Malware Analysis Report

2025-08-11 04:30

Sample ID 250115-tree4szjar
Target JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c
SHA256 1c458e2f8154cb14443da781df0dd13c172ee89a175214bf785e7a0461fedb25
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1c458e2f8154cb14443da781df0dd13c172ee89a175214bf785e7a0461fedb25

Threat Level: Shows suspicious behavior

The file JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Office loads VBA resources, possible macro or embedded object present

NSIS installer

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-15 16:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe"

C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe

C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~4633~4651~~URL Parts Error~~SendRequest Error~62-20-00-77-10-59~#~~~SendRequest Error~

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1064 -ip 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1356

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 www.dlnortheastzone.com udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\intlib.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\Math.dll

MD5 b140459077c7c39be4bef249c2f84535
SHA1 c56498241c2ddafb01961596da16d08d1b11cd35
SHA256 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67
SHA512 fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

memory/1064-55-0x0000000002AC0000-0x0000000002ADA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\registry.dll

MD5 24a7a119e289f1b5b69f3d6cf258db7c
SHA1 fec84298f9819adf155fcf4e9e57dd402636c177
SHA256 ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
SHA512 fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\GetVersion.dll

MD5 5264f7d6d89d1dc04955cfb391798446
SHA1 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc
SHA256 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4
SHA512 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

C:\Users\Admin\AppData\Local\Temp\nso7679.tmp\stubdl.exe

MD5 7d901ec0b0c73772ea3c8179da0314cd
SHA1 781534f4014768b9d6bdf66d4fba2746219eee12
SHA256 9c068bc2ffd61cf0f25372800562a12952a75aef3bbe8a22ab23e86edb606d9a
SHA512 ececa2b045589199153458c1cfd06373c02528cbcc1483f4661a245272ae6962e4ca73c4f72282fa0759e9ccdf84fac710526743b1540ad92896dd6cc57b7992

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240903-en

Max time kernel

120s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 224

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240729-en

Max time kernel

53s

Max time network

19s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1096-0-0x000000002F5D1000-0x000000002F5D2000-memory.dmp

memory/1096-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1096-2-0x0000000070D5D000-0x0000000070D68000-memory.dmp

memory/1096-9-0x0000000070D5D000-0x0000000070D68000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_cb.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_cb.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2376-0-0x000000002FE01000-0x000000002FE02000-memory.dmp

memory/2376-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2376-2-0x0000000070AAD000-0x0000000070AB8000-memory.dmp

memory/2376-5-0x0000000070AAD000-0x0000000070AB8000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240903-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_iolo.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_iolo.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2716-0-0x000000002FCE1000-0x000000002FCE2000-memory.dmp

memory/2716-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2716-2-0x00000000717AD000-0x00000000717B8000-memory.dmp

memory/2716-5-0x00000000717AD000-0x00000000717B8000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

134s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 7.98.51.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 198.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1160-1-0x00007FF8CA76D000-0x00007FF8CA76E000-memory.dmp

memory/1160-0-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

memory/1160-3-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

memory/1160-4-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

memory/1160-5-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

memory/1160-2-0x00007FF88A750000-0x00007FF88A760000-memory.dmp

memory/1160-7-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-6-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-9-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-12-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-11-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-14-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-13-0x00007FF8886F0000-0x00007FF888700000-memory.dmp

memory/1160-15-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-17-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-19-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-21-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-20-0x00007FF8886F0000-0x00007FF888700000-memory.dmp

memory/1160-18-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-16-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-10-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-8-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-33-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

memory/1160-34-0x00007FF8CA76D000-0x00007FF8CA76E000-memory.dmp

memory/1160-35-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 fb949c77ab69ee7155ea09dc128a0872
SHA1 c7b7f2a13b09c8812b93c59706dc6bb3e8c9d961
SHA256 8a5d70b8f04bf365b1e3d9336d317af24d3d6463c97fca85eeccd0dd53664b06
SHA512 3aa979fc1950670119ea0d529da922606308618a5f4ea9ed5b71bccbef6ffbc3eebae739c55f7309cca8a34f4a94e5a6fb398c715aba16e37720ad9f6d9ea9bc

memory/1160-41-0x00007FF8CA6D0000-0x00007FF8CA8C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCD3ADF.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral13

