a4eef3adff30777915b073bc8b0ac30db |
| SHA256 | 34f6c879361c5875120405f8af798d47c593fa2b8343bdff84a50fac381ac647 |
| SHA512 | 681bd1339caa78fc462de839021ffeb988b33cf9c10f2abdb256bd86b5479db73cd0e83d826e1313ea4e3d4a868cd6491aa5d24d5afe838e5817d108132c1d04 |
memory/1704-48-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCDF256.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
Analysis: behavioral32
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
139s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_iolo.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 7.98.51.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 88.221.135.49:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/3248-0-0x00007FFE1544D000-0x00007FFE1544E000-memory.dmp
memory/3248-1-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp
memory/3248-2-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp
memory/3248-3-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp
memory/3248-4-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp
memory/3248-9-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-8-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-11-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-10-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-12-0x00007FFDD2C20000-0x00007FFDD2C30000-memory.dmp
memory/3248-7-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-6-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-5-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp
memory/3248-15-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-18-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-19-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-17-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-16-0x00007FFDD2C20000-0x00007FFDD2C30000-memory.dmp
memory/3248-14-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-13-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | d29962abc88624befc0135579ae485ec |
| SHA1 | e40a6458296ec6a2427bcb280572d023a9862b31 |
| SHA256 | a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866 |
| SHA512 | 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f |
memory/3248-37-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-38-0x00007FFE1544D000-0x00007FFE1544E000-memory.dmp
memory/3248-39-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
memory/3248-40-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 575436425fc2a7262ea9e4718f9e452c |
| SHA1 | f686a10901a5b6e3d66980903ddd58eccc07479b |
| SHA256 | e7e56bc53b90b52cdd94cc667c3490f82989c06b0e6358859579bf7404d56058 |
| SHA512 | f3dca7c89adf9fa97bbb568cf9fa86b25ba426abc39d4b2e859a967ab72f311775de56ccd93183717ed74150ba1ad9bbffe56b5ee2de24b9870262db2fcaef89 |
C:\Users\Admin\AppData\Local\Temp\TCD2D5C.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |
Analysis: behavioral5
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240729-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2680 wrote to memory of 808 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2680 wrote to memory of 808 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2680 wrote to memory of 808 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2680 wrote to memory of 808 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2680-0-0x000000002FC01000-0x000000002FC02000-memory.dmp
memory/2680-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2680-2-0x0000000070ACD000-0x0000000070AD8000-memory.dmp
memory/2680-9-0x0000000070ACD000-0x0000000070AD8000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3604 wrote to memory of 1868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3604 wrote to memory of 1868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3604 wrote to memory of 1868 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1868 -ip 1868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240903-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2112 wrote to memory of 2716 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2112 wrote to memory of 2716 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2112 wrote to memory of 2716 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2112 wrote to memory of 2716 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2112-0-0x000000002FDE1000-0x000000002FDE2000-memory.dmp
memory/2112-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2112-2-0x000000007140D000-0x0000000071418000-memory.dmp
memory/2112-5-0x000000007140D000-0x0000000071418000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20241023-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2128 wrote to memory of 2768 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2128 wrote to memory of 2768 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2128 wrote to memory of 2768 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
| PID 2128 wrote to memory of 2768 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo_de.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
memory/2128-0-0x000000002FDA1000-0x000000002FDA2000-memory.dmp
memory/2128-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2128-2-0x00000000718DD000-0x00000000718E8000-memory.dmp
memory/2128-5-0x00000000718DD000-0x00000000718E8000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 95.101.143.193:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/2444-1-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp
memory/2444-3-0x00007FF9AA9ED000-0x00007FF9AA9EE000-memory.dmp
memory/2444-4-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp
memory/2444-2-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp
memory/2444-8-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-9-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-11-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-13-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-10-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-15-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-12-0x00007FF968070000-0x00007FF968080000-memory.dmp
memory/2444-14-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-19-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-21-0x00007FF968070000-0x00007FF968080000-memory.dmp
memory/2444-23-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-20-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-22-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-18-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-17-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-16-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-7-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-6-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
memory/2444-5-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp
memory/2444-0-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | d29962abc88624befc0135579ae485ec |
| SHA1 | e40a6458296ec6a2427bcb280572d023a9862b31 |
| SHA256 | a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866 |
| SHA512 | 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f |
memory/2444-41-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 3f0dac665ad8e6e70bafd81ef2d5858e |
