Malware Analysis Report

2025-08-05 14:43

Sample ID: 250701-hdmc1sdm3x
Target: Setup.exe
SHA256: 240bce5a0d11df228597503ac7070f5f54cb40b71a8d1ed7f3de3d97dafacd47
Tags: lumma, discovery, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V16)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral2, behavioral3, behavioral5, behavioral6, behavioral9, behavioral10, behavioral4, behavioral7, behavioral8 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 240bce5a0d11df228597503ac7070f5f54cb40b71a8d1ed7f3de3d97dafacd47

Threat Level: Known bad

The file Setup.exe was found to be: Known bad.

Malicious Activity Summary

Tags: lumma, discovery, stealer

Lumma family

Lumma Stealer, LummaC

Execution chain recorded in behavioral1: Setup.exe spawns cmd.exe, which copies the dropped Entitled.dot to Entitled.dot.bat and runs it. The batch file lists processes twice with tasklist and pipes each listing into findstr (the findstr invocations carry no file argument, so they read standard input) to look for security-product processes (opssvc and wrsa, then bdservicehost, SophosHealth, AvastUI, AVGUI, nsWscSvc and ekrn), expands the cabinet Importantly.dot with extrac32 /Y, filters the dropped file Operation through findstr /V "educators" (every line containing the marker is discarded), executes the dropped 479390\Super.com with the dropped file 479390\C as its only argument, and waits with choice /d n /t 5. Super.com (PID 2108) is the process whose memory was dumped, and the run's only non-sandbox network activity is two TLS connections to steamcommunity.com, which is consistent with Lumma's documented use of Steam profile pages as a dead-drop resolver for its C2 address. Entitled.dot and Importantly.dot are Word templates only by extension: the .dot suffix caused the sandbox to open each such file in WINWORD.EXE (behavioral2 through behavioral10), and those runs show nothing beyond Office start-up behaviour and telemetry.

Executes dropped EXE

Enumerates processes with tasklist

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Reported

2025-07-01 06:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-01 06:37

Reported

2025-07-01 06:40

Platform

win11-20250619-en

Max time kernel

136s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Lumma Stealer, LummaC (tags: stealer, lumma)

Lumma family (tag: lumma)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\479390\Super.com | N/A

Enumerates processes with tasklist (tag: discovery)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\DiagramAuckland | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\TrueCalculations | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\CumSink | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
File opened for modification | C:\Windows\ChoiceNitrogen | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

The NLS\Language key is opened by every 32-bit process in this run, including the stock Windows binaries cmd.exe, tasklist.exe, findstr.exe, extrac32.exe and choice.exe, so this signature on its own is not evidence of a deliberate locale check by the sample.

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\extrac32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\479390\Super.com | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A

Suspicious use of AdjustPrivilegeToken

tasklist.exe enables SeDebugPrivilege on every run so that it can enumerate all processes; the privilege is acquired by the tool itself, and the sample's contribution is launching it.

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\479390\Super.com | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\479390\Super.com | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\479390\Super.com | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\479390\Super.com | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\479390\Super.com | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\479390\Super.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2608 wrote to memory of 3288 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 3288 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 2608 wrote to memory of 3288 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\cmd.exe
PID 3288 wrote to memory of 4352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3288 wrote to memory of 4352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3288 wrote to memory of 4352 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3288 wrote to memory of 4360 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3288 wrote to memory of 4360 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3288 wrote to memory of 4360 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3288 wrote to memory of 4076 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3288 wrote to memory of 4076 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3288 wrote to memory of 4076 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\tasklist.exe
PID 3288 wrote to memory of 4164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3288 wrote to memory of 4164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3288 wrote to memory of 4164 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3288 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\extrac32.exe
PID 3288 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\extrac32.exe
PID 3288 wrote to memory of 1564 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\extrac32.exe
PID 3288 wrote to memory of 1324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3288 wrote to memory of 1324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3288 wrote to memory of 1324 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 3288 wrote to memory of 2108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\479390\Super.com
PID 3288 wrote to memory of 2108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\479390\Super.com
PID 3288 wrote to memory of 2108 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\479390\Super.com
PID 3288 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 3288 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe
PID 3288 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\choice.exe

Processes

The tree below keeps the report's process order; parent/child relations and PIDs are taken from the WriteProcessMemory table above (the sandbox records three write events per spawned child).

C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2608)
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"

    C:\Windows\SysWOW64\cmd.exe (PID 3288)
        "C:\Windows\system32\cmd.exe" /c copy Entitled.dot Entitled.dot.bat & Entitled.dot.bat
        (copies the dropped Entitled.dot to a .bat and runs it; every process below is a child of this cmd.exe)

        C:\Windows\SysWOW64\tasklist.exe (PID 4352)
            tasklist

        C:\Windows\SysWOW64\findstr.exe (PID 4360)
            findstr /I "opssvc wrsa"
            (no file argument, so findstr reads the piped tasklist output; findstr treats the space-separated words as alternatives, so this is a case-insensitive match for either the Quick Heal opssvc or the Webroot wrsa process)

        C:\Windows\SysWOW64\tasklist.exe (PID 4076)
            tasklist

        C:\Windows\SysWOW64\findstr.exe (PID 4164)
            findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn"
            (second process check, for Bitdefender, Sophos, Avast, AVG, Norton and ESET processes)

        C:\Windows\SysWOW64\extrac32.exe (PID 1564)
            extrac32 /Y Importantly.dot *.*
            (expands every member of the cabinet Importantly.dot, overwriting existing files without prompting)

        C:\Windows\SysWOW64\findstr.exe (PID 1324)
            findstr /V "educators" Operation
            (prints every line of the dropped file Operation that does not contain "educators"; where that output is redirected is not visible in the recorded command line)

        C:\Users\Admin\AppData\Local\Temp\479390\Super.com (PID 2108)
            Super.com C
            (dropped executable, run with the dropped file 479390\C as its only argument; the memory dumps listed under Files belong to this PID)

        C:\Windows\SysWOW64\choice.exe (PID 1460)
            choice /d n /t 5
            (five-second delay: choice selects the default answer "n" when the timeout expires)
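
The process tree above is the kind of chain that is easier to catch on the relationships between commands than on any single binary. The following is an added example, not code from the sandbox vendor or from this report: a small rule set over process-creation events that flags the stages seen here (file renamed to .bat and run, findstr over a piped process list with security-product names, extrac32 on a file without a .cab extension, findstr /V line carving, a .com executed from under Temp, and a choice-based delay) and calls it a dropper chain when several stages share one cmd.exe parent. SAMPLE_EVENTS is constructed from this page's process tree; the event field names loosely follow Sysmon Event ID 1 and CHAIN_THRESHOLD is a tuning choice, both of which are assumptions.

```python
"""Detection logic for the cmd.exe dropper chain recorded in behavioral1.

Added example; it is not part of the sandbox report. SAMPLE_EVENTS is constructed
from the Processes and WriteProcessMemory tables on this page (PIDs, parents,
command lines). The event field names loosely follow Sysmon Event ID 1 and are an
assumption; CHAIN_THRESHOLD is a tuning choice, not a vendor value.
"""
import re
from collections import defaultdict

# Process names taken verbatim from the two findstr invocations in the report.
SECURITY_PRODUCT_PROCS = {"opssvc", "wrsa", "bdservicehost", "sophoshealth",
                          "avastui", "avgui", "nswscsvc", "ekrn"}
CHAIN_THRESHOLD = 3  # distinct stages under one cmd.exe before we call it a chain

T = r"C:\Users\Admin\AppData\Local\Temp"
S = r"C:\Windows\SysWOW64"
SAMPLE_EVENTS = [  # constructed from the report's process tree
    {"pid": 2608, "ppid": 1000, "image": T + r"\Setup.exe", "cmdline": f'"{T}\\Setup.exe"'},
    {"pid": 3288, "ppid": 2608, "image": S + r"\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c copy Entitled.dot Entitled.dot.bat & Entitled.dot.bat'},
    {"pid": 4352, "ppid": 3288, "image": S + r"\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 4360, "ppid": 3288, "image": S + r"\findstr.exe", "cmdline": 'findstr /I "opssvc wrsa"'},
    {"pid": 4076, "ppid": 3288, "image": S + r"\tasklist.exe", "cmdline": "tasklist"},
    {"pid": 4164, "ppid": 3288, "image": S + r"\findstr.exe",
     "cmdline": 'findstr "bdservicehost SophosHealth AvastUI AVGUI nsWscSvc ekrn"'},
    {"pid": 1564, "ppid": 3288, "image": S + r"\extrac32.exe", "cmdline": "extrac32 /Y Importantly.dot *.*"},
    {"pid": 1324, "ppid": 3288, "image": S + r"\findstr.exe", "cmdline": 'findstr /V "educators" Operation'},
    {"pid": 2108, "ppid": 3288, "image": T + r"\479390\Super.com", "cmdline": "Super.com C"},
    {"pid": 1460, "ppid": 3288, "image": S + r"\choice.exe", "cmdline": "choice /d n /t 5"},
]


def _tokens(cmdline):
    """Split a cmd.exe command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _exe(ev):
    """Lower-cased image file name without its directory."""
    return ev["image"].rsplit("\\", 1)[-1].lower()


def rule_rename_to_bat(ev):
    """cmd.exe copies a non-script file to *.bat and immediately runs the copy."""
    m = re.search(r"copy\s+(\S+)\s+(\S+\.bat)\s*&\s*\2", ev["cmdline"], re.I)
    return _exe(ev) == "cmd.exe" and bool(m) and not m.group(1).lower().endswith((".bat", ".cmd"))


def rule_security_product_discovery(ev):
    """findstr whose search words are security-product process names (input is the piped tasklist)."""
    words = {w.lower() for t in _tokens(ev["cmdline"])[1:] if not t.startswith("/") for w in t.split()}
    return _exe(ev) == "findstr.exe" and bool(words & SECURITY_PRODUCT_PROCS)


def rule_extrac32_disguised_cab(ev):
    """extrac32 expanding a cabinet whose file name does not end in .cab."""
    args = [t for t in _tokens(ev["cmdline"])[1:] if not t.startswith("/")]
    return _exe(ev) == "extrac32.exe" and bool(args) and not args[0].lower().endswith(".cab")


def rule_findstr_carve(ev):
    """findstr /V drops lines containing a marker: the usual way a padded payload is trimmed."""
    return _exe(ev) == "findstr.exe" and "/v" in [t.lower() for t in _tokens(ev["cmdline"])]


def rule_temp_com_execution(ev):
    """A .com file executed from a directory under the user's Temp folder."""
    img = ev["image"].lower()
    return img.endswith(".com") and "\\appdata\\local\\temp\\" in img


def rule_choice_delay(ev):
    """choice /d <x> /t <n>: a sleep primitive that needs neither timeout.exe nor PowerShell."""
    toks = [t.lower() for t in _tokens(ev["cmdline"])]
    return _exe(ev) == "choice.exe" and "/t" in toks and "/d" in toks


RULES = {f.__name__[5:]: f for f in (rule_rename_to_bat, rule_security_product_discovery,
                                     rule_extrac32_disguised_cab, rule_findstr_carve,
                                     rule_temp_com_execution, rule_choice_delay)}


def evaluate(events):
    """Attribute every rule hit to the nearest cmd.exe ancestor and score each cmd.exe.

    Returns {cmd_pid: {"hits": {rule names}, "chain": bool}}; processes without hits are omitted.
    """
    by_pid = {ev["pid"]: ev for ev in events}
    hits = defaultdict(set)
    for ev in events:
        fired = {name for name, rule in RULES.items() if rule(ev)}
        if not fired:
            continue
        anchor = ev
        while anchor is not None and _exe(anchor) != "cmd.exe":
            anchor = by_pid.get(anchor["ppid"])  # walk up until a cmd.exe or the tree root
        hits[(anchor or ev)["pid"]] |= fired
    return {pid: {"hits": h, "chain": len(h) >= CHAIN_THRESHOLD} for pid, h in hits.items()}


if __name__ == "__main__":
    for pid, verdict in evaluate(SAMPLE_EVENTS).items():
        print(pid, "CHAIN" if verdict["chain"] else "partial", sorted(verdict["hits"]))
```

On the events from this report all six rules fire under cmd.exe PID 3288. A plain `tasklist | findstr notepad` under an administrator's cmd.exe triggers nothing, because the security-product rule keys on the product names rather than on the tasklist/findstr pairing alone; the threshold exists so that a single stage (an extrac32 of an odd file name, say) is reported but not escalated.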

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | xYhtGSeCXsXyYKGRHYLbKMCrcL.xYhtGSeCXsXyYKGRHYLbKMCrcL | udp
US | 104.71.182.190:443 | steamcommunity.com | tcp
US | 104.71.182.190:443 | steamcommunity.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\Entitled.dot

MD5 1d4e02a00655816925b5242ccd3d027d
SHA1 ccf060157f77aa8e870e21ab2d82215064c4a135
SHA256 85fbc188e297280432f6f505267bfe210cf395ad8b8f0bd4a805a95b17ca6df7
SHA512 09a72a9eecd20b2b4bcce80f6a5b7464885f122d1f9949fe585e3ea5709f53cd218d9619b5d48f159af01e6644bd1c010b504ab1ad4db4247d34fdeb32327aa8

C:\Users\Admin\AppData\Local\Temp\Importantly.dot

MD5 9b80a0dc679e8c2a2c7eca051b52b94b
SHA1 35e0f7800be58aeb04a1ca6aef0bea9c226d8e3a
SHA256 510a71332bef204c7db600ebae5f6355607ed5befda8aa18373d298aa6296b67
SHA512 b769ece6eff85222bba3e041f396b7bbfc1f68b22b339b6c09521406b6966494337d37654ad69fa3c8d5f463578189f835c779fda46daf0b93fe69fe7bec11c9

C:\Users\Admin\AppData\Local\Temp\Operation

MD5 2fdf15b45ef59773a59f2df97d9387dd
SHA1 03f1645fa46746baf71e008c2c89110acdad1f8c
SHA256 7ca612ef72d566772188cdd64a33151be5e25dbc013ec17388ded2dcb42ca84b
SHA512 2a6c776e47e9ceb2a311410015e5cef2e5e974e03a84906f84ce3bf2c4db75f10fa4ad80d3a16295580b146bdaaef2be24687f8cea5b9e9d561f27606b0b9a10

C:\Users\Admin\AppData\Local\Temp\Hungarian

MD5 b770e75363da196ccfadcbd554311a85
SHA1 f8ad1a19cef5e58c1b97c6f5dbfd1d10981a8229
SHA256 ace7f310fe461a3f4ac6f842abc02c41afb4629181eb21f6dc1aee2057fbd513
SHA512 ac8548cbd5ed04bc709e90544b6964198fd91dc4eec918d4eb9c46b28b6c8433c950f8043a83b11ca41ce4e7a31808a4d424a4e0b407141f32f727905b6efc04

C:\Users\Admin\AppData\Local\Temp\Wet

MD5 7c4b83d506c2047c38ec34786559f9f4
SHA1 12f6430bbee8555fb006960be543e1705180bb23
SHA256 f1b3f6ef436d895705212891858c6f305cc4d15083683132ed3d65aefce4ed90
SHA512 f807a9edfa5e00b5fb1eb1aca47a85c7684748a7bad2e06f088eefa009c24a30a065b4812bc5aae8999bc200904b8b083689171c65904d7f135558f23560ed0f

C:\Users\Admin\AppData\Local\Temp\Monroe

MD5 f7c6cf32130ca0ece5fdf1680c9d5078
SHA1 07188325f55a2f78dad2a0b02e5a10dc25de6926
SHA256 7cf3e2a4796cfd510146c9359bd70e354a2a4f0b2f50930c131222186c515b55
SHA512 cbebf27184dcd23f9242a2345c5699e8be07e7c6e63a6c3f37965fb82c7f06922c6fb72da916697c2b09eb9bca91266d8fc8b8e526013ddc645639e6bf8cf02f

C:\Users\Admin\AppData\Local\Temp\Many

MD5 6de79cfe065be5669b9fc13eeab9817b
SHA1 36d7cfaa1c1a0e23e007fe9a68508aab20ccd9d9
SHA256 31d8eb0f61968f10e27d6b06035b51d88fb615e0e2fe4fad3255976696238428
SHA512 420bb25064888581fd2e0beff5a67165ed57c023f4c62031a3c0833b98d3a275f00fc4a7224e77b99dc076ebb57e15fa17aa3131144819d72028adc77cfcbe67

C:\Users\Admin\AppData\Local\Temp\Finish

MD5 5214eef8013a68c98aef0ea346b2bc14
SHA1 388e4d6f1a4da6ed54c448f9f6d88111bdc6e036
SHA256 461dd1f464e661218c345b16dc5a641cbaadcb91af6d80a687190cd0d52f803f
SHA512 0c4525fce592e90045e066e78fa74ab1a365a90c0c9c824482edf24929ddd8a59d6d8531b6ffdb99b1f17170c803121a016a6a4be41b40b0ee8a99406eaaec2f

C:\Users\Admin\AppData\Local\Temp\Parallel

MD5 8ed3aff005c1751b3c592f1111525669
SHA1 d28dd942674e3334e07d399b53cf54373afceeca
SHA256 0ac8c37abf0f0f18b7d06c0a5196bc41708ec513b36ea61cf67e70f9d126d855
SHA512 d101edf50862fc3308e4719ddd631532dccf7a51598da72a05e46e83effece454dc32ffa444f8a173a4d478b99c7589f2947d724d6c1af2925128e406473c105

C:\Users\Admin\AppData\Local\Temp\Sweden

MD5 3a9772059dae128c1d85e4ff5d798181
SHA1 6ffc0e3cae9ef7a5e5bd1e9b50f6e2d06da9c12c
SHA256 718898c453ee4232a62e7247d2e365ff963b48dcfb3511c03d036ca8682834e4
SHA512 f13c4c43056ff805d630b945bc6846d1ca8b764c296858ea31f3cdb4209255414925fff6a3fde6e07807742053f803b527c55774d735a13ea3bdb16a3739ac62

C:\Users\Admin\AppData\Local\Temp\Eventually

MD5 daa384bb26db91e041885d265dc53ef9
SHA1 46596c6103ae9180467e93ea84ef5ecca94f76c7
SHA256 a566caa435a45dd2b7fc6c99b0244314d77ea30e62cd791e94225ecbfb7b5b67
SHA512 b823da80880cd0cbf214191bf793cded30391396d5a08b1b24d615acfb392bea7bbd9d0fb4340695e2c508510d26f65363fa823a496d5d2b93b859e0b091836e

C:\Users\Admin\AppData\Local\Temp\Centers

MD5 47840f944f7019f520af43892891a443
SHA1 6fa211dbf633d025ba9ef2a49e81b83815343450
SHA256 ac87653d27bf3fdaa6340f7eed1f894871bc27f5417547adbcaea5c6c15d328f
SHA512 d04184afe607c8b8f573b6368fbb66e356336f3eae2983e79a5b05d942f233122a1cbee83c857422e2fc6b6cae1b085f4b1c9b8439afb04c1f000c24777b7aba

C:\Users\Admin\AppData\Local\Temp\Ratings

MD5 7c2cd501a08cf4257a7bd8e2f14aea4d
SHA1 15c52ca78d50d7978549fa2e1819f5512febc04f
SHA256 17f7046bf36ff156243a1b74e10e21a65bd6c4336921aaf9cf649b550b7f1547
SHA512 6147aff7abd381a1fa94fde5a77541458206ff38d63a6af7e4489ebb1ce33a34c0edde2476132885f830d84e837b68ef726b9959e0072c063022c2a3ffb1780f

C:\Users\Admin\AppData\Local\Temp\Orange

MD5 e14d6edd72de863fde8b8089c6bfcab6
SHA1 cd5147f4968cc166d1bdb2ff6355e6493bc410af
SHA256 2d331231316452fb8a9aa81bfd1c94de5922dc7a4bcf4468d9784877671a2adc
SHA512 b70f9f087f8001c845df596490d7a91b02902bd0c6bc18e7c636f52942da094ba9f02c7e57b9399ce74c9167204747ea67494fa9abba5ca708ee3b600826b48e

C:\Users\Admin\AppData\Local\Temp\Anytime.dot

MD5 828b31c554ffafc6a3aa5d8d07c5120b
SHA1 2c381442f05d082b4a55eb67088d89ffe14473a5
SHA256 3a13f040064fb52fe07a62ccf1f863d852d908d58b6b02167f565e68a5f91837
SHA512 f10c8b35357d240ada8f3f05000b7341ffa660e929f9fca4b2c6afcb89aeedb74a69438bde35754322fe14f625409229c8caa624b5ef8febf51bf6ac3a2a3691

C:\Users\Admin\AppData\Local\Temp\Turning.dot

MD5 c27e01a7a3d0062890583b330d8b8280
SHA1 5fdb3acaf5e478d55cc8c44faf19b37234aa6698
SHA256 222a85f880cac9de2d6b8895acb05aa2dbee29e7986c471223ba6b62a0bd8614
SHA512 7860975e2b61260363f2f13cda357ba03f34320cd8803181b2012c12a6fbe836a073fb32eefbe0a4777baad7f20d0105d1b49c5968c49a37634dd37d5b90ea17

C:\Users\Admin\AppData\Local\Temp\Color.dot

MD5 d86cce1201dba1d880a23e21b0e0294e
SHA1 5f5a05a0a06774ad6ac99411e848991bd29631bb
SHA256 c6eee1cae85e9fc7d4604b2b8fc30f117fe79176a1048ae08f7d390efb62c1ed
SHA512 0296259fc2b53fcfae380288cca10a01f21bcd794e0570e8d9fd1145614a1f7d8efeda6bac3dcc1ad593c834cf159e9f44a4da94934d2a225532f36fce26609f

C:\Users\Admin\AppData\Local\Temp\Attitude.dot

MD5 63da6ebb69ec97a1c5cbc175935e74f5
SHA1 cc5a440ad643073cc8fccdd9c95c243323033444
SHA256 d2bed4576ba8aacfa88d79c65e4c0b015c59ada2b1a76d8fcc2fcfaba27ea7c7
SHA512 370a0c44a8a02461420173f5356965ad7c811c9c30f7dd0b0a10645c1d628eae25011218aeeae2df50eb2c01e1eae1dc993f1b3be5c421822f8bf21c8611bd4f

C:\Users\Admin\AppData\Local\Temp\Richardson.dot

MD5 59b53c75aa34be7e47c81e4a2a14b077
SHA1 3b7ded22e4354a2b1bc13798899f2036508c3236
SHA256 bdc480c7eed5371b031679313f387c38917d9e71ad73c46f2c5b174ccf43cb8a
SHA512 9c9caeebea0d97653635bbd5fb5338f3f61b6b579afafd109ddd2e8f64e261d0de20d8bbb04843a01794cdf29a288780886b5fb2ad33952f403b7c82100fdc66

C:\Users\Admin\AppData\Local\Temp\Submitting.dot

MD5 5754a2f4323b175d5432eac0bb81f2ca
SHA1 92f37a04cfc07ef1e20bda3d5cc33011766dbeb5
SHA256 8ffcdab3021da520c02211fa2df6a480718618f1600abb5e9a430d3e90150fbe
SHA512 f0c04b0ec63b420fa183ac65e7f5c48beb0daacd114076956aabb78ec05796e4c7685d0c4b6851a80fe9cb46edd2ca753b8913928c2a34745b445dc618a6fe28

C:\Users\Admin\AppData\Local\Temp\Consequences.dot

MD5 a77ee830abc2608cc2b16d97d8d62322
SHA1 631a98da3cf8433d24b5c7e0f220f2613d3d955a
SHA256 28140a1897426ea43491b719d3fa3d3567739b0dfac5a9ee15dabbff9aaa6f65
SHA512 b6fd9f2baa689190701a9a95602d8c82bc0d3956a6bfd8902dbdc5a19cc3655b3d3ec65a5f97000f84d3223ffce4c683417370ed472de54a6eefff1cec58ac31

C:\Users\Admin\AppData\Local\Temp\Pleased.dot

MD5 e6ad99f9219779111b4f1b35cee18430
SHA1 4beb43bfa99ae71388f74fcde1da0e07f4f9f6ce
SHA256 3c66570a3d37aaede803c327d01bdd03880ecfd0eef847d645248c642ec2226e
SHA512 b1345dd106c614ecdfd67a4a6c085ed33eb7562a0226504f4605dbeeaa9c9892b0f0fc31265911df435d8cc3c56711a9dc45925ff095709a8a9bc4de9a03102d

C:\Users\Admin\AppData\Local\Temp\479390\Super.com

MD5 62d09f076e6e0240548c2f837536a46a
SHA1 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

C:\Users\Admin\AppData\Local\Temp\479390\C

MD5 58b12ad622c122c1e76488df86a53582
SHA1 8033c0f09f6c4fac2d0af43b186c1a4a149262fb
SHA256 94815a1957251a5924efce89a640c9a4f854d762faad7da43da0d9b8badbfdcd
SHA512 8b3a09bce7eeafdf233b2e27bed34217708a88059a334fcea4c9c6208cf295beb614e4f129b42af3ef70d1fc465b411feaf628e3ab54f412b83d67b9c3d2e01c

memory/2108-257-0x0000000004A10000-0x0000000004A73000-memory.dmp

memory/2108-258-0x0000000004A10000-0x0000000004A73000-memory.dmp

memory/2108-259-0x0000000004A10000-0x0000000004A73000-memory.dmp

memory/2108-261-0x0000000004A10000-0x0000000004A73000-memory.dmp

memory/2108-260-0x0000000004A10000-0x0000000004A73000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-01 06:37

Reported

2025-07-01 06:40

Platform

win11-20250619-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Anytime.dot" /o ""

Signatures

Checks processor information in registry

These three signatures fire on WINWORD.EXE itself and recur identically in every Word run below; they are Office start-up behaviour, not actions of the opened .dot file.

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Anytime.dot" /o ""

Network

Country | Destination | Domain | Proto
US | 52.109.8.36:443 | roaming.officeapps.live.com | tcp
US | 52.111.227.11:443 | | tcp

Files

memory/980-0-0x00007FFB201B0000-0x00007FFB201C0000-memory.dmp

memory/980-3-0x00007FFB601C4000-0x00007FFB601C5000-memory.dmp

memory/980-4-0x00007FFB201B0000-0x00007FFB201C0000-memory.dmp

memory/980-2-0x00007FFB201B0000-0x00007FFB201C0000-memory.dmp

memory/980-1-0x00007FFB201B0000-0x00007FFB201C0000-memory.dmp

memory/980-6-0x00007FFB60120000-0x00007FFB60329000-memory.dmp

memory/980-7-0x00007FFB201B0000-0x00007FFB201C0000-memory.dmp

memory/980-5-0x00007FFB60120000-0x00007FFB60329000-memory.dmp

memory/980-8-0x00007FFB1D8A0000-0x00007FFB1D8B0000-memory.dmp

memory/980-9-0x00007FFB1D8A0000-0x00007FFB1D8B0000-memory.dmp

memory/980-12-0x00007FFB60120000-0x00007FFB60329000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2025-07-01 06:37

Reported

2025-07-01 06:40

Platform

win11-20250610-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Attitude.dot" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Attitude.dot" /o ""

Network

Country | Destination | Domain | Proto
US | 52.109.6.63:443 | roaming.officeapps.live.com | tcp

Files

memory/720-0-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

memory/720-1-0x00007FFB33DC4000-0x00007FFB33DC5000-memory.dmp

memory/720-3-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

memory/720-2-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

memory/720-4-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

memory/720-7-0x00007FFB33D20000-0x00007FFB33F29000-memory.dmp

memory/720-8-0x00007FFAF3DB0000-0x00007FFAF3DC0000-memory.dmp

memory/720-10-0x00007FFB33D20000-0x00007FFB33F29000-memory.dmp

memory/720-9-0x00007FFB33D20000-0x00007FFB33F29000-memory.dmp

memory/720-6-0x00007FFB33D20000-0x00007FFB33F29000-memory.dmp

memory/720-5-0x00007FFB33D20000-0x00007FFB33F29000-memory.dmp

memory/720-11-0x00007FFAF1A70000-0x00007FFAF1A80000-memory.dmp

memory/720-12-0x00007FFAF1A70000-0x00007FFAF1A80000-memory.dmp

memory/720-15-0x00007FFB33DC4000-0x00007FFB33DC5000-memory.dmp

memory/720-16-0x00007FFB33D20000-0x00007FFB33F29000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2025-07-01 06:37

Reported

2025-07-01 06:37

Platform

win11-20250619-en

Max time kernel

10s

Max time network

12s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Consequences.dot" /o ""

Signatures

(none recorded; the run ended after 10s)

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Consequences.dot" /o ""

Network

(none recorded)

Files

memory/3180-0-0x00007FFE4B530000-0x00007FFE4B540000-memory.dmp

memory/3180-3-0x00007FFE4B530000-0x00007FFE4B540000-memory.dmp

memory/3180-4-0x00007FFE4B530000-0x00007FFE4B540000-memory.dmp

memory/3180-2-0x00007FFE4B530000-0x00007FFE4B540000-memory.dmp

memory/3180-1-0x00007FFE8B544000-0x00007FFE8B545000-memory.dmp

memory/3180-6-0x00007FFE8B4A0000-0x00007FFE8B6A9000-memory.dmp

memory/3180-8-0x00007FFE8B4A0000-0x00007FFE8B6A9000-memory.dmp

memory/3180-7-0x00007FFE4B530000-0x00007FFE4B540000-memory.dmp

memory/3180-5-0x00007FFE8B4A0000-0x00007FFE8B6A9000-memory.dmp

memory/3180-9-0x00007FFE49290000-0x00007FFE492A0000-memory.dmp

memory/3180-10-0x00007FFE49290000-0x00007FFE492A0000-memory.dmp

memory/3180-18-0x00007FFE8B4A0000-0x00007FFE8B6A9000-memory.dmp

memory/3180-17-0x00007FFE8B544000-0x00007FFE8B545000-memory.dmp

memory/3180-20-0x00007FFE8B4A0000-0x00007FFE8B6A9000-memory.dmp

memory/3180-19-0x00007FFE8B4A0000-0x00007FFE8B6A9000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2025-07-01 06:37

Reported

2025-07-01 06:40

Platform

win11-20250619-en

Max time kernel

127s

Max time network

144s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Entitled.dot" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Entitled.dot" /o ""

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | metadata.templates.cdn.office.net | udp
US | 52.109.6.63:443 | roaming.officeapps.live.com | tcp
US | 23.33.42.71:443 | metadata.templates.cdn.office.net | tcp
US | 23.33.42.76:443 | metadata.templates.cdn.office.net | tcp

Files

memory/4232-0-0x00007FFDDCC90000-0x00007FFDDCCA0000-memory.dmp

memory/4232-3-0x00007FFE1CCA4000-0x00007FFE1CCA5000-memory.dmp

memory/4232-4-0x00007FFDDCC90000-0x00007FFDDCCA0000-memory.dmp

memory/4232-2-0x00007FFDDCC90000-0x00007FFDDCCA0000-memory.dmp

memory/4232-1-0x00007FFDDCC90000-0x00007FFDDCCA0000-memory.dmp

memory/4232-5-0x00007FFE1CC00000-0x00007FFE1CE09000-memory.dmp

memory/4232-7-0x00007FFDDCC90000-0x00007FFDDCCA0000-memory.dmp

memory/4232-6-0x00007FFE1CC00000-0x00007FFE1CE09000-memory.dmp

memory/4232-8-0x00007FFE1CC00000-0x00007FFE1CE09000-memory.dmp

memory/4232-9-0x00007FFDDA190000-0x00007FFDDA1A0000-memory.dmp

memory/4232-10-0x00007FFDDA190000-0x00007FFDDA1A0000-memory.dmp

memory/4232-13-0x00007FFE1CC00000-0x00007FFE1CE09000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

MD5 7b1125cff1810b15d0601b524017938a
SHA1 ee1b87bbeffb3e74636ee642f79575807f33d3e4
SHA256 3faceddc81215ba0d22e3b7a4f6786a1198e43cd745f5e7fb25bb875f8bc7f05
SHA512 cd924afb1ea8097c9ac39811848a56957c7cdf4c61ae0d80dc91251dcfb506f5f38249c24d06316fe9c458e8ded67956c0f1813a6a84010857c40ec21e0ce608

memory/4232-39-0x00007FFDDCC90000-0x00007FFDDCCA0000-memory.dmp

memory/4232-43-0x00007FFE1CC00000-0x00007FFE1CE09000-memory.dmp

memory/4232-42-0x00007FFE1CC00000-0x00007FFE1CE09000-memory.dmp

memory/4232-41-0x00007FFDDCC90000-0x00007FFDDCCA0000-memory.dmp

memory/4232-40-0x00007FFDDCC90000-0x00007FFDDCCA0000-memory.dmp

memory/4232-38-0x00007FFDDCC90000-0x00007FFDDCCA0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2025-07-01 06:37

Reported

2025-07-01 06:40

Platform

win11-20250619-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Submitting.dot" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Submitting.dot" /o ""

Network

Country | Destination | Domain | Proto
US | 52.109.8.36:443 | roaming.officeapps.live.com | tcp

Files

memory/828-0-0x00007FF9911F0000-0x00007FF991200000-memory.dmp

memory/828-1-0x00007FF9911F0000-0x00007FF991200000-memory.dmp

memory/828-2-0x00007FF9911F0000-0x00007FF991200000-memory.dmp

memory/828-3-0x00007FF9D1204000-0x00007FF9D1205000-memory.dmp

memory/828-6-0x00007FF9D1160000-0x00007FF9D1369000-memory.dmp

memory/828-5-0x00007FF9D1160000-0x00007FF9D1369000-memory.dmp

memory/828-4-0x00007FF9911F0000-0x00007FF991200000-memory.dmp

memory/828-7-0x00007FF9911F0000-0x00007FF991200000-memory.dmp

memory/828-8-0x00007FF9D1160000-0x00007FF9D1369000-memory.dmp

memory/828-9-0x00007FF9D1160000-0x00007FF9D1369000-memory.dmp

memory/828-10-0x00007FF98E770000-0x00007FF98E780000-memory.dmp

memory/828-11-0x00007FF98E770000-0x00007FF98E780000-memory.dmp

memory/828-14-0x00007FF9D1160000-0x00007FF9D1369000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2025-07-01 06:37

Reported

2025-07-01 06:40

Platform

win11-20250610-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Turning.dot" /o ""

Signatures

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A
N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Turning.dot" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 52.109.6.63:443 roaming.officeapps.live.com tcp

Files

memory/5656-1-0x00007FF92FFB0000-0x00007FF92FFC0000-memory.dmp

memory/5656-0-0x00007FF92FFB0000-0x00007FF92FFC0000-memory.dmp

memory/5656-3-0x00007FF96FFC4000-0x00007FF96FFC5000-memory.dmp

memory/5656-4-0x00007FF92FFB0000-0x00007FF92FFC0000-memory.dmp

memory/5656-2-0x00007FF92FFB0000-0x00007FF92FFC0000-memory.dmp

memory/5656-10-0x00007FF96FF20000-0x00007FF970129000-memory.dmp

memory/5656-9-0x00007FF96FF20000-0x00007FF970129000-memory.dmp

memory/5656-11-0x00007FF96FF20000-0x00007FF970129000-memory.dmp

memory/5656-8-0x00007FF96FF20000-0x00007FF970129000-memory.dmp

memory/5656-7-0x00007FF96FF20000-0x00007FF970129000-memory.dmp

memory/5656-6-0x00007FF92FFB0000-0x00007FF92FFC0000-memory.dmp

memory/5656-5-0x00007FF96FF20000-0x00007FF970129000-memory.dmp

memory/5656-12-0x00007FF92D710000-0x00007FF92D720000-memory.dmp

memory/5656-13-0x00007FF92D710000-0x00007FF92D720000-memory.dmp

memory/5656-16-0x00007FF96FF20000-0x00007FF970129000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2025-07-01 06:37

Reported

2025-07-01 06:40

Platform

win11-20250610-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Color.dot" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Color.dot" /o ""

Network

Country Destination Domain Proto
US 52.109.6.63:443 roaming.officeapps.live.com tcp

Files

memory/4364-0-0x00007FF855570000-0x00007FF855580000-memory.dmp

memory/4364-2-0x00007FF855570000-0x00007FF855580000-memory.dmp

memory/4364-4-0x00007FF855570000-0x00007FF855580000-memory.dmp

memory/4364-3-0x00007FF895584000-0x00007FF895585000-memory.dmp

memory/4364-1-0x00007FF855570000-0x00007FF855580000-memory.dmp

memory/4364-7-0x00007FF8954E0000-0x00007FF8956E9000-memory.dmp

memory/4364-9-0x00007FF8954E0000-0x00007FF8956E9000-memory.dmp

memory/4364-8-0x00007FF8954E0000-0x00007FF8956E9000-memory.dmp

memory/4364-11-0x00007FF8954E0000-0x00007FF8956E9000-memory.dmp

memory/4364-10-0x00007FF8954E0000-0x00007FF8956E9000-memory.dmp

memory/4364-6-0x00007FF8954E0000-0x00007FF8956E9000-memory.dmp

memory/4364-5-0x00007FF855570000-0x00007FF855580000-memory.dmp

memory/4364-12-0x00007FF8532D0000-0x00007FF8532E0000-memory.dmp

memory/4364-13-0x00007FF8532D0000-0x00007FF8532E0000-memory.dmp

memory/4364-16-0x00007FF8954E0000-0x00007FF8956E9000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2025-07-01 06:37

Reported

2025-07-01 06:40

Platform

win11-20250610-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Pleased.dot" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Pleased.dot" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
US 52.109.6.63:443 roaming.officeapps.live.com tcp

Files

memory/1912-0-0x00007FFADB470000-0x00007FFADB480000-memory.dmp

memory/1912-1-0x00007FFB1B484000-0x00007FFB1B485000-memory.dmp

memory/1912-3-0x00007FFADB470000-0x00007FFADB480000-memory.dmp

memory/1912-2-0x00007FFADB470000-0x00007FFADB480000-memory.dmp

memory/1912-4-0x00007FFADB470000-0x00007FFADB480000-memory.dmp

memory/1912-6-0x00007FFB1B3E0000-0x00007FFB1B5E9000-memory.dmp

memory/1912-5-0x00007FFB1B3E0000-0x00007FFB1B5E9000-memory.dmp

memory/1912-7-0x00007FFADB470000-0x00007FFADB480000-memory.dmp

memory/1912-8-0x00007FFAD8F20000-0x00007FFAD8F30000-memory.dmp

memory/1912-9-0x00007FFAD8F20000-0x00007FFAD8F30000-memory.dmp

memory/1912-12-0x00007FFB1B484000-0x00007FFB1B485000-memory.dmp

memory/1912-13-0x00007FFB1B3E0000-0x00007FFB1B5E9000-memory.dmp

memory/1912-14-0x00007FFB1B3E0000-0x00007FFB1B5E9000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2025-07-01 06:37

Reported

2025-07-01 06:40

Platform

win11-20250619-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Richardson.dot" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\$TEMP\Richardson.dot" /o ""

Network

Country Destination Domain Proto
US 52.109.8.36:443 roaming.officeapps.live.com tcp

Files

memory/5936-3-0x00007FFC5B6E4000-0x00007FFC5B6E5000-memory.dmp

memory/5936-2-0x00007FFC1B6D0000-0x00007FFC1B6E0000-memory.dmp

memory/5936-1-0x00007FFC1B6D0000-0x00007FFC1B6E0000-memory.dmp

memory/5936-0-0x00007FFC1B6D0000-0x00007FFC1B6E0000-memory.dmp

memory/5936-6-0x00007FFC5B640000-0x00007FFC5B849000-memory.dmp

memory/5936-5-0x00007FFC5B640000-0x00007FFC5B849000-memory.dmp

memory/5936-7-0x00007FFC1B6D0000-0x00007FFC1B6E0000-memory.dmp

memory/5936-4-0x00007FFC1B6D0000-0x00007FFC1B6E0000-memory.dmp

memory/5936-8-0x00007FFC19310000-0x00007FFC19320000-memory.dmp

memory/5936-9-0x00007FFC19310000-0x00007FFC19320000-memory.dmp

memory/5936-12-0x00007FFC5B640000-0x00007FFC5B849000-memory.dmp
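
Across behavioral4, behavioral7, behavioral8 and behavioral10 the only process is WINWORD.EXE opening a .dot template from $TEMP, every signature row is Word reading the CentralProcessor and BIOS description keys or registering a clipboard-format listener, and the only network contact is roaming.officeapps.live.com, a Microsoft Office service endpoint. None of that is stealer activity on its own; the Lumma verdict rests on the other runs. What a triage reader still wants from these four runs is a compact view of the repeated memory dumps and of which process touched the hardware-description keys. The parser below is an added example, not part of the report or the sandbox's tooling: it decodes the report's dump names (pid-index-start-end), collapses repeated dumps of the same region and computes region sizes, and turns the flattened "Description Indicator Process Target" rows into records, normalising the report's mixed-case registry paths (Hardware\Description vs HARDWARE\DESCRIPTION) before matching. The sample inputs are constructed from the behavioral10 rows above; the FINGERPRINT_KEYS list and the summarize() output shape are the example's own assumptions.

```python
import re

# Constructed sample input, copied in the report's own layout from the behavioral10 run
# (WINWORD.EXE, PID 5656). A dump name encodes <pid>-<index>-<start>-<end>.
SAMPLE_FILES = """
memory/5656-1-0x00007FF92FFB0000-0x00007FF92FFC0000-memory.dmp
memory/5656-0-0x00007FF92FFB0000-0x00007FF92FFC0000-memory.dmp
memory/5656-3-0x00007FF96FFC4000-0x00007FF96FFC5000-memory.dmp
memory/5656-10-0x00007FF96FF20000-0x00007FF970129000-memory.dmp
memory/5656-9-0x00007FF96FF20000-0x00007FF970129000-memory.dmp
memory/5656-12-0x00007FF92D710000-0x00007FF92D720000-memory.dmp
"""

# Constructed sample: signature rows in the report's "Description Indicator Process Target" layout.
SAMPLE_SIGNATURE_ROWS = r"""
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Description is a fixed phrase, the registry path never contains spaces, the process path
# may (Program Files), and the last token is the Target column.
ROW_RE = re.compile(r"^(Key value queried|Key opened)\s+(\S+)\s+(.+?)\s+(\S+)$")

# Assumed key fragments (upper-cased) that count as hardware fingerprinting reads.
FINGERPRINT_KEYS = (
    "\\HARDWARE\\DESCRIPTION\\SYSTEM\\CENTRALPROCESSOR\\",
    "\\HARDWARE\\DESCRIPTION\\SYSTEM\\BIOS",
)


def parse_dumps(text):
    """Return (pid, index, start, end) tuples for every memory dump name in the Files list."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump name: {line}")
        pid, idx, start, end = m.groups()
        records.append((int(pid), int(idx), int(start, 16), int(end, 16)))
    return records


def distinct_regions(text):
    """Collapse repeated dumps of one region: {(pid, start, end): {"size": bytes, "indexes": [...]}}."""
    regions = {}
    for pid, idx, start, end in parse_dumps(text):
        entry = regions.setdefault((pid, start, end), {"size": end - start, "indexes": []})
        entry["indexes"].append(idx)
    for entry in regions.values():
        entry["indexes"].sort()
    return regions


def parse_signature_rows(text):
    """Turn flattened registry signature rows into dicts with the report's four columns."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised signature row: {line}")
        desc, indicator, process, target = m.groups()
        rows.append({"description": desc, "indicator": indicator,
                     "process": process, "target": target})
    return rows


def fingerprint_reads(rows):
    """Set of (process basename, upper-cased registry path) pairs touching CPU/BIOS description keys."""
    hits = set()
    for r in rows:
        path = r["indicator"].upper()
        if any(k in path for k in FINGERPRINT_KEYS):
            hits.add((r["process"].rsplit("\\", 1)[-1], path))
    return hits


def summarize(files_text, rows_text):
    """One-line triage view of a run: distinct dumped regions, largest region, fingerprinting processes."""
    regions = distinct_regions(files_text)
    hits = fingerprint_reads(parse_signature_rows(rows_text))
    return {
        "distinct_regions": len(regions),
        "largest_region_bytes": max(e["size"] for e in regions.values()),
        "fingerprinting_processes": sorted({p for p, _ in hits}),
    }


if __name__ == "__main__":
    for (pid, start, end), e in sorted(distinct_regions(SAMPLE_FILES).items()):
        print(f"pid {pid} 0x{start:016X}-0x{end:016X} size 0x{e['size']:X} dumps {e['indexes']}")
    print(summarize(SAMPLE_FILES, SAMPLE_SIGNATURE_ROWS))
```

Run against a whole run's Files list, distinct_regions() shows that the report's dozen-plus dump files for PID 5656 cover only a handful of regions dumped repeatedly (the 0x209000-byte region alone appears seven times in behavioral10), which is the thing to open first in a disassembler rather than every file in turn; fingerprint_reads() is useful mainly as a diff between runs, since a CPU/BIOS read from WINWORD.EXE carries no weight while the same read from a dropped executable would.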