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240903-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240729-en

Max time kernel

104s

Max time network

19s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2532-0-0x000000002FCC1000-0x000000002FCC2000-memory.dmp

memory/2532-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2532-2-0x0000000070FDD000-0x0000000070FE8000-memory.dmp

memory/2532-9-0x0000000070FDD000-0x0000000070FE8000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

149s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo_de.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo_de.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 198.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1704-0-0x00007FFA5A330000-0x00007FFA5A340000-memory.dmp

memory/1704-1-0x00007FFA9A34D000-0x00007FFA9A34E000-memory.dmp

memory/1704-3-0x00007FFA5A330000-0x00007FFA5A340000-memory.dmp

memory/1704-4-0x00007FFA5A330000-0x00007FFA5A340000-memory.dmp

memory/1704-2-0x00007FFA5A330000-0x00007FFA5A340000-memory.dmp

memory/1704-7-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-6-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-9-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-8-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-11-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-12-0x00007FFA57C30000-0x00007FFA57C40000-memory.dmp

memory/1704-10-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-14-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-15-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-18-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-19-0x00007FFA57C30000-0x00007FFA57C40000-memory.dmp

memory/1704-20-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-22-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-21-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-17-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-16-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-13-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-5-0x00007FFA5A330000-0x00007FFA5A340000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1704-40-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

memory/1704-41-0x00007FFA9A34D000-0x00007FFA9A34E000-memory.dmp

memory/1704-42-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 db962ad18daf2acc948fbb3f66f6ed94
SHA1 2ef74e0a4eef3adff30777915b073bc8b0ac30db
SHA256 34f6c879361c5875120405f8af798d47c593fa2b8343bdff84a50fac381ac647
SHA512 681bd1339caa78fc462de839021ffeb988b33cf9c10f2abdb256bd86b5479db73cd0e83d826e1313ea4e3d4a868cd6491aa5d24d5afe838e5817d108132c1d04

memory/1704-48-0x00007FFA9A2B0000-0x00007FFA9A4A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDF256.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral32

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

139s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_iolo.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_iolo.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 7.98.51.23.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 105.246.116.51.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 198.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3248-0-0x00007FFE1544D000-0x00007FFE1544E000-memory.dmp

memory/3248-1-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

memory/3248-2-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

memory/3248-3-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

memory/3248-4-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

memory/3248-9-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-8-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-11-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-10-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-12-0x00007FFDD2C20000-0x00007FFDD2C30000-memory.dmp

memory/3248-7-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-6-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-5-0x00007FFDD5430000-0x00007FFDD5440000-memory.dmp

memory/3248-15-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-18-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-19-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-17-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-16-0x00007FFDD2C20000-0x00007FFDD2C30000-memory.dmp

memory/3248-14-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-13-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/3248-37-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-38-0x00007FFE1544D000-0x00007FFE1544E000-memory.dmp

memory/3248-39-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

memory/3248-40-0x00007FFE153B0000-0x00007FFE155A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 575436425fc2a7262ea9e4718f9e452c
SHA1 f686a10901a5b6e3d66980903ddd58eccc07479b
SHA256 e7e56bc53b90b52cdd94cc667c3490f82989c06b0e6358859579bf7404d56058
SHA512 f3dca7c89adf9fa97bbb568cf9fa86b25ba426abc39d4b2e859a967ab72f311775de56ccd93183717ed74150ba1ad9bbffe56b5ee2de24b9870262db2fcaef89

