
Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 485344
Start time: 11:45:38
Joe Sandbox Product: Cloud
Start date: 20.01.2018
Overall analysis duration: 0h 13m 22s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: turla.exe
Cookbook file name: default.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection: MAL
Classification: mal100.evad.spre.spyw.troj.winEXE@68/23@0/0
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 24
  • Number of non-executed functions: 0
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): WmiPrvSE.exe, conhost.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: turla.exe


Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior.



Signature Overview



Networking:

Urls found in memory or binary data
Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\System32\NETSTAT.EXE netstat -nao

Stealing of Sensitive Information:

Gathers information about group policies (GPO)
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\gpresult.exe gpresult /z
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\gpresult.exe gpresult /z
Gathers information about network shares
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Gathers network related connection and port information
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\NETSTAT.EXE netstat -nao
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\NETSTAT.EXE netstat -nao
Gathers system information via systeminfo
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Detected KopiLuwak backdoor (related to Turla APT)
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: unknown | Process created: C:\Windows\System32\ipconfig.exe ipconfig /all

Data Obfuscation:

Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 7.85051717396

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ProgID
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_USERS\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Performs a network lookup / discovery via ARP
Source: unknown | Process created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\ARP.EXE arp -a
Performs a network lookup / discovery via net view
Source: unknown | Process created: C:\Windows\System32\net.exe net view
Source: unknown | Process created: C:\Windows\System32\net.exe net view /domain
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\net.exe net view /domain

System Summary:

Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
PE file contains a COM descriptor data directory
Source: turla.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Uses new MSVCR Dlls
Source: C:\Users\user\Desktop\turla.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: turla.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
PE file contains a debug data directory
Source: turla.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Binary contains paths to debug symbols
Source: Binary string: wscript.pdb | source: wscript.exe
Source: Binary string: c:\LocalDisc_D\MyProjects\Runer\Runer\obj\Release\Runer.pdb | source: turla.exe
Source: Binary string: wscript.pdbN | source: wscript.exe
Binary contains device paths (device paths are often used for kernel mode <-> user mode communication)
Source: ~~.tmp.7.dr | Binary string: Host Name: computer; OS Name: Microsoft Windows 7 Professional; OS Version: 6.1.7601 Service Pack 1 Build 7601; OS Manufacturer: Microsoft Corporation; OS Configuration: Standalone Workstation; OS Build Type: Multiprocessor Free; Registered Owner: admin; Registered Organization: ; Product ID: 00371-OEM-9309885-30338; Original Install Date: 1/1/1601, 12:00:00 AM; System Boot Time: 1/20/2018, 11:43:54 AM; System Manufacturer: wrnyzkm GmbH; System Model: tudzbdapnk; System Type: X86-based PC; Processor(s): 1 Processor(s) Installed. [01]: x64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz; BIOS Version: wrnyzkm GmbH tudzbdapnk, 12/1/2006; Windows Directory: C:\Windows; System Directory: C:\Windows\system32; Boot Device: \Device\HarddiskVolume1; System Locale: en
Classification label
Source: classification engine | Classification label: mal100.evad.spre.spyw.troj.winEXE@68/23@0/0
Creates files inside the user directory
Source: C:\Users\user\Desktop\turla.exe | File created: C:\Users\user\AppData\Roaming\Scr.js
Creates temporary files
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | File created: C:\Users\user\AppData\Local\Temp\acrord32_sbx\FAP25AA.tmp
Found command line output
PE file has an executable .text section and no other executable section
Source: turla.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\turla.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
Source: C:\Users\user\Desktop\turla.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecMethod - \\computer\root\cimv2:Win32_Process.Handle="4"::GetOwner
Reads ini files
Source: C:\Users\user\Desktop\turla.exeFile read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\turla.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknownProcess created: C:\Users\user\Desktop\turla.exe 'C:\Users\user\Desktop\turla.exe'
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js'
Source: unknownProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Source: unknownProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3412.0.1190326145 --type=renderer 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknownProcess created: C:\Windows\System32\systeminfo.exe systeminfo
Source: unknownProcess created: C:\Windows\System32\taskeng.exe taskeng.exe {1CB75A7D-1803-47C7-91DA-EA5266AAF4C1} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknownProcess created: C:\Windows\System32\net.exe net view
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknownProcess created: C:\Windows\System32\net.exe net view /domain
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknownProcess created: C:\Windows\System32\tasklist.exe tasklist /v
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknownProcess created: C:\Windows\System32\gpresult.exe gpresult /z
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknownProcess created: C:\Windows\System32\NETSTAT.EXE netstat -nao
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknownProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknownProcess created: C:\Windows\System32\ARP.EXE arp -a
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: unknownProcess created: C:\Windows\System32\net.exe net share
Source: unknownProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Users\user\Desktop\turla.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js'
Source: C:\Users\user\Desktop\turla.exeProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: unknown unknown
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3412.0.1190326145 --type=renderer 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG
Source: C:\Windows\System32\taskeng.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net view /domain
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\gpresult.exe gpresult /z
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\NETSTAT.EXE netstat -nao
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net share
Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\turla.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Uses systeminfo.exe to query system information
Source: unknownProcess created: C:\Windows\System32\systeminfo.exe systeminfo
Uses tasklist.exe to query information about running processes
Source: unknownProcess created: C:\Windows\System32\tasklist.exe tasklist /v
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: turla.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Contains functionality to call native functions
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_00712A10 NtOpenKey,4_2_00712A10
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_007129D0 NtCreateKey,4_2_007129D0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_00712AD0 NtCreateMutant,4_2_00712AD0
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_00712B90 NtDeleteValueKey,4_2_00712B90
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_00712B10 NtCreateSection,4_2_00712B10
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_00712E90 NtMapViewOfSection,4_2_00712E90
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_00712850 NtOpenFile,4_2_00712850
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_00712890 NtQueryAttributesFile,4_2_00712890
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_00712B50 NtOpenSection,4_2_00712B50
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_00712A50 NtOpenKeyEx,4_2_00712A50
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_00712800 NtCreateFile,4_2_00712800
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeCode function: 4_2_00712910 NtSetInformationFile,4_2_00712910
Creates mutexes
Source: C:\Windows\System32\gpresult.exeMutant created: \Sessions\1\BaseNamedObjects\Global\RsopCreateSessionMutex_computer_user
Source: C:\Users\user\Desktop\turla.exeMutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Sample file name differs from the original file name gathered from version info
Source: turla.exeBinary or memory string: OriginalFilenameRuner.exe, vs turla.exe
Source: turla.exeBinary or memory string: OriginalFilenamemscorwks.dllT vs turla.exe
Source: turla.exeBinary or memory string: System.OriginalFileName vs turla.exe
Source: turla.exeBinary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs turla.exe
Source: turla.exeBinary or memory string: originalfilename vs turla.exe
Source: turla.exeBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs turla.exe
.NET source code contains very large array initializations
Source: turla.exe, Program.csLarge array initialization: Main: array initializer size 22458
Source: turla.exe, Program.csLarge array initialization: Main: array initializer size 369804
Suspicious JavaScript / Visual Basic script found (invalid extension)
Source: unknownProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js'
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG
Source: C:\Users\user\Desktop\turla.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js'
Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: AcroRd32.exe, taskeng.exeBinary or memory string: Shell_TrayWnd
Source: AcroRd32.exe, taskeng.exeBinary or memory string: Progman
Source: AcroRd32.exe, taskeng.exeBinary or memory string: Program Manager
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\turla.exeProcess created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js'
Source: C:\Users\user\Desktop\turla.exeProcess created: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Source: C:\Windows\System32\wscript.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\taskeng.exeProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG
Source: C:\Windows\System32\taskeng.exeProcess created: unknown unknown
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net view /domain
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /v
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\gpresult.exe gpresult /z
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\NETSTAT.EXE netstat -nao
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\ARP.EXE arp -a
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\net.exe net share
Source: C:\Windows\System32\net.exeProcess created: C:\Windows\System32\net1.exe C:\Windows\system32\net1 share
Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\turla.exeMemory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\wscript.exeSystem information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
Source: C:\Windows\System32\NETSTAT.EXEProcess token adjusted: Debug

Malware Analysis System Evasion:

Queries a list of all running processes
Source: C:\Windows\System32\tasklist.exeProcess information queried: ProcessInformation
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\turla.exeThread delayed: delay time: 922337203685477
Found WSH timer for JavaScript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\turla.exe TID: 3368Thread sleep time: -922337203685477s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 3484Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\systeminfo.exe TID: 3604Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\systeminfo.exe TID: 3604Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 3952Thread sleep time: -180000s >= -60000s
Source: C:\Windows\System32\wscript.exe TID: 3952Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 4076Thread sleep time: -180000s >= -60000s
Source: C:\Windows\System32\tasklist.exe TID: 4076Thread sleep time: -60000s >= -60000s
Source: C:\Windows\System32\gpresult.exe TID: 2216Thread sleep count: 34 > 30
Source: C:\Windows\System32\gpresult.exe TID: 2216Thread sleep time: -2040000s >= -60000s
Source: C:\Windows\System32\ipconfig.exe TID: 2512Thread sleep time: -120000s >= -60000s
Source: C:\Windows\System32\ipconfig.exe TID: 2512Thread sleep time: -60000s >= -60000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_BIOS
Queries sensitive operating system information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_ComputerSystem
Source: C:\Windows\System32\gpresult.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_ComputerSystem
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapter

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\turla.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskeng.exeProcess information set: NOOPENFILEERRORBOX

Lowering of HIPS / PFW / Operating System Security Settings:

Modifies the internet feature controls of Internet Explorer
Source: C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe | Registry value created: HKEY_USERS\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\turla.exe | Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation
Source: C:\Users\user\Desktop\turla.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation

Behavior Graph

[Behavior graph image: ID 485344, sample turla.exe, start date 20/01/2018, architecture WINDOWS, score 100. The legend distinguishes process, signature, created-file and DNS/IP nodes, marks dropped files, Windows processes and malicious nodes, shows the number of created registry values and files, and colours processes by language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other).]

Signatures attached to graph nodes:
  • Sample node: Detected KopiLuwak backdoor (related to Turla APT); .NET source code contains very large array initializations; Uses netstat to query active network connections and open ports; 8 other signatures
  • turla.exe: Suspicious javascript / visual basic script found (invalid extension)
  • wscript.exe (Scr.js): Detected KopiLuwak backdoor (related to Turla APT); Gathers information about group policies (GPO); Gathers network related connection and port information; 2 other signatures
  • cmd.exe (parent of gpresult.exe): Gathers information about group policies (GPO)
  • cmd.exe (parent of net.exe): Performs a network lookup / discovery via net view
  • 7 other processes started by wscript.exe: Gathers network related connection and port information; Performs a network lookup / discovery via ARP
  • systeminfo.exe: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Process tree shown on the graph: turla.exe starts wscript.exe and AcroRd32.exe (which starts a renderer AcroRd32.exe); taskeng.exe starts a second wscript.exe; the first wscript.exe starts three cmd.exe instances (running systeminfo.exe, gpresult.exe and net.exe) and 7 other processes, which in turn run net.exe (twice), tasklist.exe and 3 other processes; net.exe starts net1.exe.
Files dropped on the graph: C:\Users\user\AppData\Roaming\Scr.js (ASCII, by turla.exe); C:\Users\user\AppData\Roaming\...\~~.tmp (ASCII, by net1.exe).

Simulations

Behavior and APIs

Time | Type | Description
11:47:15 | API Interceptor | 5x Sleep call for process: wscript.exe modified from: 60000ms to: 5000ms
11:47:17 | Task Scheduler | Run new task: PolicyConverter path: appidpolicyconverter.js s>FileTypeXML gwVAj83JsiqTz5fG
11:54:01 | API Interceptor | 10x Sleep call for process: systeminfo.exe modified from: 60000ms to: 5000ms
11:54:01 | API Interceptor | 2x Sleep call for process: taskeng.exe modified from: 60000ms to: 5000ms
11:54:03 | API Interceptor | 951x Sleep call for process: AcroRd32.exe modified from: 60000ms to: 5000ms
11:54:15 | API Interceptor | 4x Sleep call for process: tasklist.exe modified from: 60000ms to: 5000ms
11:54:18 | API Interceptor | 34x Sleep call for process: gpresult.exe modified from: 60000ms to: 5000ms
11:54:26 | API Interceptor | 3x Sleep call for process: ipconfig.exe modified from: 60000ms to: 5000ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Startup

