Malware Analysis Report

2025-08-05 23:32

Sample ID 250119-x5mv7askay
Target JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85
SHA256 2a3c5aaed84022d4a977905bdd24cc4baa361f9fc0e56d6dd2c5999ef80854ed
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files, in the order they appear below:
behavioral11, behavioral14, behavioral18, behavioral22, behavioral7, behavioral8, behavioral10, behavioral12, behavioral13, behavioral15, behavioral30, behavioral1, behavioral2, behavioral6, behavioral21, behavioral25, behavioral3, behavioral24, behavioral28, behavioral4, behavioral20, behavioral26, behavioral27, behavioral29, behavioral31, behavioral32, behavioral5, behavioral9, behavioral19, behavioral23, behavioral16, behavioral17

Analysis Overview

score
7/10

SHA256

2a3c5aaed84022d4a977905bdd24cc4baa361f9fc0e56d6dd2c5999ef80854ed

Threat Level: Shows suspicious behavior

The file JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85 was found to show suspicious behavior.

How to read the detonations below: the static pass identifies the sample as an unsigned NSIS installer, and most behavioral runs are the sandbox executing files the installer unpacks into its $PLUGINSDIR directory, namely standard NSIS plugin DLLs (System.dll, UserInfo.dll, GetVersion.dll, Math.dll) called by ordinal through rundll32, and bundled license RTFs opened in Word. NSIS plugin exports expect the installer's variable table and stack as arguments, not the (HWND, HINSTANCE, LPSTR, int) layout rundll32 passes, so the "Program crash" and WerFault entries in those runs are the expected outcome of running a plugin out of context and say nothing about the installer's payload. The registry reads and the officeapps.live.com / cdn.office.net traffic in the WINWORD runs are Word's own startup behavior. The summary items most relevant to the spyware/stealer tags (Loads dropped DLL, Executes dropped EXE, Reads user/profile data of web browsers, Enumerates physical storage devices) are not attributed to any of the runs reproduced below.

Malicious Activity Summary

discovery spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

NSIS installer

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-19 19:26

Signatures

Unsigned PE

Description Indicator Process Target
10 matches, no indicator details recorded (all fields N/A)

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
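The two static signatures above (Unsigned PE, NSIS installer) are the checks worth reproducing locally before trusting a detonation: confirm the file you hold has the reported SHA256, confirm the PE carries no Authenticode blob, and confirm the NSIS first-header marker is present. The script below is an added example written for this page, not the sandbox's own signature code. It parses only the PE header fields it needs (no pefile dependency), and the build_sample_pe helper fabricates a minimal, non-executable PE32 header so the checks can be exercised offline; that constructed input is not the sample from the report, and its hash will not match REPORTED_SHA256.

```python
import hashlib
import struct

# Marker at the start of the NSIS "first header" that precedes the compressed installer data.
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
# SHA256 reported for the sample on this page.
REPORTED_SHA256 = "2a3c5aaed84022d4a977905bdd24cc4baa361f9fc0e56d6dd2c5999ef80854ed"


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def security_directory(data):
    """Return (file_offset, size) of the Authenticode (security) data directory,
    (0, 0) when the PE has no signature blob, or None when data is not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = _u32(data, 0x3C)
    coff = e_lfanew + 4
    opt = coff + 20
    if opt > len(data) or data[e_lfanew:coff] != b"PE\0\0":
        return None
    opt_size = _u16(data, coff + 16)
    if opt_size < 2 or opt + opt_size > len(data):
        return None
    magic = _u16(data, opt)
    if magic == 0x10B:        # PE32
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    if n_dirs_off + 4 > opt + opt_size:
        return None
    entry = dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if _u32(data, n_dirs_off) <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + opt_size:
        return (0, 0)
    # The security directory holds a raw file offset, not an RVA.
    return (_u32(data, entry), _u32(data, entry + 4))


def triage(data):
    """Static triage mirroring the static1 signatures: hash, PE-ness, Authenticode presence, NSIS marker."""
    sec = security_directory(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": sec is not None,
        "unsigned_pe": sec is not None and sec[1] == 0,
        "nsis_installer": NSIS_MARKER in data,
    }


def matches_report(data, expected=REPORTED_SHA256):
    """True when the bytes hash to the SHA256 the report lists for the sample."""
    return hashlib.sha256(data).hexdigest() == expected.lower()


def build_sample_pe(signed=False, nsis=False):
    """Constructed minimal PE32 header plus tail, for demonstration only; it is not
    executable and not the sample from the report."""
    opt_size = 224                                     # PE32 optional header with 16 directories
    hdr_len = 0x40 + 4 + 20 + opt_size
    tail = (b"\0" * 64 + NSIS_MARKER + b"\0" * 64) if nsis else b"\0" * 64
    cert = b"constructed placeholder for a WIN_CERTIFICATE blob" if signed else b""
    hdr = bytearray(hdr_len)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    struct.pack_into("<H", hdr, coff, 0x14C)           # Machine = i386
    struct.pack_into("<H", hdr, coff + 16, opt_size)   # SizeOfOptionalHeader
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)          # NumberOfRvaAndSizes
    if signed:
        entry = opt + 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
        struct.pack_into("<II", hdr, entry, hdr_len + len(tail), len(cert))
    return bytes(hdr) + tail + cert


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read()
        print(path, triage(blob), "matches report:", matches_report(blob))
```

A non-zero security directory only says a signature blob is attached; it does not validate the chain, so treat unsigned_pe as a triage fact, not a trust decision. The NSIS marker check is a substring scan because the first header sits after the PE image, at a position that depends on the stub.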

Analysis: behavioral11

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240729-en

Max time kernel

16s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 224

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:29

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 4920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4920 -ip 4920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 85.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A
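The rundll32 runs above (behavioral11 and behavioral14, and the System.dll, GetVersion.dll and Math.dll runs that follow) share one shape: 64-bit rundll32 spawns a SysWOW64 rundll32 for a 32-bit DLL under $PLUGINSDIR, the export is called by ordinal (#1), and WerFault then reports on the child PID. The following is an added example, not the sandbox's detection logic, showing how to pull those facts out of process-creation records: parse the rundll32 command line, flag the DLL location and ordinal call, and link each WerFault "-p <pid>" to the rundll32 instance that crashed. The sample events are constructed from behavioral14; PIDs 3492 and 4920 and the command lines are from the report, while the parent of 3492 and the WerFault PIDs and parents are assumed.

```python
import re

# rundll32 takes "<dll path>,<export>" after the image name; an export of the form "#N" is an ordinal.
RUNDLL32_RE = re.compile(
    r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<entry>[^\s,]+)',
    re.IGNORECASE,
)
# WerFault names the crashed process with "-p <pid>"; "-pss" is a different switch and must not match.
WERFAULT_PID_RE = re.compile(r"(?:^|\s)-p\s+(\d+)(?=\s|$)")

# Constructed process-creation events modelled on behavioral14 (see lead-in for what is assumed).
SAMPLE_EVENTS = [
    {"pid": 3492, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1"},
    {"pid": 4920, "ppid": 3492, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1"},
    {"pid": 5100, "ppid": 4920, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4920 -ip 4920"},
    {"pid": 5101, "ppid": 5100, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 612"},
]


def parse_rundll32(cmdline):
    """Split a rundll32 command line into DLL path and export; None if it is not one."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    entry = m.group("entry")
    return {"dll": m.group("dll"), "entry": entry, "by_ordinal": entry.startswith("#")}


def rundll32_findings(cmdline):
    """Triage flags for a rundll32 invocation: DLL in user temp, NSIS plugin dir, ordinal export."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll = parsed["dll"].lower()
    findings = []
    if "\\appdata\\local\\temp\\" in dll:
        findings.append("dll_in_user_temp")
    if "\\$pluginsdir\\" in dll:
        findings.append("nsis_plugin_dir")
    if parsed["by_ordinal"]:
        findings.append("export_by_ordinal")
    return findings


def crashed_pids(events):
    """PIDs that WerFault reported on, taken from its '-p <pid>' argument."""
    pids = set()
    for ev in events:
        if ev["image"].lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(ev["cmdline"])
            if m:
                pids.add(int(m.group(1)))
    return pids


def triage(events):
    """One record per rundll32 process: what it loaded, why it is notable, and whether it crashed."""
    crashed = crashed_pids(events)
    by_pid = {ev["pid"]: ev for ev in events}
    out = []
    for ev in events:
        parsed = parse_rundll32(ev["cmdline"])
        if parsed is None or not ev["image"].lower().endswith("\\rundll32.exe"):
            continue
        parent = by_pid.get(ev["ppid"])
        out.append({
            "pid": ev["pid"],
            "dll": parsed["dll"],
            "entry": parsed["entry"],
            "findings": rundll32_findings(ev["cmdline"]),
            # The WOW64 re-launch that shows up as "wrote to memory of" in the report.
            "wow64_child_of_rundll32": parent is not None
                                       and "\\syswow64\\" in ev["image"].lower()
                                       and parent["image"].lower().endswith("\\rundll32.exe"),
            "crashed": ev["pid"] in crashed,
        })
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_EVENTS):
        print(rec)
```

The 64-bit parent writing into the SysWOW64 child is what the "Suspicious use of WriteProcessMemory" rows record; it is rundll32's own 32-bit relaunch, not injection into a foreign process, which is why the finding list here keys on the DLL path and ordinal rather than on the memory write.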

Analysis: behavioral18

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:29

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
IE 52.109.76.243:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 243.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
FR 104.123.50.145:443 binaries.templates.cdn.office.net tcp (37 identical connection rows)
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 145.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 160.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 155.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/4564-0-0x00007FFAA0D10000-0x00007FFAA0D20000-memory.dmp

memory/4564-3-0x00007FFAE0D2D000-0x00007FFAE0D2E000-memory.dmp

memory/4564-8-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-7-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-6-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-10-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-11-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-13-0x00007FFA9E7C0000-0x00007FFA9E7D0000-memory.dmp

memory/4564-12-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-9-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-14-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-16-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-17-0x00007FFA9E7C0000-0x00007FFA9E7D0000-memory.dmp

memory/4564-18-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-21-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-20-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-19-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-15-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

memory/4564-5-0x00007FFAA0D10000-0x00007FFAA0D20000-memory.dmp

memory/4564-4-0x00007FFAA0D10000-0x00007FFAA0D20000-memory.dmp

memory/4564-2-0x00007FFAA0D10000-0x00007FFAA0D20000-memory.dmp

memory/4564-1-0x00007FFAA0D10000-0x00007FFAA0D20000-memory.dmp

memory/4564-33-0x00007FFAE0C90000-0x00007FFAE0E85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TCDD199.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral22

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:31

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\jp_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\jp_license.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 155.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 188.77.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 193.98.74.40.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp (46 identical connection rows)
US 8.8.8.8:53 136.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp
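The network tables for the WINWORD runs (behavioral18 above and behavioral22 here) are dominated by two things that carry no verdict information: dozens of identical rows for the same template CDN connection, and PTR lookups (the in-addr.arpa names) of addresses already seen. What a practitioner wants from such a table is the set of distinct forward domains and endpoints, the reverse-lookup targets as plain IPs, and whatever is left after removing the domains Word contacts on its own. The script below is an added example for this page, not tooling from the sandbox; it parses the report's "Country Destination Domain Proto" layout. SAMPLE_NETWORK_TABLE is a constructed excerpt modelled on behavioral22, and OFFICE_BASELINE is the editor's assumed allowlist of Office startup domains, not a list the report provides.

```python
from collections import Counter

# Constructed excerpt modelled on the behavioral22 table; not the full table.
SAMPLE_NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 136.252.19.2.in-addr.arpa udp
"""

# Assumed baseline of domain suffixes Word contacts on launch (editor's assumption, not from the report).
OFFICE_BASELINE = ("officeapps.live.com", "cdn.office.net")


def parse_rows(text):
    """Turn the report's four-column network table into dicts; skips the header and malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def classify(row):
    """ptr = reverse lookup of an address, dns = forward query, conn = actual connection."""
    if row["domain"].endswith(".in-addr.arpa"):
        return "ptr"
    if row["port"] == 53:
        return "dns"
    return "conn"


def ptr_to_ip(domain):
    """'154.239.44.20.in-addr.arpa' -> '20.44.239.154' (octets are reversed in PTR names)."""
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def in_baseline(domain, baseline=OFFICE_BASELINE):
    return any(domain == b or domain.endswith("." + b) for b in baseline)


def summarize(text, baseline=OFFICE_BASELINE):
    rows = parse_rows(text)
    kinds = Counter(classify(r) for r in rows)
    connections = Counter((r["host"], r["port"], r["domain"], r["proto"])
                          for r in rows if classify(r) == "conn")
    forward = {r["domain"] for r in rows if classify(r) != "ptr"}
    reverse = {ptr_to_ip(r["domain"]) for r in rows if classify(r) == "ptr"}
    return {
        "rows": len(rows),
        "ptr_lookups": kinds["ptr"],
        "dns_queries": kinds["dns"],
        "connections": connections,          # distinct endpoint -> how many rows it produced
        "forward_domains": sorted(forward),
        "reverse_lookups": sorted(reverse),
        "unexplained": sorted(d for d in forward if not in_baseline(d, baseline)),
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETWORK_TABLE
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
```

An empty "unexplained" list, as for the WINWORD runs, means the table adds nothing beyond Word's own telemetry and template fetches; a non-empty one is the short list worth pivoting on. The baseline is deliberately a suffix match so that hosts such as roaming.officeapps.live.com are covered without listing every subdomain.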

Files

memory/4100-1-0x00007FFAC0C0D000-0x00007FFAC0C0E000-memory.dmp

memory/4100-0-0x00007FFA80BF0000-0x00007FFA80C00000-memory.dmp

memory/4100-2-0x00007FFA80BF0000-0x00007FFA80C00000-memory.dmp

memory/4100-4-0x00007FFA80BF0000-0x00007FFA80C00000-memory.dmp

memory/4100-3-0x00007FFA80BF0000-0x00007FFA80C00000-memory.dmp

memory/4100-5-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-6-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-9-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-11-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-12-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-13-0x00007FFA7E440000-0x00007FFA7E450000-memory.dmp

memory/4100-10-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-15-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-19-0x00007FFA7E440000-0x00007FFA7E450000-memory.dmp

memory/4100-18-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-17-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-16-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-14-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-8-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-7-0x00007FFA80BF0000-0x00007FFA80C00000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/4100-37-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-38-0x00007FFAC0C0D000-0x00007FFAC0C0E000-memory.dmp

memory/4100-39-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

memory/4100-40-0x00007FFAC0B70000-0x00007FFAC0D65000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 c33cb5a5384779d1edbf275bc5c6cb47
SHA1 7819001aa570a60fa83534dfdc907ac7e290231e
SHA256 8e2b64ef254be82457d3f60c9a4138ecbd1580b13d7fda74cd064e03ab173f66
SHA512 c23c861da55706cc3551c9c60ec9157ed463c46650162ebb6dc33f348931730dd1b5bf476e53a18e3cd185742d9b9dd8d3703b4af8da71b9ae5cdd85822dac42

C:\Users\Admin\AppData\Local\Temp\TCDD7C4.tmp\iso690.xsl

MD5 ff0e07eff1333cdf9fc2523d323dd654
SHA1 77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4
SHA256 3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5
SHA512 b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Analysis: behavioral7

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:29

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4620 wrote to memory of 3304 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\GetVersion.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3304 -ip 3304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 155.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 29.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:29

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 1340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1340 -ip 1340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1340 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 163.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.153.16.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:29

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

147s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 2448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2448 -ip 2448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 21.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 224

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20241023-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2416-0-0x000000002F741000-0x000000002F742000-memory.dmp

memory/2416-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2416-2-0x000000007343D000-0x0000000073448000-memory.dmp

memory/2416-5-0x000000007343D000-0x0000000073448000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:31

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_cb.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_cb.rtf" /o ""

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\TCD2618.tmp\sist02.xsl

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj800A.tmp\stubdl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj800A.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj800A.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj800A.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj800A.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj800A.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj800A.tmp\stubdl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsj800A.tmp\stubdl.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe"

C:\Users\Admin\AppData\Local\Temp\nsj800A.tmp\stubdl.exe

C:\Users\Admin\AppData\Local\Temp\nsj800A.tmp\stubdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~872~4849~~URL Parts Error~~SendRequest Error~4A-17-47-94-FC-88~#~~~SendRequest Error~

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.dlnortheastzone.com udp

Files

\Users\Admin\AppData\Local\Temp\nsj800A.tmp\nsDialogs.dll

\Users\Admin\AppData\Local\Temp\nsj800A.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsj800A.tmp\intlib.dll

\Users\Admin\AppData\Local\Temp\nsj800A.tmp\Math.dll

memory/1808-50-0x0000000000B10000-0x0000000000B2A000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsj800A.tmp\UserInfo.dll

\Users\Admin\AppData\Local\Temp\nsj800A.tmp\registry.dll

\Users\Admin\AppData\Local\Temp\nsj800A.tmp\GetVersion.dll

\Users\Admin\AppData\Local\Temp\nsj800A.tmp\stubdl.exe

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\stubdl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\stubdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\stubdl.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\stubdl.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0db3fbadd1dfe4af960271ce3c42e85.exe"

C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\stubdl.exe

C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\stubdl.exe ~URL Parts Error~~~~URL Parts Error~URL Parts Error~~#~872~4849~~URL Parts Error~~SendRequest Error~5E-A3-48-B3-8F-9D~#~~~SendRequest Error~

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1356 -ip 1356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1356 -s 1624

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\intlib.dll

C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\Math.dll

memory/1356-55-0x0000000002AC0000-0x0000000002ADA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\registry.dll

C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\GetVersion.dll

C:\Users\Admin\AppData\Local\Temp\nsd7550.tmp\stubdl.exe

Analysis: behavioral6

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:29

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf" /o ""

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

C:\Users\Admin\AppData\Local\Temp\TCDDC92.tmp\gb.xsl

Analysis: behavioral21

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\jp_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\jp_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2084-0-0x000000002F341000-0x000000002F342000-memory.dmp

memory/2084-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2084-2-0x0000000070FBD000-0x0000000070FC8000-memory.dmp

memory/2084-9-0x0000000070FBD000-0x0000000070FC8000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

118s

Max time network

118s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo_de.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo_de.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2372-0-0x000000002F331000-0x000000002F332000-memory.dmp

memory/2372-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2372-2-0x0000000070EAD000-0x0000000070EB8000-memory.dmp

memory/2372-5-0x0000000070EAD000-0x0000000070EB8000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240729-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 224

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:31

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

145s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 188.77.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
GB 95.101.143.193:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 193.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 136.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 e2670ad696a595c919e01db40a1a45e1
SHA1 3fd9f9691d78d36d5f205c6e40b52c17386ab689
SHA256 23bfb7fea58630721e73a7c3b70f47950b7c1e7c0ee43634f9bb70c48a6d234f
SHA512 77a940499d11bfb57323659e485be876c45b7f1a19aa142c23e9decb5a516427e4223af9343b1f544a6988ea530c143fa3cd0b6f263ded50b6efb3544496490d

C:\Users\Admin\AppData\Local\Temp\TCD3588.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Analysis: behavioral28

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:31

Platform

win10v2004-20241007-en

Max time kernel

122s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 188.77.23.2.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
GB 2.19.252.136:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 136.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 167.173.78.104.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\TCDD230.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Analysis: behavioral4

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:29

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5016 wrote to memory of 1224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5016 wrote to memory of 1224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5016 wrote to memory of 1224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\CustomLicense.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1224 -ip 1224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 245.131.30.184.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 167.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:31

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 456 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 456 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 456 wrote to memory of 2128 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2128 -ip 2128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 155.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 188.77.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:31

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

135s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo_de.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo_de.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.89.109.52.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 60.153.16.2.in-addr.arpa udp
US 8.8.8.8:53 188.77.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 88.221.135.49:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
US 8.8.8.8:53 49.135.221.88.in-addr.arpa udp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 143.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 181.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 155.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 f38b6b6bcfc9f17612ae2fdd78b4f2c7
SHA1 79a799ba9b852971e30b4d4ee1182b922500ed2c
SHA256 a3266d009b63e810bd2cf22f596253777f218f6769555c9c0adaec49cc0ab346
SHA512 5b242e7a4ceb7dd35472f42a2c0e67732a09193cdfa701065a29e892b757c23f11745f16de53c5287ce2b44b05e96bf834a475e7b58c81ba4bee323182b41db5

C:\Users\Admin\AppData\Local\Temp\TCD4A5A.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Analysis: behavioral27

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20241010-en

Max time kernel

54s

Max time network

19s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_GDS.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1996-0-0x000000002FEE1000-0x000000002FEE2000-memory.dmp

memory/1996-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1996-2-0x000000007139D000-0x00000000713A8000-memory.dmp

memory/1996-9-0x000000007139D000-0x00000000713A8000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_cb.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_cb.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2092-0-0x000000002F341000-0x000000002F342000-memory.dmp

memory/2092-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2092-2-0x0000000071A5D000-0x0000000071A68000-memory.dmp

memory/2092-11-0x0000000071A5D000-0x0000000071A68000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_iolo.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_iolo.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/2692-0-0x000000002FCA1000-0x000000002FCA2000-memory.dmp

memory/2692-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2692-2-0x000000007136D000-0x0000000071378000-memory.dmp

memory/2692-5-0x000000007136D000-0x0000000071378000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:32

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_iolo.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_iolo.rtf" /o ""

Network

Files

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 d29962abc88624befc0135579ae485ec
SHA1 e40a6458296ec6a2427bcb280572d023a9862b31
SHA256 a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA512 4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 e608e779e6ed32ed72d758b385cec3f5
SHA1 438978ac005c74772d6ceff7c5898f495b1e9894
SHA256 f96f02379a5cc15e4a0b317f045a654c68592066ef49f40e1f451aafe37d6c2d
SHA512 98ee32937e9dfc751ca07c4d400a99b5521233c0fcd7b230259489a332f4563c83e1931dccfb71c50bad1edb22b42f86de44847164bd80c043f43890a460f83f

C:\Users\Admin\AppData\Local\Temp\TCD1724.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral5

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DefaultTab_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

Analysis: behavioral9

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 224

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\intlib.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 236

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\license_Ciuvo.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

Analysis: behavioral16

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:29

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

139s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\frg_license.rtf" /o ""

Network

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 2c53a47f06dac43358927bedcc77b563
SHA1 1806869eb04eb03e7a3e883feafc417a7ea46f02
SHA256 1c0677af4052fcb8dd78e01f11326b0101efcae45c3d6862973e7f560c5014fb
SHA512 6cd3ffbb996354284ef2434d87ea897adb4f62aef31cd0c1ceeab9d85add1a2cab839bd370bf1ec11c4157748bc7f9dc7ddc8165e9209eb540c0abe92f599ff0

C:\Users\Admin\AppData\Local\Temp\TCDE683.tmp\gb.xsl

MD5 51d32ee5bc7ab811041f799652d26e04
SHA1 412193006aa3ef19e0a57e16acf86b830993024a
SHA256 6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA512 5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Analysis: behavioral17

Detonation Overview

Submitted

2025-01-19 19:26

Reported

2025-01-19 19:28

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf"

Signatures

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gc_license.rtf"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files