C:\Users\Admin\AppData\Local\Temp\TCD2D5C.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240729-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2680-0-0x000000002FC01000-0x000000002FC02000-memory.dmp

memory/2680-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2680-2-0x0000000070ACD000-0x0000000070AD8000-memory.dmp

memory/2680-9-0x0000000070ACD000-0x0000000070AD8000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3604 wrote to memory of 1868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3604 wrote to memory of 1868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3604 wrote to memory of 1868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1868 -ip 1868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240903-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2112-0-0x000000002FDE1000-0x000000002FDE2000-memory.dmp

memory/2112-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2112-2-0x000000007140D000-0x0000000071418000-memory.dmp

memory/2112-5-0x000000007140D000-0x0000000071418000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20241023-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo_de.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo_de.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2128-0-0x000000002FDA1000-0x000000002FDA2000-memory.dmp

memory/2128-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2128-2-0x00000000718DD000-0x00000000718E8000-memory.dmp

memory/2128-5-0x00000000718DD000-0x00000000718E8000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

143s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.173.79.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 198.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/2444-1-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

memory/2444-3-0x00007FF9AA9ED000-0x00007FF9AA9EE000-memory.dmp

memory/2444-4-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

memory/2444-2-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

memory/2444-8-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-9-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-11-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-13-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-10-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-15-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-12-0x00007FF968070000-0x00007FF968080000-memory.dmp

memory/2444-14-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-19-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-21-0x00007FF968070000-0x00007FF968080000-memory.dmp

memory/2444-23-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-20-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-22-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-18-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-17-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-16-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-7-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-6-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

memory/2444-5-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

memory/2444-0-0x00007FF96A9D0000-0x00007FF96A9E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/2444-41-0x00007FF9AA950000-0x00007FF9AAB45000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 3f0dac665ad8e6e70bafd81ef2d5858e
SHA1 2daf26482c18f9c69d4740fd2f4d37766c6d7966
SHA256 3812d19b6077e8533cf9c750be9e0aa4b803c20716e0bd2de34e61ebbe506df1
SHA512 756e3526b3f7dba2170344e591572775d19eb53984854f637e4f3fd720a4a6a31901564a5852b42b668ec6f1a03151877330d16f3f5044ba70ae5be6fb3f2e4a

C:\Users\Admin\AppData\Local\Temp\TCDEDBE.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240903-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1008 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1008 wrote to memory of 2016 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2016 -ip 2016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 224

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

142s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 4580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3448 wrote to memory of 4580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3448 wrote to memory of 4580 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4580 -ip 4580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 7.98.51.23.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2244-0-0x000000002FD81000-0x000000002FD82000-memory.dmp

memory/2244-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2244-2-0x0000000070CFD000-0x0000000070D08000-memory.dmp

memory/2244-9-0x0000000070CFD000-0x0000000070D08000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1588 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1588 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1588 wrote to memory of 1860 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1860 -ip 1860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\jp_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\jp_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2736-0-0x000000002F1F1000-0x000000002F1F2000-memory.dmp

memory/2736-2-0x00000000718ED000-0x00000000718F8000-memory.dmp

memory/2736-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2736-9-0x00000000718ED000-0x00000000718F8000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

147s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\jp_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\jp_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 7.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 7.98.51.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 198.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1052-1-0x00007FFDDD3CD000-0x00007FFDDD3CE000-memory.dmp

memory/1052-0-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

memory/1052-3-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

memory/1052-2-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

memory/1052-4-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

memory/1052-5-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1052-6-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1052-8-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1052-10-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1052-12-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1052-13-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1052-14-0x00007FFD9B0E0000-0x00007FFD9B0F0000-memory.dmp

memory/1052-11-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1052-15-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1052-9-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1052-7-0x00007FFD9D3B0000-0x00007FFD9D3C0000-memory.dmp

memory/1052-17-0x00007FFD9B0E0000-0x00007FFD9B0F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/1052-34-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1052-35-0x00007FFDDD3CD000-0x00007FFDDD3CE000-memory.dmp

memory/1052-36-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1052-37-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDD116.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5116 wrote to memory of 5092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5116 wrote to memory of 5092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5116 wrote to memory of 5092 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5092 -ip 5092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
N/A 20.50.80.213:443 tcp
US 8.8.8.8:53 udp
GB 104.78.173.167:80 tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 236