  • System is w7_1
  • turla.exe (PID: 3352 cmdline: 'C:\Users\user\Desktop\turla.exe' MD5: 7C378D78B7A89AEF27E8A3C5066B8511)
    • wscript.exe (PID: 3396 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js' MD5: 979D74799EA6C8B8167869A68DF5204A)
      • cmd.exe (PID: 3504 cmdline: 'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • systeminfo.exe (PID: 3540 cmdline: systeminfo MD5: 258B2ED54FC7F74E2FDCCE5861549C1A)
      • cmd.exe (PID: 3840 cmdline: 'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • net.exe (PID: 3904 cmdline: net view MD5: B9A4DAC2192FD78CDA097BFA79F6E7B2)
      • cmd.exe (PID: 3988 cmdline: 'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • net.exe (PID: 4012 cmdline: net view /domain MD5: B9A4DAC2192FD78CDA097BFA79F6E7B2)
      • cmd.exe (PID: 4028 cmdline: 'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • tasklist.exe (PID: 4056 cmdline: tasklist /v MD5: A9A00E71E3DD67B029FC904FE3BB61DA)
      • cmd.exe (PID: 4092 cmdline: 'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • gpresult.exe (PID: 2224 cmdline: gpresult /z MD5: E32AC8B1091F300A580DA58576934DD7)
      • cmd.exe (PID: 2452 cmdline: 'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • NETSTAT.EXE (PID: 2500 cmdline: netstat -nao MD5: 32297BB17E6EC700D0FC869F9ACAF561)
      • cmd.exe (PID: 2532 cmdline: 'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • ipconfig.exe (PID: 1412 cmdline: ipconfig /all MD5: CABB20E171770FF64614A54C1F31C033)
      • cmd.exe (PID: 2240 cmdline: 'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • ARP.EXE (PID: 2108 cmdline: arp -a MD5: ADC7AD3C261D2753CB7A2FE73A66C210)
      • cmd.exe (PID: 1088 cmdline: 'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp' MD5: AD7B9C14083B52BC532FBA5948342B98)
        • net.exe (PID: 2196 cmdline: net share MD5: B9A4DAC2192FD78CDA097BFA79F6E7B2)
          • net1.exe (PID: 2164 cmdline: C:\Windows\system32\net1 share MD5: 2041012726EF7C95ED51C15C56545A7F)
      • cmd.exe (PID: 2592 cmdline: 'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp' MD5: AD7B9C14083B52BC532FBA5948342B98)
    • AcroRd32.exe (PID: 3412 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf' MD5: 513659580A49DF6A85CDFD869895924A)
      • AcroRd32.exe (PID: 3472 cmdline: 'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3412.0.1190326145 --type=renderer 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf' MD5: 513659580A49DF6A85CDFD869895924A)
  • taskeng.exe (PID: 3576 cmdline: taskeng.exe {1CB75A7D-1803-47C7-91DA-EA5266AAF4C1} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1] MD5: 4F2659160AFCCA990305816946F69407)
    • wscript.exe (PID: 3636 cmdline: C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG MD5: 979D74799EA6C8B8167869A68DF5204A)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages
File Type:SQLite 3.x database
Size (bytes):197632
Entropy (8bit):5.563069174927297
Encrypted:false
MD5:A821D85099ACBE9A8451D6C37D5ADE89
SHA1:32D86BD75AAED017E895CEB1F1C857804591919D
SHA-256:AF2B0B9DAD78B3E7C69CF205185F28BAC9D4EA5BC2379A0591C264446C32945E
SHA-512:7229D15B443AD69EFEB7587F2BBB34DDAAC884EC8EAAE67A6E9CBEE676F5B1C42FCC9B7D352EF0F459319FC19CC362A7F7BAA8E0CD3EA37992DE7A6DFB2C1621
Malicious:false
Reputation:low
C:\Users\user\AppData\LocalLow\Adobe\Acrobat\11.0\ReaderMessages-journal
File Type:data
Size (bytes):228236
Entropy (8bit):4.925287853632984
Encrypted:false
MD5:96FF8AB93805BAFA71D2B11827FAFDBB
SHA1:76FA7283592005EB38E3EBDB60FDD66616F7D204
SHA-256:963F5C23E8357F357C6163B559231102A803CDCCD2995A618A48A1A2DE6F3B8C
SHA-512:EE5EDB4FCFBD46D061509CD6DA28E8E4F1CA8CC84C914C3DB7928FE084E09571D8EF64EF33DFF51707C2E14C65ACBFE8B6C3011AC0A49892B21FBE7DBC94F3B7
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Adobe\Acrobat\11.0\Cache\AdobeFnt14.lst.3472
File Type:PostScript document text
Size (bytes):8244
Entropy (8bit):5.161502934866559
Encrypted:false
MD5:F2CDFE655739BC4EED03AD6BCA23A2E7
SHA1:48EF62A7CD41CFC77F0C23117D41FF8B01D66474
SHA-256:33DE66BC03817D94F1CF0B8D45AA87E7A243CB78169623AB80345BC2D86E207B
SHA-512:A6298AB7BA54C5CC8EC15356349BCCF931F50284827B0132554B6033299B10A7C1CDF68556BE87ABB9CF27CC7DA5C0050675C51230BE7D197755AD9D4A8A1FD7
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Adobe\Acrobat\11.0\UserCache.bin
File Type:data
Size (bytes):224772
Entropy (8bit):6.203353481462018
Encrypted:false
MD5:82493E7FEB190D38B8E958FD79A0B1E7
SHA1:EE910E415820B396DAC46D680DCE3C61146D8A20
SHA-256:7AF6F91ADEE4750B94CF558D230F04B25BCAE3EC67992ECB635E8DBC6F9B757E
SHA-512:02ED983460165A563C5912C26555FA3E710C589AE6AECC82594664DA17B577EB7B5DF24BC11DA4F7414D2893CF62B9832684860E5E5C66CFFD4DD7FAF5952A91
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\acrord32_sbx\FAP25AA.tmp
File Type:ASCII text, with no line terminators
Size (bytes):4
Entropy (8bit):1.5
Encrypted:false
MD5:098F6BCD4621D373CADE4E832627B4F6