| SHA1 | 2daf26482c18f9c69d4740fd2f4d37766c6d7966 |
| SHA256 | 3812d19b6077e8533cf9c750be9e0aa4b803c20716e0bd2de34e61ebbe506df1 |
| SHA512 | 756e3526b3f7dba2170344e591572775d19eb53984854f637e4f3fd720a4a6a31901564a5852b42b668ec6f1a03151877330d16f3f5044ba70ae5be6fb3f2e4a |
C:\Users\Admin\AppData\Local\Temp\TCDEDBE.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |
Analysis: behavioral7
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240903-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 224
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1008 wrote to memory of 2016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1008 wrote to memory of 2016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1008 wrote to memory of 2016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2016 -ip 2016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 224
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
142s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3448 wrote to memory of 4580 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4580 -ip 4580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.51.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2244 wrote to memory of 2720 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
147s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1588 wrote to memory of 1860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1860 -ip 1860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240903-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2736 wrote to memory of 2536 | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | C:\Windows\splwow64.exe |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\jp_license.rtf"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
147s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\jp_license.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.32.7:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 7.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.51.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 88.221.135.49:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| US | 8.8.8.8:53 | 49.135.221.88.in-addr.arpa | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 198.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\Users\Admin\AppData\Local\Temp\TCDD116.tmp\gb.xsl
| MD5 | 51d32ee5bc7ab811041f799652d26e04 |
| SHA1 | 412193006aa3ef19e0a57e16acf86b830993024a |
| SHA256 | 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97 |
| SHA512 | 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810 |
Analysis: behavioral4
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5116 wrote to memory of 5092 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5092 -ip 5092
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| N/A | 20.50.80.213:443 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| GB | 104.78.173.167:80 | N/A | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240903-en
Max time kernel
117s
Max time network
117s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 236
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
155s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 129.68.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.51.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 95.101.143.193:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 198.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | b201c65861247b6970b7a63d43d88872 |
| SHA1 | 17acabeedd0eb944ede828c98ff934c3238638b4 |
| SHA256 | a056427c0cdb9f606edff9b2c51ddac5d0d21084805e0dbb0947e055a90b76b1 |
| SHA512 | da28e46b6195e53d35d67999c10406d58c42069a3180eaf43225ab425bb1cbc226317eadc76f713d5651464326b05f90df90847eea304447048940eb05864625 |
C:\Users\Admin\AppData\Local\Temp\TCDFDD8.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |
Analysis: behavioral30
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
151s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_cb.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| GB | 95.101.143.193:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/3260-3-0x00007FFC4548D000-0x00007FFC4548E000-memory.dmp
memory/3260-2-0x00007FFC05470000-0x00007FFC05480000-memory.dmp
memory/3260-4-0x00007FFC05470000-0x00007FFC05480000-memory.dmp
memory/3260-5-0x00007FFC05470000-0x00007FFC05480000-memory.dmp
memory/3260-9-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-8-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-7-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-6-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-1-0x00007FFC05470000-0x00007FFC05480000-memory.dmp
memory/3260-0-0x00007FFC05470000-0x00007FFC05480000-memory.dmp
memory/3260-11-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-12-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-13-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-14-0x00007FFC02BB0000-0x00007FFC02BC0000-memory.dmp
memory/3260-15-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-16-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-19-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-21-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-20-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-18-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-17-0x00007FFC02BB0000-0x00007FFC02BC0000-memory.dmp
memory/3260-10-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/3260-39-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
memory/3260-40-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 822d2778194e0847ca20fe065259d938 |
| SHA1 | 6606f6f0e4849d42b8c566a79da0034489b5b992 |
| SHA256 | 5daa5928370db2146e2898350332d92785f6c2f589ec4bd636cce6e0d0859432 |
| SHA512 | aeea1c945b13a52896d416135985d48f3d37d65239c999f3887ae219f65b919fea46ad998ad352c41cf3141b14b31181e371fcfe906946f272bde5a90ee69a79 |
C:\Users\Admin\AppData\Local\Temp\TCDCFBB.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20240903-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe"
C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe
C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~4633~4651~~URL Parts Error~~SendRequest Error~62-CA-C3-60-41-A9~#~~~SendRequest Error~
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.dlnortheastzone.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nst937A.tmp\nsDialogs.dll
| MD5 | c10e04dd4ad4277d5adc951bb331c777 |
| SHA1 | b1e30808198a3ae6d6d1cca62df8893dc2a7ad43 |
| SHA256 | e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a |
| SHA512 | 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e |
\Users\Admin\AppData\Local\Temp\nst937A.tmp\System.dll
| MD5 | c17103ae9072a06da581dec998343fc1 |
| SHA1 | b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d |
| SHA256 | dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f |
| SHA512 | d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f |
\Users\Admin\AppData\Local\Temp\nst937A.tmp\intlib.dll
| MD5 | 1efbbf5a54eb145a1a422046fd8dfb2c |
| SHA1 | ec4efd0a95bb72fd4cf47423647e33e5a3fddf26 |