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

155s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 7.98.51.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 198.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 180.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/1488-0-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

memory/1488-5-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

memory/1488-1-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

memory/1488-2-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

memory/1488-3-0x00007FFFE056D000-0x00007FFFE056E000-memory.dmp

memory/1488-4-0x00007FFFA0550000-0x00007FFFA0560000-memory.dmp

memory/1488-6-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-7-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-9-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-10-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-8-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-11-0x00007FFF9DD30000-0x00007FFF9DD40000-memory.dmp

memory/1488-12-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-13-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-15-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-14-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-16-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-18-0x00007FFF9DD30000-0x00007FFF9DD40000-memory.dmp

memory/1488-19-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-21-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-20-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-17-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

memory/1488-39-0x00007FFFE056D000-0x00007FFFE056E000-memory.dmp

memory/1488-40-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 b201c65861247b6970b7a63d43d88872
SHA1 17acabeedd0eb944ede828c98ff934c3238638b4
SHA256 a056427c0cdb9f606edff9b2c51ddac5d0d21084805e0dbb0947e055a90b76b1
SHA512 da28e46b6195e53d35d67999c10406d58c42069a3180eaf43225ab425bb1cbc226317eadc76f713d5651464326b05f90df90847eea304447048940eb05864625

memory/1488-49-0x00007FFFE04D0000-0x00007FFFE06C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDFDD8.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral30

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_cb.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_cb.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 198.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/3260-3-0x00007FFC4548D000-0x00007FFC4548E000-memory.dmp

memory/3260-2-0x00007FFC05470000-0x00007FFC05480000-memory.dmp

memory/3260-4-0x00007FFC05470000-0x00007FFC05480000-memory.dmp

memory/3260-5-0x00007FFC05470000-0x00007FFC05480000-memory.dmp

memory/3260-9-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-8-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-7-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-6-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-1-0x00007FFC05470000-0x00007FFC05480000-memory.dmp

memory/3260-0-0x00007FFC05470000-0x00007FFC05480000-memory.dmp

memory/3260-11-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-12-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-13-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-14-0x00007FFC02BB0000-0x00007FFC02BC0000-memory.dmp

memory/3260-15-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-16-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-19-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-21-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-20-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-18-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-17-0x00007FFC02BB0000-0x00007FFC02BC0000-memory.dmp

memory/3260-10-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/3260-39-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

memory/3260-40-0x00007FFC453F0000-0x00007FFC455E5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 822d2778194e0847ca20fe065259d938
SHA1 6606f6f0e4849d42b8c566a79da0034489b5b992
SHA256 5daa5928370db2146e2898350332d92785f6c2f589ec4bd636cce6e0d0859432
SHA512 aeea1c945b13a52896d416135985d48f3d37d65239c999f3887ae219f65b919fea46ad998ad352c41cf3141b14b31181e371fcfe906946f272bde5a90ee69a79

C:\Users\Admin\AppData\Local\Temp\TCDCFBB.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20240903-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5bf1b2b77a3a8b708088dd409a3ee85c.exe"

C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe

C:\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~4633~4651~~URL Parts Error~~SendRequest Error~62-CA-C3-60-41-A9~#~~~SendRequest Error~

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.dlnortheastzone.com udp

Files

\Users\Admin\AppData\Local\Temp\nst937A.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

\Users\Admin\AppData\Local\Temp\nst937A.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

\Users\Admin\AppData\Local\Temp\nst937A.tmp\intlib.dll

MD5 1efbbf5a54eb145a1a422046fd8dfb2c
SHA1 ec4efd0a95bb72fd4cf47423647e33e5a3fddf26
SHA256 983859570099b941c19d5eb9755eda19dd21f63e8ccad70f6e93f055c329d341
SHA512 7fdeba8c961f3507162eb59fb8b9b934812d449cc85c924f61722a099618d771fed91cfb3944e10479280b73648a9a5cbb23482d7b7f8bfb130f23e8fd6c15fb

\Users\Admin\AppData\Local\Temp\nst937A.tmp\Math.dll

MD5 b140459077c7c39be4bef249c2f84535
SHA1 c56498241c2ddafb01961596da16d08d1b11cd35
SHA256 0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67
SHA512 fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

memory/1860-50-0x00000000004E0000-0x00000000004FA000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst937A.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nst937A.tmp\registry.dll