SHA1:A94A8FE5CCB19BA61C4C0873D391E987982FBBD3
SHA-256:9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08
SHA-512:EE26B0DD4AF7E749AA1A8EE3C10AE9923F618980772E473F8819A5D4940E0DB27AC185F8A0E1D5F84F88BC887FD67B143732C304CC5FA9AD8E6F57F50028A8FF
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\Annss.dat
File Type:data
Size (bytes):225
Entropy (8bit):6.893995816103472
Encrypted:false
MD5:1951F8593AC840C596FF8C14A1EFA3BC
SHA1:350CBECDCA4D20878E3B1D9F0640870EDDA3B0B8
SHA-256:7A99229735EF2C9F7901F2F8C169DE4B35E67A601729D008679D4778C2687130
SHA-512:547E483032D093ED32D2019416E1DB99F48A803608055D490A7EE444000A800EB5335364320505B9D1B2491C12D9C12C8C3264B75A604A40ADE42D00268390D8
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\Annssi.dat
File Type:data
Size (bytes):777
Entropy (8bit):7.727945731054558
Encrypted:false
MD5:5F4FB1051B979320FD0C7DE9BB51EBE9
SHA1:FA4C4E786ED582F644F202F3D2DB1323BC8B6812
SHA-256:A7DE8222918ABC45C07445F190525E9848ED1BF0C2DADE0CF6410469F1544AF7
SHA-512:21B69BBFCD7EC38EC0AB0EEC5384F383B0403A496DE8663C8EC128CF16B600FA6EA25391CEBD53FA951260556336B8361418545D5C7926980C05A55DD283EAD6
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\Annssk.dat
File Type:data
Size (bytes):264
Entropy (8bit):6.448629394101891
Encrypted:false
MD5:B1DB7262E7360111052E275883CC2021
SHA1:C079A7DE80614AA8F0F742223DCB77472652E5C4
SHA-256:68C92C18FDFB39A314717D2739239A19581D4009E0E9539F264BD52C155A079B
SHA-512:0A85C28EE90E2E5B6EB881066F226F9DA7863D7958DC90F07599B78D6FC3786C5D7A0C701B8886D0763C3629DFD18C837AF2798FF2E5F1D9156649A1B62995B6
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdr.dat
File Type:data
Size (bytes):1561
Entropy (8bit):7.809762278654474
Encrypted:false
MD5:8AFE0D07A4D7E0C9507B3920DFE2BE8B
SHA1:A0B7842C6CA224769CB8146C64A49D412E87B4EF
SHA-256:64484401EC0D89D9F1AE570F56257CBFA1B5C43BE46DD80EA3098D1AD716E5BC
SHA-512:2A6FED70AB089A47F997E8E38548C01960095D438B11FEBD63F4CD3B8449B6325188342178BF8166A998C51084142F217779822191483BEA0C912F59A18D55D1
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdri.dat
File Type:data
Size (bytes):4761
Entropy (8bit):7.962748871905112
Encrypted:false
MD5:4936004151A87B731E226F1AE23F398D
SHA1:EBAA11CBB7AF6ECF77DB4364F083B5924213726B
SHA-256:4C5E89A331C5679BD26B0B78B73FC0AEA6E94BA475A3952876CDC68BF7D9C85A
SHA-512:2B2E910879A17514C129EF0E84A129F7FB36A7CF21856C3D525F6A3202BDA14EB06158C318743DF016566E8C78028DDBC7F0ED093165BB986E38BB475BC27501
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdrk.dat
File Type:data
Size (bytes):264
Entropy (8bit):6.4614494697116855
Encrypted:false
MD5:82757A6B6E5AEA3276D2AE6430CB62F0
SHA1:FA0195EF1367633F64399948C276C8C2AB2DCB3C
SHA-256:E7018CDD0D3FA1508C93BA1A93CF1D549C46B5AF1349454E791EFE61C4D173DF
SHA-512:08814271A277EB74CE9A666CEDC69C608CE2B18A069CED3052659F1C485096439F6AA8948AA86FF9FDBAB7231EDBE2975925D00FCDA5FBBD4E53963949DCDAD3
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Protect\appidpolicyconverter.js
File Type:ASCII text, with very long lines, with CRLF, LF line terminators
Size (bytes):12487
Entropy (8bit):6.158385864693747
Encrypted:false
MD5:DF1B4F63C1ADB9ABFE04E0247956CE66
SHA1:EFB9015BE0497BDF6183383FF677FC8474AC69CE
SHA-256:5698C92FB8FE7DED0FF940C75979F44734650E4F2C852BDB4CBC9D46E7993185
SHA-512:9948948DF25449E2733E12EF8E9B46CE3A8C05AACE217CE37CBB4EA22869AC1A31160ACF6B3B3A3D01A3A523B07B4133534661EFBFB152E05F2F0F52056FDDBE
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp
File Type:ASCII English text, with CRLF line terminators
Size (bytes):467
Entropy (8bit):2.9266020659781105
Encrypted:false
MD5:F92F5F2A804E96965784D78A4421069A
SHA1:1A84E2A26517BC6FF340BCC940429D25EB44AAFF
SHA-256:59744EE1F5EA23C4563EC6C33CD0446ACB2985ECEC84DBAE2FF39FB464531E33
SHA-512:6E66069CF196F5844C644BF41D8353BCDB6DDC3C642A33308DD2485BA4160A87F2E2A100F4CE74AFA6AE4AE56F1FB04F39A17E34E85262C38EB4E5A32DA0C87C
Malicious:true
Reputation:low
C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf
File Type:PDF document, version 1.4
Size (bytes):369804
Entropy (8bit):7.8514411034270895
Encrypted:false
MD5:0892096E45A3909B1BAFE44235C508DA
SHA1:A07B8450147C578ED135FDFFEF84E65C9F911F6F
SHA-256:C978DA455018A73DDBC9E1D2BF8C208AD3EC2E622850F68EF6B0AAE939E5D2AB
SHA-512:33312348AA22DD5A5379F6E5413F4338E7409C773A5714F471C8CAE656AA9988A0CB0448CC9C721E525EA546DD5704B46B5AC42CF845101417EEB162FDEC0B5C
Malicious:false
Reputation:low
C:\Users\user\AppData\Roaming\Scr.js
File Type:ASCII text, with very long lines, with CRLF, LF line terminators
Size (bytes):22458
Entropy (8bit):5.915482458624312
Encrypted:false
MD5:B318AF64676A879DC50B491BECCFA951
SHA1:9D7D559EE19321B07785956F8118D96A9EE47FC1
SHA-256:1C76A66A670A6F69B4FEA25CA0BA4885ECA9E1B85A2AFBAB61DA3B4A6D52AE19
SHA-512:BB2DC5678223E597B010872D38B948DCA37A47149143585FDD083A3BA1E4B272BCFE388D00B34E29A026F6F1AE9E601A88E86AC890876FA986B0CA7458F6964D
Malicious:true
Reputation:low