| SHA256 | 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341 |
| SHA512 | 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb |
\Users\Admin\AppData\Local\Temp\nst937A.tmp\Math.dll
| MD5 | b140459077c7c39be4bef249c2f84535 |
| SHA1 | c56498241c2ddafb01961596da16d08d1b11cd35 |
| SHA256 | 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67 |
| SHA512 | fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328 |
memory/1860-50-0x00000000004E0000-0x00000000004FA000-memory.dmp
\Users\Admin\AppData\Local\Temp\nst937A.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
\Users\Admin\AppData\Local\Temp\nst937A.tmp\registry.dll
| MD5 | 24a7a119e289f1b5b69f3d6cf258db7c |
| SHA1 | fec84298f9819adf155fcf4e9e57dd402636c177 |
| SHA256 | ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1 |
| SHA512 | fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861 |
\Users\Admin\AppData\Local\Temp\nst937A.tmp\GetVersion.dll
| MD5 | 5264f7d6d89d1dc04955cfb391798446 |
| SHA1 | 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc |
| SHA256 | 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4 |
| SHA512 | 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7 |
\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe
| MD5 | 7d901ec0b0c73772ea3c8179da0314cd |
| SHA1 | 781534f4014768b9d6bdf66d4fba2746219eee12 |
| SHA256 | 9c068bc2ffd61cf0f25372800562a12952a75aef3bbe8a22ab23e86edb606d9a |
| SHA512 | ececa2b045589199153458c1cfd06373c02528cbcc1483f4661a245272ae6962e4ca73c4f72282fa0759e9ccdf84fac710526743b1540ad92896dd6cc57b7992 |
Analysis: behavioral9
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win7-20241010-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 228
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2664 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2664 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2664 wrote to memory of 2948 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2948 -ip 2948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
144s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.98.51.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 95.101.143.193:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.198:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 193.143.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4384-0-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp
memory/4384-2-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp
memory/4384-1-0x00007FFE733CD000-0x00007FFE733CE000-memory.dmp
memory/4384-3-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp
memory/4384-6-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-10-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-12-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-11-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-13-0x00007FFE30A50000-0x00007FFE30A60000-memory.dmp
memory/4384-9-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-8-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-7-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp
memory/4384-15-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-19-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-21-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-22-0x00007FFE30A50000-0x00007FFE30A60000-memory.dmp
memory/4384-20-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-18-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-17-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-16-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-14-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-5-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-4-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | d29962abc88624befc0135579ae485ec |
| SHA1 | e40a6458296ec6a2427bcb280572d023a9862b31 |
| SHA256 | a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866 |
| SHA512 | 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f |
memory/4384-40-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
memory/4384-41-0x00007FFE733CD000-0x00007FFE733CE000-memory.dmp
memory/4384-42-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
| MD5 | 51c80ba6d554cece2cfd64b667160b34 |
| SHA1 | cdabda3e352f6c62162a40c9684e80093d7306f8 |
| SHA256 | 890f44ca3a80fc3ea2ba2ecfbd6445c5c15f81677b35e6e641f504f307559a74 |
| SHA512 | cae72862e99ed6058503f0f91d8c0d067f15992f4a8cd0d52f198335fec55e8db17d26fa928676374eef8388993aaea9f8bec632ba1c54de658a55f6ed11702d |
memory/4384-48-0x00007FFE73330000-0x00007FFE73525000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCDF643.tmp\sist02.xsl
| MD5 | f883b260a8d67082ea895c14bf56dd56 |
| SHA1 | 7954565c1f243d46ad3b1e2f1baf3281451fc14b |
| SHA256 | ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353 |
| SHA512 | d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e |
Analysis: behavioral18
Detonation Overview
Submitted
2025-01-15 16:17
Reported
2025-01-15 16:19
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf" /o ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.76.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.173.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp |
| GB | 88.221.135.49:443 | metadata.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | binaries.templates.cdn.office.net | udp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| GB | 2.18.190.195:443 | binaries.templates.cdn.office.net | tcp |
| US | 8.8.8.8:53 | 49.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/2184-3-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp
memory/2184-0-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp
memory/2184-1-0x00007FF819E6D000-0x00007FF819E6E000-memory.dmp
memory/2184-2-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp
memory/2184-4-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-5-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp
memory/2184-6-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-7-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp
memory/2184-10-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-9-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-8-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-13-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-12-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-11-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-15-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-16-0x00007FF7D7BF0000-0x00007FF7D7C00000-memory.dmp
memory/2184-14-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-17-0x00007FF7D7BF0000-0x00007FF7D7C00000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
memory/2184-41-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-42-0x00007FF819E6D000-0x00007FF819E6E000-memory.dmp
memory/2184-43-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
memory/2184-44-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TCDE7BC.tmp\iso690.xsl
| MD5 | ff0e07eff1333cdf9fc2523d323dd654 |
| SHA1 | 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4 |
| SHA256 | 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5 |
| SHA512 | b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d |