MD5 24a7a119e289f1b5b69f3d6cf258db7c
SHA1 fec84298f9819adf155fcf4e9e57dd402636c177
SHA256 ae53f8e00574a87dd243fdf344141417cfe2af318c6c5e363a030d727a6c75d1
SHA512 fdbbedcc877bf020a5965f6ba8586ade48cfbe03ac0af8190a8acf077fb294ffd6b5a7ae49870bff8cacd9e33d591be63b5b3d5c2e432c640212bdcd0c602861

\Users\Admin\AppData\Local\Temp\nst937A.tmp\GetVersion.dll

MD5 5264f7d6d89d1dc04955cfb391798446
SHA1 211d8d3e7c2b2f57f54a11cb8bc4fa536df08acc
SHA256 7d76c7dd8f7cd5a87e0118dacb434db3971a049501e22a5f4b947154621ab3d4
SHA512 80d27ee2f87e2822bd5c8c55cc3d1e49beebb86d8557c92b52b7cbea9f27882d80e59eefa25e414eecee268a9a6193b6b50b748de33c778b007cde24ef8bcfb7

\Users\Admin\AppData\Local\Temp\nst937A.tmp\stubdl.exe

MD5 7d901ec0b0c73772ea3c8179da0314cd
SHA1 781534f4014768b9d6bdf66d4fba2746219eee12
SHA256 9c068bc2ffd61cf0f25372800562a12952a75aef3bbe8a22ab23e86edb606d9a
SHA512 ececa2b045589199153458c1cfd06373c02528cbcc1483f4661a245272ae6962e4ca73c4f72282fa0759e9ccdf84fac710526743b1540ad92896dd6cc57b7992

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win7-20241010-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 228

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2664 wrote to memory of 2948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2948 -ip 2948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 61.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

144s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 7.98.51.23.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.198:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 198.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 166.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/4384-0-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp

memory/4384-2-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp

memory/4384-1-0x00007FFE733CD000-0x00007FFE733CE000-memory.dmp

memory/4384-3-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp

memory/4384-6-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-10-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-12-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-11-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-13-0x00007FFE30A50000-0x00007FFE30A60000-memory.dmp

memory/4384-9-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-8-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-7-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp

memory/4384-15-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-19-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-21-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-22-0x00007FFE30A50000-0x00007FFE30A60000-memory.dmp

memory/4384-20-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-18-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-17-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-16-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-14-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-5-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-4-0x00007FFE333B0000-0x00007FFE333C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

memory/4384-40-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

memory/4384-41-0x00007FFE733CD000-0x00007FFE733CE000-memory.dmp

memory/4384-42-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 51c80ba6d554cece2cfd64b667160b34
SHA1 cdabda3e352f6c62162a40c9684e80093d7306f8
SHA256 890f44ca3a80fc3ea2ba2ecfbd6445c5c15f81677b35e6e641f504f307559a74
SHA512 cae72862e99ed6058503f0f91d8c0d067f15992f4a8cd0d52f198335fec55e8db17d26fa928676374eef8388993aaea9f8bec632ba1c54de658a55f6ed11702d

memory/4384-48-0x00007FFE73330000-0x00007FFE73525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDF643.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Analysis: behavioral18

Detonation Overview

Submitted

2025-01-15 16:17

Reported

2025-01-15 16:19

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
GB 2.18.190.195:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 195.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/2184-3-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

memory/2184-0-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

memory/2184-1-0x00007FF819E6D000-0x00007FF819E6E000-memory.dmp

memory/2184-2-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

memory/2184-4-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-5-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

memory/2184-6-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-7-0x00007FF7D9E50000-0x00007FF7D9E60000-memory.dmp

memory/2184-10-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-9-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-8-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-13-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-12-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-11-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-15-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-16-0x00007FF7D7BF0000-0x00007FF7D7C00000-memory.dmp

memory/2184-14-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-17-0x00007FF7D7BF0000-0x00007FF7D7C00000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2184-41-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-42-0x00007FF819E6D000-0x00007FF819E6E000-memory.dmp

memory/2184-43-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

memory/2184-44-0x00007FF819DD0000-0x00007FF819FC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDE7BC.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d