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

Static File Info

General

File type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Entropy (8bit):7.840215455375674
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.10%
  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.73%
  • Visual Basic Script (6000/0) 0.06%
  • Java Script (4500/0) 0.04%
  • Java Script embedded in Visual Basic Script (3500/0) 0.03%
File name:turla.exe
File size:397824
MD5:7c378d78b7a89aef27e8a3c5066b8511
SHA1:5730e117b1efddc9a438a8bf603ff8b17736453e
SHA256:7481e87023604e7534d02339540ddd9565273dd51c13d7677b9b4c9623f0440b
SHA512:9ff603529024d3ae3c32482747e6fb6129a2a5875416a8e8f151fe148e39bed51336dad8e41546d8c4b46d0acf81dceab65fb2129adc32ca6f319e1625816c9e
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."V.............................'... ...@....@.. ....................................@................................

Static PE Info

General

Entrypoint:0x4627ae
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x5622CDAA [Sat Oct 17 22:37:30 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:v2.0.50727
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the remaining instructions of the preview are all "add byte ptr [eax], al", the disassembly of the 0x00 0x00 padding that follows the jump)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x62758 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x568 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x66000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x62620 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x607b4 | 0x60800 | False | 0.886847777688 | data | 7.85051717396 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0x64000 | 0x568 | 0x600 | False | 0.402994791667 | data | 3.97372265976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x66000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0x640a0 | 0x2d8 | data | |
RT_MANIFEST | 0x64378 | 0x1ea | XML document text | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright | Copyright Microsoft 2015
Assembly Version | 1.0.0.0
InternalName | Runer.exe
FileVersion | 1.0.0.0
CompanyName | Microsoft
ProductName | Runer
ProductVersion | 1.0.0.0
FileDescription | Runer
OriginalFilename | Runer.exe

Network Behavior

No network behavior found

System Behavior

General

Start time:11:47:13
Start date:20/01/2018
Path:C:\Users\user\Desktop\turla.exe
Wow64 process (32bit):false
Commandline:'C:\Users\user\Desktop\turla.exe'
Imagebase:0x77390000
File size:397824 bytes
MD5 hash:7C378D78B7A89AEF27E8A3C5066B8511
Programmed in:.Net C# or VB.NET
Reputation:low

General

Start time:11:47:15
Start date:20/01/2018
Path:C:\Windows\System32\wscript.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Scr.js'
Imagebase:0x74c70000
File size:141824 bytes
MD5 hash:979D74799EA6C8B8167869A68DF5204A
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:47:15
Start date:20/01/2018
Path:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Imagebase:0x752f0000
File size:1544928 bytes
MD5 hash:513659580A49DF6A85CDFD869895924A
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:47:16
Start date:20/01/2018
Path:C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe
Wow64 process (32bit):false
Commandline:'C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe' --channel=3412.0.1190326145 --type=renderer 'C:\Users\user\AppData\Roaming\Save the Date G20 Digital Economy Taskforce 23 24 October.pdf'
Imagebase:0x681f0000
File size:1544928 bytes
MD5 hash:513659580A49DF6A85CDFD869895924A
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:47:16
Start date:20/01/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\cmd.exe' /c systeminfo > 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Imagebase:0x77390000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:47:17
Start date:20/01/2018
Path:C:\Windows\System32\systeminfo.exe
Wow64 process (32bit):false
Commandline:systeminfo
Imagebase:0x751e0000
File size:75776 bytes
MD5 hash:258B2ED54FC7F74E2FDCCE5861549C1A
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:01
Start date:20/01/2018
Path:C:\Windows\System32\taskeng.exe
Wow64 process (32bit):false
Commandline:taskeng.exe {1CB75A7D-1803-47C7-91DA-EA5266AAF4C1} S-1-5-21-312302014-279660585-3511680526-1004:computer\user:Interactive:[1]
Imagebase:0x77390000
File size:192000 bytes
MD5 hash:4F2659160AFCCA990305816946F69407
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:01
Start date:20/01/2018
Path:C:\Windows\System32\wscript.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\WScript.exe 'appidpolicyconverter.js' FileTypeXML gwVAj83JsiqTz5fG
Imagebase:0x75440000
File size:141824 bytes
MD5 hash:979D74799EA6C8B8167869A68DF5204A
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:08
Start date:20/01/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\cmd.exe' /c net view >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Imagebase:0x77390000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:09
Start date:20/01/2018
Path:C:\Windows\System32\net.exe
Wow64 process (32bit):false
Commandline:net view
Imagebase:0x77390000
File size:46080 bytes
MD5 hash:B9A4DAC2192FD78CDA097BFA79F6E7B2
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:13
Start date:20/01/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\cmd.exe' /c net view /domain >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Imagebase:0x75440000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:13
Start date:20/01/2018
Path:C:\Windows\System32\net.exe
Wow64 process (32bit):false
Commandline:net view /domain
Imagebase:0x71270000
File size:46080 bytes
MD5 hash:B9A4DAC2192FD78CDA097BFA79F6E7B2
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:14
Start date:20/01/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\cmd.exe' /c tasklist /v >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Imagebase:0x75440000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:15
Start date:20/01/2018
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /v
Imagebase:0x77390000
File size:80896 bytes
MD5 hash:A9A00E71E3DD67B029FC904FE3BB61DA
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:17
Start date:20/01/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\cmd.exe' /c gpresult /z >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Imagebase:0x75440000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:18
Start date:20/01/2018
Path:C:\Windows\System32\gpresult.exe
Wow64 process (32bit):false
Commandline:gpresult /z
Imagebase:0x740a0000
File size:128000 bytes
MD5 hash:E32AC8B1091F300A580DA58576934DD7
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:24
Start date:20/01/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\cmd.exe' /c netstat -nao >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Imagebase:0x75440000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:25
Start date:20/01/2018
Path:C:\Windows\System32\NETSTAT.EXE
Wow64 process (32bit):false
Commandline:netstat -nao
Imagebase:0x772c0000
File size:27136 bytes
MD5 hash:32297BB17E6EC700D0FC869F9ACAF561
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:26
Start date:20/01/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\cmd.exe' /c ipconfig /all >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Imagebase:0x75440000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:26
Start date:20/01/2018
Path:C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):false
Commandline:ipconfig /all
Imagebase:0x74c70000
File size:27136 bytes
MD5 hash:CABB20E171770FF64614A54C1F31C033
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:27
Start date:20/01/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\cmd.exe' /c arp -a >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Imagebase:0x77390000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:27
Start date:20/01/2018
Path:C:\Windows\System32\ARP.EXE
Wow64 process (32bit):false
Commandline:arp -a
Imagebase:0x731e0000
File size:20992 bytes
MD5 hash:ADC7AD3C261D2753CB7A2FE73A66C210
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:28
Start date:20/01/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\cmd.exe' /c net share >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Imagebase:0x75440000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:29
Start date:20/01/2018
Path:C:\Windows\System32\net.exe
Wow64 process (32bit):false
Commandline:net share
Imagebase:0x73330000
File size:46080 bytes
MD5 hash:B9A4DAC2192FD78CDA097BFA79F6E7B2
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:29
Start date:20/01/2018
Path:C:\Windows\System32\net1.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\net1 share
Imagebase:0x64730000
File size:142336 bytes
MD5 hash:2041012726EF7C95ED51C15C56545A7F
Programmed in:C, C++ or other language
Reputation:low

General

Start time:11:54:30
Start date:20/01/2018
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\System32\cmd.exe' /c net use >> 'C:\Users\user\AppData\Roaming\Microsoft\Protect\~~.tmp'
Imagebase:0x75440000
File size:302592 bytes
MD5 hash:AD7B9C14083B52BC532FBA5948342B98
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:1.7%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:100%
    Total number of Nodes:12
    Total number of Limit Nodes:0

    Executed Functions

    Control-flow Graph

    • Executed
    • Not Executed

    Twelve short stubs, each resolving a single NTDLL native API, were recovered from one memory dump of AcroRd32 (source and snapshot are listed once below; no strings were listed for any of them):

    • control_flow_graph 0 712800-71281c NtCreateFile
    • control_flow_graph 1 712850-71285c NtOpenFile
    • control_flow_graph 2 712890-71289c NtQueryAttributesFile
      APIs: NtQueryAttributesFile.NTDLL ref: 0071289A
    • control_flow_graph 3 712910-71291c NtSetInformationFile
      APIs: NtSetInformationFile.NTDLL ref: 0071291A
    • control_flow_graph 4 7129d0-7129dc NtCreateKey
    • control_flow_graph 5 712a10-712a1c NtOpenKey
    • control_flow_graph 6 712a50-712a5c NtOpenKeyEx
    • control_flow_graph 7 712ad0-712adc NtCreateMutant
    • control_flow_graph 8 712b10-712b1c NtCreateSection
    • control_flow_graph 9 712b50-712b5c NtOpenSection
    • control_flow_graph 10 712b90-712b9c NtDeleteValueKey
    • control_flow_graph 11 712e90-712e9c NtMapViewOfSection

    Memory Dump Source (graphs 0 to 11)
    • Source File: 00000004.00000002.768449146.00712000.00000020.sdmp, Offset: 00712000, based on PE: false
    • Joe Sandbox IDA Plugin Snapshot File: hcaresult_4_2_712000_AcroRd32.jbxd

    Two larger functions were recovered from a second dump of the same process. Their entry blocks start at different addresses (84c4cc6 and 84c4cec) but end at the same 84c4d1e, and every block after that is shared; in both, the block at 84c4f27 makes a call whose observed targets are 7ef1cdb and 7ef1ce4:

    • control_flow_graph 12 84c4cc6-84c4d1e 13 84c4d27-84c4db0 12->13 14 84c4d20 12->14 18 84c4db6-84c4e50 13->18 19 84c4f3c-84c4f59 13->19 14->13 18->19 26 84c4e56-84c4eae 18->26 26->19 30 84c4eb4-84c4f26 26->30 34 84c4f27 call 7ef1cdb 30->34 35 84c4f27 call 7ef1ce4 30->35 33 84c4f29-84c4f3b 34->33 35->33
    • control_flow_graph 36 84c4cec-84c4d1e 37 84c4d27-84c4db0 36->37 38 84c4d20 36->38 42 84c4db6-84c4e50 37->42 43 84c4f3c-84c4f59 37->43 38->37 42->43 50 84c4e56-84c4eae 42->50 50->43 54 84c4eb4-84c4f26 50->54 58 84c4f27 call 7ef1cdb 54->58 59 84c4f27 call 7ef1ce4 54->59 57 84c4f29-84c4f3b 58->57 59->57

    Memory Dump Source (graphs 12 and 36)
    • Source File: 00000004.00000002.773409332.084BF000.00000020.sdmp, Offset: 084BF000, based on PE: false
    • Joe Sandbox IDA Plugin Snapshot File: hcaresult_4_2_84bf000_AcroRd32.jbxd

    Ten further graphs whose nodes are not rendered in this export reference the 084BF000 dump above (four of them) and a third dump of the same process (six of them):
    • Source File: 00000004.00000002.773099935.07EF0000.00000020.sdmp, Offset: 07EF0000, based on PE: false
    • Joe Sandbox IDA Plugin Snapshot File: hcaresult_4_2_7ef0000_AcroRd32.jbxd

    Non-executed Functions